CN108809993A - Certificate authentication system, method for deploying a certificate authentication system, and certificate authentication method - Google Patents
- Publication number: CN108809993A
- Application number: CN201810620418.0A
- Authority: CN (China)
- Prior art keywords: servers, server, certificate, transaction request, certificate authentication
- Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Classifications
- H04L63/0823: Network security; authentication of entities using certificates
- G06Q20/38215: Payment protocols; use of certificates or encrypted proofs of transaction rights
- H04L63/0428: Network security; confidential data exchange in which the payload is encrypted or encapsulated
- H04L63/062: Network security; key management, key distribution (e.g. centrally by a trusted party)
- H04L67/568: Proxy services; storing data temporarily at an intermediate stage (caching)
- H04L2463/102: Additional network-security details; applying security measures for e-commerce
- H04L67/1095: Distributed applications; replication or mirroring of data between network nodes
- H04L67/1097: Distributed applications; distributed storage of data in networks (e.g. NFS, SAN, NAS)
Landscapes: Engineering & Computer Science; Computer Security & Cryptography; Computer Networks & Wireless Communication; Signal Processing; Computer Hardware Design; Computing Systems; General Engineering & Computer Science; Business, Economics & Management; Accounting & Taxation; Finance; Strategic Management; Physics & Mathematics; General Business, Economics & Management; General Physics & Mathematics; Theoretical Computer Science; Management, Administration, Business Operations System, and Electronic Commerce; Computer and Data Communications
Abstract
Embodiments of the present invention provide a certificate authentication system, a method for deploying a certificate authentication system, and a certificate authentication method, to solve the problem that existing certificate authentication systems are inflexible to deploy and costly to upgrade. The certificate authentication system comprises an independently deployed directory server, at least one CA server, a database server and an encryption-machine server, where: the directory server configures the certificate-service running environment of the at least one CA server and, according to the working-state information reported by the at least one CA server, distributes the received transaction requests to the at least one CA server; the at least one CA server processes the transaction requests distributed by the directory server; the database server provides the at least one CA server with the certificate information and/or user information needed to process a transaction request; and the encryption-machine server protects the keys of the at least one CA server.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a certificate authentication system, a method for deploying a certificate authentication system, and a certificate authentication method.
Background art
A digital certificate (hereinafter "certificate") is a string of characters that identifies the identity of each party in Internet communication; it is issued by a certificate authority. A certificate has two main uses. The first is encrypted communication: it ensures that data is not intercepted by an unauthorised user, or that an unauthorised user who does intercept it cannot learn the content. The second is the digital signature, which is used to verify the identity of a communicating entity on the Internet.
At present, the certificate authentication systems of certificate authorities mostly use a Web-developed B/S (browser/server) or C/S (client/server) architecture in which the whole system is one complete server. Under such an architecture, when transaction volume grows and the business-processing capacity of the certificate authentication system must be increased, the entire system has to be upgraded, for example by replacing its hardware with higher-performance hardware, or by deploying the entire system in a hot-standby or cold-standby configuration. Whichever upgrade approach is used, the cost is high.
Summary of the invention
Embodiments of the present invention provide a certificate authentication system, a method for deploying a certificate authentication system, and a certificate authentication method, to solve the problem that existing certificate authentication systems are inflexible to deploy and costly to upgrade.
In a first aspect, a certificate authentication system is provided. The system comprises an independently deployed directory server, at least one CA server, a database server and an encryption-machine server, where:
the directory server is configured to configure the certificate-service running environment of the at least one CA server and, according to the working-state information reported by the at least one CA server, to distribute the received transaction requests to the at least one CA server;
the at least one CA server is configured to process the transaction requests distributed by the directory server;
the database server is configured to provide the at least one CA server with the certificate information and/or user information needed to process a transaction request;
the encryption-machine server is configured to protect the keys of the at least one CA server.
In one possible implementation, the system further comprises a first cache server and/or a second cache server, where:
the first cache server caches the transaction requests received at the system's unified service entry point, and the directory server obtains pending transaction requests from the first cache server;
the second cache server synchronises from the database server the certificate information and/or user information stored there, and the at least one CA server queries the second cache server for the certificate information and/or user information needed to process a transaction request.
In one possible implementation, the directory server is specifically configured to:
determine whether the working-state information periodically sent by a first CA server among the at least one CA server has been received within a preset duration;
if so, determine the current busy degree of the first CA server from its working-state information, and distribute to the first CA server a number of transaction requests matching that busy degree;
otherwise, detect whether the first CA server is running normally and, on determining that it is not, remove the first CA server from the system.
In one possible implementation, the directory server is further configured to:
receive an activation request sent by a second CA server that does not yet belong to the system, the activation request requesting activation of the certificate-service function of the second CA server;
send a configuration file to the second CA server and add the second CA server to the system, thereby activating its certificate-service function, where the configuration file configures the certificate-service running environment of the second CA server.
In a second aspect, a method for deploying a certificate authentication system is provided. The system comprises an independently deployed directory server, a database server and an encryption-machine server; the database server provides the CA servers in the system with the certificate information and/or user information needed to process transaction requests, and the encryption-machine server protects the keys of the CA servers in the system. The method comprises:
the directory server receiving an activation request sent by at least one CA server that does not yet belong to the system, the activation request requesting activation of the certificate-service function of the at least one CA server;
the directory server sending a configuration file to the at least one CA server and adding the at least one CA server to the system, thereby activating its certificate-service function, where the configuration file configures the certificate-service running environment of the at least one CA server.
In one possible implementation, the method further comprises:
the directory server determining whether the working-state information periodically sent by a first CA server in the system has been received within a preset duration;
if so, the directory server determining the current busy degree of the first CA server from its working-state information, and distributing to the first CA server a number of transaction requests matching that busy degree;
otherwise, the directory server detecting whether the first CA server is running normally and, on determining that it is not, removing the first CA server from the system.
In a third aspect, a certificate authentication method is provided, applied to the certificate authentication system of the first aspect or of any implementation of the first aspect. The method comprises:
the directory server receiving the working-state information reported by each CA server among the at least one CA server and, according to the working-state information reported by each CA server, distributing the received transaction requests among the CA servers;
each CA server among the at least one CA server processing the transaction requests that the directory server distributed to it, based on the keys protected by the encryption-machine server and the certificate information and/or user information provided by the database server.
In one possible implementation, distributing the received transaction requests among the CA servers according to the working-state information reported by each CA server comprises:
the directory server determining, from the working-state information reported by each CA server among the at least one CA server, the current busy degree of each CA server, and distributing to each CA server a number of transaction requests matching its busy degree.
In one possible implementation, the system further comprises the first cache server and the second cache server, where:
the directory server obtains pending transaction requests from the first cache server;
each CA server among the at least one CA server queries the second cache server for the certificate information and/or user information needed to process a transaction request.
In a fourth aspect, a computer-readable storage medium is provided, where:
the computer-readable storage medium stores computer instructions which, when run on a computer, cause the computer to perform the method of the second aspect and/or the third aspect.
In embodiments of the present invention, the certificate authentication system comprises an independently deployed directory server, at least one CA server, a database server and an encryption-machine server. The directory server configures the certificate-service running environment of the at least one CA server and, according to the working-state information reported by the at least one CA server, distributes the received transaction requests to them; the at least one CA server processes the transaction requests distributed by the directory server; the database server provides the at least one CA server with the certificate information and/or user information needed to process a transaction request; and the encryption-machine server protects the keys of the at least one CA server.
Deploying each functional module of the certificate authentication system as an independent server makes the system's architecture more flexible and makes changes such as capacity expansion easy. Because the servers implementing the different functions are loosely coupled, upgrading the system has little impact on the business and the system is highly maintainable.
Further, with the architecture of the embodiments, suitable hardware can be chosen for each function according to its performance requirements when the certificate authentication system is deployed, avoiding the high cost of upgrading the whole machine that existing certificate authentication systems require. And because the servers implementing each function are deployed independently, hot standby or cold standby can be applied only to selected servers in the system (for example the directory server) as actually needed, improving the system's stability and redundancy.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the connections in a certificate authentication system according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the connections in another certificate authentication system according to an embodiment of the present invention;
Fig. 3 is a flow diagram of a method for deploying a certificate authentication system according to an embodiment of the present invention;
Fig. 4 is a flow diagram of a certificate authentication method according to an embodiment of the present invention.
Detailed description of embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In addition, the term "and/or" herein merely describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean A alone, both A and B, or B alone. Unless otherwise stated, the character "/" herein generally indicates an "or" relationship between the objects before and after it.
It should also be understood that in the description of the embodiments, words such as "first" and "second" serve only to distinguish the objects described; they neither indicate nor imply relative importance or order.
Embodiments of the present invention provide a certificate authentication system developed in a modular, decoupled way: each functional module and its configuration file are deployed separately. The system can be deployed in the cloud, on local servers, or jointly across cloud and local servers.
As shown in Fig. 1, the certificate authentication system comprises a directory server, at least one Certificate Authority (CA) server, a database server and an encryption-machine server. In embodiments of the present invention these servers are deployed independently, and the servers that communicate with one another are connected over a network to exchange data.
In one possible embodiment, as shown in Fig. 1, the certificate authentication system may provide a unified service entry point through which users submit transaction requests to the system.
The certificate authentication system provides certificate services to the user according to the submitted transaction request. In embodiments of the present invention, a transaction request may be a request for a transaction type such as certificate application, certificate download, certificate renewal, certificate suspension, certificate unsuspension, certificate revocation or CRL publication. The information carried by the transaction request differs by transaction type, as does the certificate service that the system performs for it.
The directory server is connected over the network to the at least one CA server. It configures the certificate-service running environment of the at least one CA server and, according to the working-state information they report, distributes the received transaction requests to them. In other words, the directory server can manage the configuration and number of CA servers in the system, and manage the running state, certificate-service state and busy degree of each CA server.
Specifically, each CA server in the certificate authentication system may report its own working-state information to the directory server periodically, at a preset interval. The working-state information reflects the CA server's condition, such as whether it is running normally, its busy degree and its running environment; for example, it may include one or more of the CA server's IP information, running-state information and hardware-utilisation information. Once the directory server has received the working-state information reported by a CA server, it can distribute received transaction requests to that CA server according to its working state.
The CA servers in the certificate authentication system all have the same function: each processes the transaction requests distributed to it by the directory server, for example performing certificate services such as certificate application, certificate generation, certificate revocation and certificate recovery according to the transaction request.
A CA server in embodiments of the present invention may be a cluster or a single deployed server. In one possible embodiment, on first start-up each CA server must obtain the relevant configuration from the directory server and load it into memory to complete initialisation, and after initialisation report its IP address, running state, hardware utilisation and similar information to the directory server. In practice, once the first CA server in the system has been initialised it can be imaged, and further CA servers deployed directly from the image, giving quick and convenient elastic scaling.
The database server provides the at least one CA server with the certificate information and/or user information needed to process a transaction request; that is, the database server records the certificate information and/or user information in the system. User information may include user identity information, blacklist information, users' transaction-request records and so on. In practice the database server may of course also record other information needed to process transaction requests.
The encryption-machine server (an encryption machine in this sense is a hardware security module, HSM) may be connected over the network to the at least one CA server in the system and protects their keys. For example, the encryption-machine server may hold the CA servers' root private key, which is used to sign certificates.
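The key separation this paragraph describes, as an added example in Go that is not code from the patent: the CA server assembles and encodes the certificate, but signing goes through a crypto.Signer whose only capability is to hand a SHA-256 digest to the encryption-machine server and receive a signature back. The EncryptionMachine interface, the in-process softMachine that stands in for a real HSM so the example runs offline, the CertRequest shape and the constructed applicant key are all assumptions; the patent names no protocol between the CA server and the encryption machine.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// EncryptionMachine is the CA server's view of the encryption-machine (HSM) server:
// a public key and a signing operation, never the private key (assumed interface).
type EncryptionMachine interface {
	PublicKey() crypto.PublicKey
	SignDigest(digest []byte) ([]byte, error)
}

// softMachine is a constructed in-process stand-in for a real HSM so the example
// runs offline; the root private key exists only inside it.
type softMachine struct{ key *ecdsa.PrivateKey }

func NewSoftMachine() (*softMachine, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &softMachine{key: k}, nil
}
func (m *softMachine) PublicKey() crypto.PublicKey { return &m.key.PublicKey }
func (m *softMachine) SignDigest(d []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, m.key, d) }

// remoteSigner runs on the CA server: a crypto.Signer the standard x509 package can
// drive, whose Sign only ever forwards a digest to the machine.
type remoteSigner struct{ hsm EncryptionMachine }

func (r remoteSigner) Public() crypto.PublicKey { return r.hsm.PublicKey() }
func (r remoteSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts.HashFunc() != crypto.SHA256 {
		return nil, fmt.Errorf("encryption machine only signs SHA-256 digests, got %v", opts.HashFunc())
	}
	return r.hsm.SignDigest(digest)
}

// CertRequest is what the CA server holds after reading a certificate-application
// transaction and the matching database (or second-cache) record. Assumed shape.
type CertRequest struct {
	CommonName string
	Serial     int64 // from the certificate record; must be unique per issuer
	PublicKey  crypto.PublicKey
	Days       int
}

func sign(hsm EncryptionMachine, tmpl, parent *x509.Certificate, pub crypto.PublicKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, remoteSigner{hsm})
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueRoot creates the self-signed CA certificate; the root key never leaves the machine.
func IssueRoot(hsm EncryptionMachine, cn string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return sign(hsm, tmpl, tmpl, hsm.PublicKey())
}

// IssueCert signs an end-entity certificate for a transaction request. CreateCertificate
// rejects a signer whose public key does not match the issuer, so a request routed to
// the wrong encryption machine fails closed instead of yielding an unverifiable certificate.
func IssueCert(hsm EncryptionMachine, issuer *x509.Certificate, req CertRequest) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(req.Serial), Subject: pkix.Name{CommonName: req.CommonName},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(0, 0, req.Days),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(hsm, tmpl, issuer, req.PublicKey)
}

// Verify checks that leaf chains to root, as a relying party would.
func Verify(root, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	hsm, _ := NewSoftMachine()
	root, _ := IssueRoot(hsm, "Example Root CA")
	applicant, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed applicant key
	leaf, err := IssueCert(hsm, root, CertRequest{CommonName: "user-001", Serial: 1001, PublicKey: &applicant.PublicKey, Days: 365})
	fmt.Println("issued:", err == nil, "verified:", err == nil && Verify(root, leaf) == nil)
}
```

In a real deployment the softMachine would be replaced by a client for the encryption-machine server's own API; nothing on the CA server side changes, because the x509 package only ever sees the crypto.Signer.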
In one possible embodiment, for any CA server in the certificate authentication system, say a first CA server, the directory server may determine whether it has received, within a preset duration, the working-state information that the first CA server sends periodically. If so, it determines the first CA server's current busy degree from that information and distributes to it a number of transaction requests matching that busy degree; otherwise it detects whether the first CA server is running normally and, on determining that it is not, removes it from the system.
When distributing transaction requests to the first CA server, besides the busy degree of the first CA server, the directory server may also take into account the total number of pending transaction requests in the system and the current busy degree of the other CA servers in the system.
The directory server may detect whether the first CA server is running normally by sending it a detection message. If the directory server receives feedback from the first CA server for the detection message, it can judge the first CA server's working state further from that feedback; if, a preset duration after sending the detection message, neither feedback nor working-state information has been received from the first CA server, the directory server can directly determine that the first CA server is not running normally.
The directory server may remove the first CA server from the system by closing the port connected to it, by marking it as invalid in the system, or by sending it a disconnect or shutdown command, among other ways.
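The heartbeat, busy-degree, probe and removal logic of the preceding paragraphs, as an added example in Go (not the patent's code). The WorkState layout, the busy-degree formula (the patent fixes none), the integer share calculation and the Probe hook standing in for the detection message are assumptions; the scenario in main is constructed.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// WorkState is a CA server's periodic report: IP, running state and hardware
// utilisation, the items the description lists. Field layout is an assumption.
type WorkState struct {
	IP      string
	Running bool
	CPUUtil float64 // fraction 0..1
	MemUtil float64 // fraction 0..1
}

type member struct {
	state    WorkState
	lastSeen time.Time
}

// Directory is the directory server's membership table. Probe stands in for the
// detection message sent to a silent CA server; false means no feedback came.
type Directory struct {
	Timeout time.Duration // preset duration within which a heartbeat is expected
	Probe   func(ip string) bool
	members map[string]*member
	Removed []string // CA servers removed from the system
}

func NewDirectory(timeout time.Duration, probe func(string) bool) *Directory {
	return &Directory{Timeout: timeout, Probe: probe, members: map[string]*member{}}
}

func (d *Directory) Report(ws WorkState, at time.Time) {
	d.members[ws.IP] = &member{state: ws, lastSeen: at}
}

// BusyDegree maps a report to 0..1. The patent fixes no formula: the higher of
// CPU and memory utilisation is used, and "not running" counts as fully busy.
func BusyDegree(ws WorkState) float64 {
	if !ws.Running {
		return 1
	}
	return math.Min(1, math.Max(ws.CPUUtil, ws.MemUtil))
}

// Distribute hands pending requests to live CA servers in proportion to idle
// capacity. An overdue server is probed first and removed if it does not answer.
func (d *Directory) Distribute(now time.Time, pending []string) map[string][]string {
	weight, total := map[string]int{}, 0 // idle percent; integers so shares add up exactly
	var takers []string
	for ip, m := range d.members {
		if now.Sub(m.lastSeen) > d.Timeout && !d.Probe(ip) {
			delete(d.members, ip)
			d.Removed = append(d.Removed, ip)
			continue
		}
		if w := int(math.Round((1 - BusyDegree(m.state)) * 100)); w > 0 {
			weight[ip], total = w, total+w
			takers = append(takers, ip)
		}
	}
	out := map[string][]string{}
	if total == 0 {
		return out // nobody can take work; requests stay pending
	}
	// Idlest first, IP as tie-break, so the result is deterministic.
	sort.Slice(takers, func(i, j int) bool {
		a, b := takers[i], takers[j]
		return weight[a] > weight[b] || weight[a] == weight[b] && a < b
	})
	n, given, quota := len(pending), 0, map[string]int{}
	for _, ip := range takers {
		quota[ip] = n * weight[ip] / total
		given += quota[ip]
	}
	for i := 0; given < n; i = (i + 1) % len(takers) { // leftover from integer division
		quota[takers[i]]++
		given++
	}
	pos := 0
	for _, ip := range takers {
		out[ip] = append([]string(nil), pending[pos:pos+quota[ip]]...)
		pos += quota[ip]
	}
	return out
}

func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	// Constructed scenario: 10.0.0.3 has gone silent and does not answer the probe.
	d := NewDirectory(30*time.Second, func(string) bool { return false })
	d.Report(WorkState{IP: "10.0.0.1", Running: true, CPUUtil: 0.2, MemUtil: 0.1}, t0)
	d.Report(WorkState{IP: "10.0.0.2", Running: true, CPUUtil: 0.6, MemUtil: 0.5}, t0)
	d.Report(WorkState{IP: "10.0.0.3", Running: true, CPUUtil: 0.1}, t0.Add(-2*time.Minute))
	pending := []string{"tx-0", "tx-1", "tx-2", "tx-3", "tx-4", "tx-5", "tx-6", "tx-7", "tx-8", "tx-9", "tx-10", "tx-11"}
	fmt.Println("shares:", d.Distribute(t0, pending), "removed:", d.Removed)
}
```

Requests only go to servers whose heartbeat is fresh or that answered the probe; a server that reports itself as not running keeps its membership but receives nothing, which is the page's distinction between a busy server and a failed one.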
In embodiments of the present invention, the directory server can achieve the following by sending a configuration file to a CA server:
(1) activate the CA server's certificate-service function;
(2) shut down the CA server's certificate-service function;
(3) configure or modify the CA server's running environment.
Further, with the architecture of the embodiments, the number of CA servers in the system can easily be increased to raise the system's certificate-service capacity. Taking the addition of a second CA server that does not yet belong to the system as an example, the process is as follows: the directory server receives an activation request sent by the second CA server, requesting activation of its certificate-service function; the directory server then sends a configuration file to the second CA server and adds it to the system, thereby activating its certificate-service function, where the configuration file configures the second CA server's certificate-service running environment.
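The activation flow of the preceding paragraph and the three uses of the configuration file, as an added example in Go (not the patent's code). The page does not say how the directory server decides that a server which is not yet a member may join, and without some check any host able to reach the directory server could be handed the configuration that joins it to the system; the example therefore assumes a pre-shared enrolment key and an HMAC token in the request. The request and configuration-file fields, the JSON tags and the addresses in main are all assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ActivationRequest is sent by a CA server that does not yet belong to the system.
// The patent does not say what it carries or how the directory server decides the
// sender may join, so the fields and the Token are assumptions.
type ActivationRequest struct {
	IP    string `json:"ip"`
	Host  string `json:"host"`
	Token string `json:"token"` // hex HMAC-SHA256(enrolKey, ip|host), assumed
}

// ConfigFile is the certificate-service running environment the directory server
// pushes; Mode carries the three uses the description lists (activate, shut down,
// reconfigure). Field names and the JSON wire format in the tags are assumptions.
type ConfigFile struct {
	Mode           string `json:"mode"` // "active" or "closed"
	NodeID         string `json:"node_id"`
	DirectoryAddr  string `json:"directory"`
	DatabaseAddr   string `json:"database"`
	CacheAddr      string `json:"second_cache"`
	CryptoAddr     string `json:"encryption_machine"`
	ReportEverySec int    `json:"report_every_s"` // heartbeat interval
}

// DirectoryServer holds the environment template and the current membership.
type DirectoryServer struct {
	enrolKey []byte
	env      ConfigFile
	Members  map[string]ConfigFile // keyed by CA server IP
	seq      int
}

func NewDirectoryServer(enrolKey []byte, env ConfigFile) *DirectoryServer {
	return &DirectoryServer{enrolKey: enrolKey, env: env, Members: map[string]ConfigFile{}}
}

// EnrolToken is what an operator computes when preparing a new CA server image.
func EnrolToken(key []byte, ip, host string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(ip + "|" + host))
	return hex.EncodeToString(m.Sum(nil))
}

// Activate handles an activation request: check the token, refuse duplicates, assign
// an identity, record membership and return the file that activates the service.
func (d *DirectoryServer) Activate(req ActivationRequest) (ConfigFile, error) {
	want := EnrolToken(d.enrolKey, req.IP, req.Host)
	if !hmac.Equal([]byte(req.Token), []byte(want)) {
		return ConfigFile{}, fmt.Errorf("activation of %s rejected: bad enrolment token", req.IP)
	}
	if _, ok := d.Members[req.IP]; ok {
		return ConfigFile{}, fmt.Errorf("activation of %s rejected: already a member", req.IP)
	}
	d.seq++
	cfg := d.env
	cfg.Mode, cfg.NodeID = "active", fmt.Sprintf("ca-%03d", d.seq)
	d.Members[req.IP] = cfg
	return cfg, nil
}

// Close pushes the same file with Mode "closed", shutting the certificate service down.
func (d *DirectoryServer) Close(ip string) (ConfigFile, error) {
	return d.Reconfigure(ip, func(c *ConfigFile) { c.Mode = "closed" })
}

// Reconfigure modifies a member's running environment, e.g. pointing it at a new cache.
func (d *DirectoryServer) Reconfigure(ip string, change func(*ConfigFile)) (ConfigFile, error) {
	cfg, ok := d.Members[ip]
	if !ok {
		return ConfigFile{}, fmt.Errorf("%s is not a member of the system", ip)
	}
	change(&cfg)
	d.Members[ip] = cfg
	return cfg, nil
}

func main() {
	key := []byte("constructed-enrolment-key") // shared out of band; not from the patent
	d := NewDirectoryServer(key, ConfigFile{DirectoryAddr: "10.0.0.10:9000", DatabaseAddr: "10.0.0.20:5432",
		CacheAddr: "10.0.0.30:6379", CryptoAddr: "10.0.0.40:8443", ReportEverySec: 10})
	req := ActivationRequest{IP: "10.0.0.2", Host: "ca-node-b"}
	req.Token = EnrolToken(key, req.IP, req.Host)
	cfg, err := d.Activate(req)
	fmt.Printf("%+v %v\n", cfg, err)
	_, err = d.Activate(ActivationRequest{IP: "10.0.0.3", Host: "rogue", Token: "0000"})
	fmt.Println("rogue:", err)
}
```

Because Close and Reconfigure reuse the same push path as Activate, the directory server needs exactly one delivery mechanism for all three configuration-file uses the description lists.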
In one possible embodiment, as shown in Fig. 2, the certificate authentication system may further comprise a first cache server and/or a second cache server.
The first cache server may be connected over the network to the directory server. It caches the transaction requests received at the system's unified service entry point, and the directory server obtains pending transaction requests from it. Buffering user-submitted transaction requests in the first cache server lets the certificate authentication system fetch them when it is idle, making efficient use of system resources. Once the system has processed a transaction request, that request can be destroyed in the first cache server.
The first cache server may be any type of cache server, for example a Redis server; Redis is an in-memory database server whose storage is more efficient than a relational database server. The first cache server may also be configured as one master with several replicas. Taking a certificate transaction volume of 10,000 to 20,000 as an example, and assuming one certificate transaction needs 1KB of storage for its transaction request, 1GB of storage can cache about one million certificate transaction requests, which greatly lowers the server hardware requirements compared with the prior art. The first cache server in embodiments of the present invention may be a single cache server or several cache servers.
The second cache server may be connected over the network to the at least one CA server in the system and to the database server. It synchronises from the database server the information stored there (such as certificate information and/or user information), and the at least one CA server queries it for the information (such as certificate information and/or user information) needed to process a transaction request.
Specifically, the second cache server may cache the certificate-status information held in the database server to raise the lookup efficiency of the CA servers; for example, it may cache each certificate's subject Distinguished Name (DN), template, Serial Number (SN) and status. Assuming each record needs 100 bytes of storage, 1GB of memory can cache about ten million certificates. Compared with existing certificate authentication system architectures, the system of the embodiments therefore greatly reduces the hardware-performance requirements. The second cache server may also be any type of cache server, for example a Redis server, and may be a single cache server or several cache servers.
Referring to Fig. 3, based on the same inventive concept, embodiments of the present invention provide a method for deploying a certificate authentication system. The system deployed by this method may be, for example, the certificate authentication system shown in Fig. 1 or Fig. 2, so the foregoing description of the system in Figs. 1 and 2 applies to the deployment method and is not repeated here.
The certificate authentication system comprises an independently deployed directory server, a database server and an encryption-machine server; the database server provides the CA servers in the system with the certificate information and/or user information needed to process transaction requests, and the encryption-machine server protects the keys of the CA servers in the system. The deployment method proceeds as follows:
Step 301: the LIST SERVER receives an activation request sent by at least one CA server that does not yet belong to the system; the activation request asks to activate the certificate service function of the at least one CA server.
Step 302: the LIST SERVER sends a configuration file to the at least one CA server, adds the at least one CA server to the system, and thereby activates its certificate service function; the configuration file configures the certificate service running environment of the at least one CA server.
In a possible embodiment, the method further includes:
The LIST SERVER determines whether, within a preset duration, it has received the work state information that a first CA server included in the system sends periodically;
If so, the LIST SERVER determines the current busy extent of the first CA server according to its work state information, and distributes to the first CA server a quantity of transaction requests that matches that busy extent;
Otherwise, the LIST SERVER detects whether the first CA server is operating normally and, when it determines that the first CA server is not operating normally, removes the first CA server from the system.
Referring to Fig. 4, based on the same inventive concept, the embodiment of the present invention provides a certificate authentication method. The method can be applied to a certificate authentication system, such as the certificate authentication system shown in Fig. 1 or Fig. 2, so when understanding and explaining the certificate authentication method, reference may be made to the foregoing explanation of the certificate authentication system in Figs. 1 and 2, and details are not repeated here. The flow of the certificate authentication method is as follows:
Step 401: the LIST SERVER receives the work state information reported by each CA server among the at least one CA server, and distributes the transaction requests it has obtained to each CA server according to the work state information that server reported;
Step 402: each CA server among the at least one CA server processes the transaction requests that the LIST SERVER distributed to it, based on the key protected by the encryption equipment server and the certificate information and/or user information provided by the database server.
In a possible embodiment, distributing the obtained transaction requests to each CA server according to the work state information each CA server reported includes:
The LIST SERVER determines the current busy extent of each CA server among the at least one CA server according to the work state information that server reported, and distributes to each CA server a quantity of transaction requests that matches that server's busy extent.
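The heartbeat, busy-extent and removal behaviour described here (and in the possible embodiment of the deployment method above) can be modelled as follows. This is an added Python example, not code from the patent; the work-state fields, the busy-extent formula, the `is_alive` probe and the rule that a silent-but-alive server is skipped until it reports again are assumptions.

```python
"""Added example, not from the patent: a minimal LIST SERVER scheduler.

Each CA server reports work-state information periodically; the LIST SERVER
derives a busy extent from the latest report, hands out queued transaction
requests in proportion to spare capacity, and removes a CA server that has
been silent longer than the preset duration and fails a liveness check.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

PRESET_DURATION = 10.0  # assumed: seconds of silence before a CA server is probed


@dataclass
class WorkState:
    """One work-state report (assumed fields: queued requests and capacity)."""
    pending: int
    capacity: int
    reported_at: float


@dataclass
class ListServer:
    clock: Callable[[], float] = time.monotonic       # injectable for tests
    members: Set[str] = field(default_factory=set)    # CA servers in the system
    states: Dict[str, WorkState] = field(default_factory=dict)

    def join(self, server_id: str) -> None:
        """Step 302: the CA server received its configuration file and joins."""
        self.members.add(server_id)

    def report(self, server_id: str, pending: int, capacity: int) -> None:
        """Step 401: record the work-state information a member CA server sent."""
        if server_id in self.members:
            self.states[server_id] = WorkState(pending, capacity, self.clock())

    def busy_extent(self, server_id: str) -> float:
        """Fraction of the server's capacity already in use (0.0 idle, 1.0 full)."""
        st = self.states[server_id]
        return 1.0 if st.capacity <= 0 else min(1.0, st.pending / st.capacity)

    def distribute(self, requests: List[str], is_alive: Callable[[str], bool]
                   ) -> Tuple[Dict[str, List[str]], List[str], List[str]]:
        """One scheduling pass. Returns (assignments, leftover, removed).

        A server whose last report is older than PRESET_DURATION is probed with
        is_alive(); if the probe fails it is removed from the system, otherwise
        it is skipped until it reports again (assumption).
        """
        now = self.clock()
        spare: Dict[str, int] = {}
        removed: List[str] = []
        for sid in sorted(self.members):
            st = self.states.get(sid)
            if st is None or now - st.reported_at > PRESET_DURATION:
                if not is_alive(sid):
                    removed.append(sid)
                continue
            spare[sid] = max(0, st.capacity - st.pending)
        for sid in removed:
            self.members.discard(sid)
            self.states.pop(sid, None)
        assignments: Dict[str, List[str]] = {sid: [] for sid in spare}
        leftover: List[str] = []
        for req in requests:
            # Hand the next request to the server with the most spare slots
            # (ties broken by id), so the quantity each server receives matches
            # its busy extent; whatever cannot be placed stays queued.
            candidates = [s for s in sorted(spare) if spare[s] > 0]
            if not candidates:
                leftover.append(req)
                continue
            sid = max(candidates, key=lambda s: spare[s])
            assignments[sid].append(req)
            spare[sid] -= 1
        return assignments, leftover, removed
```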
In a possible embodiment, the system further includes a first cache server and a second cache server, wherein:
The LIST SERVER obtains pending transaction requests from the first cache server;
Each CA server among the at least one CA server queries the second cache server for the certificate information and/or user information needed to process a transaction request.
Based on the same inventive concept, the embodiment of the present invention provides a computer-readable storage medium that stores computer instructions; when the computer instructions run on a computer, they cause the computer to execute the above deployment method and/or certificate authentication method of the certificate authentication system.
It should be noted that the computer here may refer to a computer system, and a computer system may include multiple computer devices. Moreover, each method can be split for execution, with each computer device executing only the part of the method assigned to it.
In a specific implementation, the computer-readable storage medium includes various storage media that can store program code, such as a USB flash drive (Universal Serial Bus flash drive, USB), a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk or an optical disc.
The one or more technical solutions above have at least the following beneficial effects:
In the embodiment of the present invention, the certificate authentication system includes an independently deployed LIST SERVER, at least one CA server, a database server and an encryption equipment server. The LIST SERVER configures the certificate service running environment of the at least one CA server and, according to the work state information reported by the at least one CA server, distributes the transaction requests it has obtained to the at least one CA server; the at least one CA server processes the transaction requests distributed by the LIST SERVER; the database server provides the at least one CA server with the certificate information and/or user information needed to process transaction requests; and the encryption equipment server protects the keys of the at least one CA server.
By deploying each functional module of the certificate authentication system independently as its own server, the architecture of the certificate authentication system becomes more flexible, and changes such as capacity expansion are easy to carry out. Moreover, because the servers implementing the individual functions are loosely coupled, modifying the system has little impact on the business, and maintainability is strong.
Further, based on the certificate authentication system architecture in the embodiment of the present invention, suitable hardware can be chosen for each function according to its performance requirements when deploying the certificate authentication system, avoiding the high cost incurred when an existing certificate authentication system must upgrade a whole machine in order to be modified. Also, because the servers implementing the individual functions are deployed independently, hot or cold standby can be provided only for some servers in the system (such as the LIST SERVER) according to actual needs, improving the stability and redundancy of the system.
Further, the certificate authentication system can be equipped with a uniform service interface, through which users can request certificate services more conveniently and in a standard way, while the certificate authentication system can also manage transaction requests more easily.
Further, the certificate authentication system can be equipped with a first cache server and/or a second cache server. With the first cache server, the certificate authentication system can keep operating normally under high concurrency and high traffic, improving the stability of the system; with the second cache server, the speed at which CA servers obtain the data provided by the database can be increased, improving the efficiency with which CA servers process transaction requests.
The apparatus embodiments described above are merely exemplary. The units/modules described as separate components may or may not be physically separate, and the components shown as units/modules may or may not be physical units/modules; they may be located in one place or distributed across multiple network elements/modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
From the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, or of course by hardware. Based on this understanding, the above technical solution, or the part of it that contributes to the existing technology, can be embodied in the form of a software product. The computer software product can be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are merely illustrative of the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the above embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A certificate authentication system, characterized in that the system comprises an independently deployed LIST SERVER, at least one CA server, a database server and an encryption equipment server, wherein:
the LIST SERVER is configured to configure the certificate service running environment of the at least one CA server and, according to the work state information reported by the at least one CA server, distribute the obtained transaction requests to the at least one CA server;
the at least one CA server is configured to process the transaction requests distributed by the LIST SERVER;
the database server is configured to provide the at least one CA server with the certificate information and/or user information needed to process transaction requests;
the encryption equipment server is configured to protect the keys of the at least one CA server.
2. The system as claimed in claim 1, characterized in that the system further comprises a first cache server and/or a second cache server, wherein:
the first cache server is configured to cache the transaction requests received at the uniform service entrance of the system, and the LIST SERVER obtains pending transaction requests from the first cache server;
the second cache server is configured to synchronize from the database server the certificate information and/or user information stored in the database server, and the at least one CA server queries the second cache server for the certificate information and/or user information needed to process a transaction request.
3. The system as claimed in claim 1 or 2, characterized in that the LIST SERVER is specifically configured to:
determine whether, within a preset duration, it has received the work state information that a first CA server among the at least one CA server sends periodically;
if so, determine the current busy extent of the first CA server according to the work state information of the first CA server, and distribute to the first CA server a quantity of transaction requests that matches the busy extent of the first CA server;
otherwise, detect whether the first CA server is operating normally and, upon determining that the first CA server is not operating normally, remove the first CA server from the system.
4. The system as claimed in claim 1 or 2, characterized in that the LIST SERVER is further configured to:
receive an activation request sent by a second CA server that does not belong to the system, the activation request asking to activate the certificate service function of the second CA server;
send a configuration file to the second CA server and add the second CA server to the system, so as to activate the certificate service function of the second CA server, wherein the configuration file is used to configure the certificate service running environment of the second CA server.
5. A deployment method for a certificate authentication system, characterized in that the system comprises an independently deployed LIST SERVER, a database server and an encryption equipment server, the database server being used to provide the CA servers in the system with the certificate information and/or user information needed to process transaction requests, and the encryption equipment server being used to protect the keys of the CA servers in the system, the method comprising:
the LIST SERVER receiving an activation request sent by at least one CA server that does not belong to the system, the activation request asking to activate the certificate service function of the at least one CA server;
the LIST SERVER sending a configuration file to the at least one CA server and adding the at least one CA server to the system, so as to activate the certificate service function of the at least one CA server, the configuration file being used to configure the certificate service running environment of the at least one CA server.
6. The method as claimed in claim 5, characterized in that the method further comprises:
the LIST SERVER determining whether, within a preset duration, it has received the work state information that a first CA server comprised in the system sends periodically;
if so, the LIST SERVER determining the current busy extent of the first CA server according to the work state information of the first CA server, and distributing to the first CA server a quantity of transaction requests that matches the busy extent of the first CA server;
otherwise, the LIST SERVER detecting whether the first CA server is operating normally and, upon determining that the first CA server is not operating normally, removing the first CA server from the system.
7. A certificate authentication method, characterized in that the method is applied to the certificate authentication system as claimed in any one of claims 1-4, the method comprising:
the LIST SERVER receiving the work state information reported by each CA server among the at least one CA server, and distributing the obtained transaction requests to each CA server according to the work state information reported by that CA server;
each CA server among the at least one CA server processing the transaction requests distributed to it by the LIST SERVER, based on the key protected by the encryption equipment server and the certificate information and/or user information provided by the database server.
8. The method as claimed in claim 7, characterized in that distributing the obtained transaction requests to each CA server according to the work state information reported by each CA server comprises:
the LIST SERVER determining the current busy extent of each CA server among the at least one CA server according to the work state information reported by that CA server, and distributing to each CA server a quantity of transaction requests that matches the busy extent of that CA server.
9. The method as claimed in claim 7 or 8, characterized in that the system further comprises a first cache server and a second cache server, wherein:
the LIST SERVER obtains pending transaction requests from the first cache server;
each CA server among the at least one CA server queries the second cache server for the certificate information and/or user information needed to process a transaction request.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer instructions which, when run on a computer, cause the computer to execute the method as claimed in any one of claims 5-9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810620418.0A CN108809993A (en) | 2018-06-15 | 2018-06-15 | The dispositions method and certificate authentication method of certificate authentication system, certificate authentication system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108809993A true CN108809993A (en) | 2018-11-13 |
Family
ID=64086507
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20181113 |