CN108809993A - Certificate authentication system, method for deploying a certificate authentication system, and certificate authentication method - Google Patents

Certificate authentication system, method for deploying a certificate authentication system, and certificate authentication method

Info

Publication number: CN108809993A
Application number: CN201810620418.0A
Authority: CN (China)
Prior art keywords: servers, server, certificate, transaction request, certificate authentication
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 郑军, 刘金华, 张庆勇
Current assignee: Beijing Xin'an Century Polytron Technologies Inc
Original assignee: Beijing Xin'an Century Polytron Technologies Inc
Application filed by Beijing Xin'an Century Polytron Technologies Inc
Priority to CN201810620418.0A
Publication of CN108809993A

Classifications

    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • G06Q20/38215 Payment protocols insuring higher security of transaction; electronic credentials; use of certificates or encrypted proofs of transaction rights
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L67/568 Network services; provisioning of proxy services; storing data temporarily at an intermediate stage, e.g. caching
    • H04L2463/102 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measure for e-commerce
    • H04L67/1095 Protocols in which an application is distributed across nodes in the network; replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

Embodiments of the present invention provide a certificate authentication system, a method for deploying a certificate authentication system, and a certificate authentication method, in order to solve the technical problem that existing certificate authentication systems are inflexible to deploy and costly to upgrade. The certificate authentication system comprises an independently deployed directory server, at least one CA server, a database server and an encryption machine server, wherein: the directory server configures the certificate-service running environment of the at least one CA server and, according to the work state information reported by the at least one CA server, distributes the received transaction requests to the at least one CA server; the at least one CA server processes the transaction requests distributed by the directory server; the database server provides the at least one CA server with the certificate information and/or user information needed to process transaction requests; and the encryption machine server protects the keys of the at least one CA server.

Description

Certificate authentication system, method for deploying a certificate authentication system, and certificate authentication method
Technical field
The present invention relates to the field of computer technology, and in particular to a certificate authentication system, a method for deploying a certificate authentication system, and a certificate authentication method.
Background
A digital certificate (hereinafter, certificate) is a string of characters that identifies each party in Internet communication, and is issued by a certificate authority. A certificate mainly serves two purposes: encrypted communication, which ensures that data is not intercepted by unauthorized users and that the content of the communication is not disclosed to unauthorized users; and digital signature, which is used to verify the identity of entities communicating on the Internet.
At present, the certificate authentication systems of certificate authorities mostly use a Web-developed B/S (browser/server) or C/S (client/server) architecture in which the entire system is a single complete server. With such an architecture, when the transaction volume grows and the transaction processing capacity of the certificate authentication system has to be raised, the entire system must be upgraded, for example by replacing its hardware with higher-performance hardware or by deploying hot standby or cold standby for the whole system. Whichever upgrade method is used, a high cost must be invested.
Summary of the invention
Embodiments of the present invention provide a certificate authentication system, a method for deploying a certificate authentication system, and a certificate authentication method, in order to solve the technical problem that existing certificate authentication systems are inflexible to deploy and costly to upgrade.
In a first aspect, a certificate authentication system is provided. The system comprises an independently deployed directory server, at least one CA server, a database server and an encryption machine server, wherein:
the directory server is configured to configure the certificate-service running environment of the at least one CA server and, according to the work state information reported by the at least one CA server, to distribute the received transaction requests to the at least one CA server;
the at least one CA server is configured to process the transaction requests distributed by the directory server;
the database server is configured to provide the at least one CA server with the certificate information and/or user information needed to process transaction requests;
the encryption machine server is configured to protect the keys of the at least one CA server.
In one possible implementation, the system further comprises a first cache server and/or a second cache server, wherein:
the first cache server caches the transaction requests received at the unified service entrance of the system, and the directory server obtains pending transaction requests from the first cache server;
the second cache server synchronizes from the database server the certificate information and/or user information stored there, and the at least one CA server queries the second cache server for the certificate information and/or user information needed to process a transaction request.
In one possible implementation, the directory server is specifically configured to:
determine whether the work state information periodically sent by a first CA server among the at least one CA server has been received within a preset duration;
if so, determine the current busy level of the first CA server according to its work state information, and distribute to the first CA server a number of transaction requests matching that busy level;
otherwise, detect whether the first CA server is operating normally and, upon determining that it is not, remove the first CA server from the system.
In one possible implementation, the directory server is further configured to:
receive an activation request sent by a second CA server that does not yet belong to the system, the activation request requesting activation of the certificate-service function of the second CA server;
send a configuration file to the second CA server and add the second CA server to the system, so as to activate the certificate-service function of the second CA server, wherein the configuration file configures the certificate-service running environment of the second CA server.
In a second aspect, a method for deploying a certificate authentication system is provided. The system comprises an independently deployed directory server, a database server and an encryption machine server; the database server provides the CA servers in the system with the certificate information and/or user information needed to process transaction requests, and the encryption machine server protects the keys of the CA servers in the system. The method comprises:
the directory server receives an activation request sent by at least one CA server that does not yet belong to the system, the activation request requesting activation of the certificate-service function of the at least one CA server;
the directory server sends a configuration file to the at least one CA server and adds the at least one CA server to the system, so as to activate the certificate-service function of the at least one CA server, the configuration file configuring the certificate-service running environment of the at least one CA server.
In one possible implementation, the method further comprises:
the directory server determines whether the work state information periodically sent by a first CA server comprised in the system has been received within a preset duration;
if so, the directory server determines the current busy level of the first CA server according to its work state information, and distributes to the first CA server a number of transaction requests matching that busy level;
otherwise, the directory server detects whether the first CA server is operating normally and, upon determining that it is not, removes the first CA server from the system.
In a third aspect, a certificate authentication method is provided, applied to the certificate authentication system of the first aspect or of any implementation of the first aspect. The method comprises:
the directory server receives the work state information reported by each CA server among the at least one CA server and, according to the work state information reported by each CA server, distributes the received transaction requests to each CA server;
each CA server among the at least one CA server processes the transaction requests distributed to it by the directory server, based on the key protected by the encryption machine server and the certificate information and/or user information provided by the database server.
In one possible implementation, distributing the received transaction requests to each CA server according to the work state information reported by each CA server comprises:
the directory server determines the current busy level of each CA server among the at least one CA server according to the work state information it reports, and distributes to each CA server a number of transaction requests matching its busy level.
In one possible implementation, the system further comprises a first cache server and a second cache server, wherein:
the directory server obtains pending transaction requests from the first cache server;
each CA server among the at least one CA server queries the second cache server for the certificate information and/or user information needed to process a transaction request.
In a fourth aspect, a computer-readable storage medium is provided, wherein:
the computer-readable storage medium stores computer instructions which, when run on a computer, cause the computer to execute the method of the second aspect and/or the third aspect.
In embodiments of the present invention, the certificate authentication system comprises an independently deployed directory server, at least one CA server, a database server and an encryption machine server. The directory server configures the certificate-service running environment of the at least one CA server and distributes the received transaction requests to the at least one CA server according to the work state information it reports; the at least one CA server processes the transaction requests distributed by the directory server; the database server provides the at least one CA server with the certificate information and/or user information needed to process transaction requests; and the encryption machine server protects the keys of the at least one CA server.
Because each functional module of the certificate authentication system is deployed independently as its own server, the architecture of the system is more flexible, and changes such as capacity expansion are easy to carry out. Moreover, since the coupling between the servers implementing the different functions is low, upgrading the system has little impact on the business, and the system is highly maintainable.
Further, with the certificate authentication system architecture of the embodiments, suitable hardware can be chosen for each function according to its performance requirements when the system is deployed, which avoids the high cost of upgrading the whole machine that the transformation of an existing certificate authentication system requires. And since the servers implementing the different functions are deployed independently, hot standby or cold standby can be applied only to selected servers in the system (for example the directory server) according to actual needs, improving the stability and redundancy of the system.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the connection relationships of a certificate authentication system in an embodiment of the present invention;
Fig. 2 is a schematic diagram of the connection relationships of another certificate authentication system in an embodiment of the present invention;
Fig. 3 is a flow diagram of a method for deploying a certificate authentication system in an embodiment of the present invention;
Fig. 4 is a flow diagram of a certificate authentication method in an embodiment of the present invention.
Detailed description of embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the embodiments described are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In addition, the term "and/or" herein merely describes an association between related objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, A and B together, or B alone. The character "/" herein, unless otherwise stated, generally indicates an "or" relationship between the preceding and following objects. It should also be understood that, in the description of the embodiments, words such as "first" and "second" serve only to distinguish the objects being described and are not to be understood as indicating or implying relative importance or order.
Embodiments of the present invention provide a certificate authentication system developed in a modular, separated manner: each functional module and configuration file is deployed separately. The system may be deployed in the cloud, on local servers, or jointly across cloud and local servers.
As shown in Fig. 1, the certificate authentication system comprises a directory server, at least one certificate authority (CA) server, a database server and an encryption machine server. In embodiments of the present invention these servers are deployed separately, and servers that communicate with each other are connected through a network to exchange data.
In one possible embodiment, as shown in Fig. 1, the certificate authentication system may provide a unified service entrance through which users submit transaction requests to the system.
The certificate authentication system provides certificate services to the user according to the submitted transaction request. In embodiments of the present invention, a transaction request may request a transaction of a type such as certificate application, certificate download, certificate update, certificate freeze, certificate unfreeze, certificate revocation or CRL publishing. Different transaction types carry different information in the request, and the certificate service the system performs for the request differs accordingly.
The directory server is connected to the at least one CA server through the network. It configures the certificate-service running environment of the at least one CA server in the system and, according to the work state information reported by the at least one CA server, distributes the received transaction requests to them. That is, the directory server manages the configuration and number of CA servers in the system, and manages the operating status, certificate-service status and busy level of each CA server.
Specifically, each CA server in the certificate authentication system may report its own work state information to the directory server periodically at a predetermined interval. The work state information reflects the working condition of the CA server, such as whether it is operating normally, its busy level and its running environment; as a concrete example, it may include one or more of the CA server's own IP information, running-state information and hardware utilization information. After receiving the work state information reported by a CA server, the directory server can distribute the received transaction requests to that CA server according to its working condition.
The CA servers in the certificate authentication system all have the same function: each processes the transaction requests distributed to it by the directory server, for example performing certificate services such as certificate application, certificate generation, certificate revocation and certificate recovery according to the transaction request.
The CA servers described in embodiments of the present invention may be deployed as a cluster or as single machines. In one possible embodiment, when a CA server runs for the first time it obtains the relevant configuration from the directory server and loads it into memory to complete initialization, and after initialization it reports information such as its IP address, running state and hardware utilization to the directory server. In a specific implementation, after the first CA server in the system has been initialized it can be turned into an image, and further CA servers can be deployed directly from that image, which makes expansion flexible and convenient.
The database server provides the at least one CA server in the system with the certificate information and/or user information needed to process transaction requests; that is, the database server records the certificate information and/or user information in the system. The user information may include user identity information, blacklist information, user transaction request records and the like. In practice, the database server may also record other information needed for processing transaction requests.
The encryption machine server may be connected through the network to the at least one CA server in the system and protects the keys of the at least one CA server. For example, the encryption machine server may hold the root private key of the CA servers, which is used to sign certificates.
In one possible embodiment, for any CA server in the certificate authentication system, for example a first CA server, the directory server may determine whether the work state information periodically sent by the first CA server has been received within a preset duration. If so, it determines the current busy level of the first CA server according to that work state information and distributes to the first CA server a number of transaction requests matching that busy level; otherwise, it detects whether the first CA server is operating normally and, upon determining that it is not, removes the first CA server from the system.
When distributing transaction requests to the first CA server, besides the busy level of the first CA server, the directory server may also take into account the total number of pending transaction requests in the system and the current busy levels of the other CA servers in the system, among other factors.
The directory server may detect whether the first CA server is operating normally by sending probe information to the first CA server. If the directory server receives feedback from the first CA server in response to the probe, it can further judge the working condition of the first CA server from that feedback; if, a preset duration after the probe was sent, neither feedback nor work state information has been received from the first CA server, the directory server can directly determine that the first CA server is not operating normally.
The directory server may remove the first CA server from the system by closing the port connected to the first CA server, by marking the first CA server as invalid in the system, or by sending a disconnect instruction or shutdown command to the first CA server, among other ways.
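The heartbeat-driven distribution and removal logic of the preceding paragraphs (periodic work state reports, a number of requests matched to each CA server's busy level, a probe to a CA server whose reports have stopped, and removal when it does not answer), modelled as an added Python example. This is illustration code written for this page, not the patent's implementation; the 30-second preset duration, the busy-level formula (the higher of CPU and memory utilization) and the rule that requests are shared in proportion to spare capacity are assumptions, as are the `DirectoryServer`, `WorkState` and `simulate` names and the sample values.

```python
"""Model of the directory server's heartbeat handling and request distribution.

Added illustration, not the patent's code. Assumed: a 30 s preset duration,
busy level = max(cpu, memory utilization), and requests shared in proportion
to each CA server's spare capacity (1 - busy level).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

HEARTBEAT_TIMEOUT_S = 30.0  # assumed "preset duration"


@dataclass
class WorkState:
    """Work state information a CA server reports periodically."""
    ip: str
    running: bool        # running-state information
    cpu_util: float      # hardware utilization, 0.0 .. 1.0
    mem_util: float
    reported_at: float   # timestamp at which the report arrived


@dataclass
class CAServerRecord:
    name: str
    last_state: Optional[WorkState] = None


class DirectoryServer:
    def __init__(self, probe: Callable[[str], bool]):
        # probe(name) -> True when the CA server answers the detection message
        self.probe = probe
        self.cas: Dict[str, CAServerRecord] = {}

    def register(self, name: str) -> None:
        self.cas[name] = CAServerRecord(name)

    def report(self, name: str, state: WorkState) -> None:
        """Called when a CA server's periodic work state information arrives."""
        self.cas[name].last_state = state

    @staticmethod
    def busy_level(state: WorkState) -> float:
        # assumed formula: the most loaded resource decides how busy the server is
        return max(state.cpu_util, state.mem_util)

    def reap(self, now: float) -> List[str]:
        """Remove CA servers whose heartbeat is stale and which fail the probe."""
        removed: List[str] = []
        for name, ca in list(self.cas.items()):
            st = ca.last_state
            fresh = st is not None and now - st.reported_at <= HEARTBEAT_TIMEOUT_S
            if fresh and st.running:
                continue  # report received within the preset duration: no probe needed
            if not self.probe(name):
                del self.cas[name]  # the "mark invalid / disconnect" step of the text
                removed.append(name)
        return removed

    def distribute(self, pending: List[str], now: float) -> Dict[str, List[str]]:
        """Assign pending requests; a server receives more the less busy it is."""
        self.reap(now)
        weights = {
            ca.name: 1.0 - self.busy_level(ca.last_state)
            for ca in self.cas.values()
            if ca.last_state is not None and ca.last_state.running
        }
        weights = {n: w for n, w in weights.items() if w > 0}  # saturated servers get nothing
        assignment: Dict[str, List[str]] = {n: [] for n in weights}
        for req in pending:
            if not weights:
                break  # no live server: requests stay pending in the request cache
            # pick the server with the smallest load relative to its weight
            target = min(weights, key=lambda n: (len(assignment[n]) / weights[n], n))
            assignment[target].append(req)
        return assignment


def simulate() -> Tuple[Dict[str, List[str]], List[str]]:
    """Constructed scenario: ca1 lightly loaded, ca2 busier, ca3 silent and dead."""
    ds = DirectoryServer(probe=lambda name: name != "ca3")
    for name in ("ca1", "ca2", "ca3"):
        ds.register(name)
    ds.report("ca1", WorkState("10.0.0.1", True, 0.50, 0.25, reported_at=95.0))
    ds.report("ca2", WorkState("10.0.0.2", True, 0.75, 0.50, reported_at=96.0))
    ds.report("ca3", WorkState("10.0.0.3", True, 0.10, 0.10, reported_at=0.0))
    assignment = ds.distribute([f"tx{i}" for i in range(6)], now=100.0)
    removed = [n for n in ("ca1", "ca2", "ca3") if n not in ds.cas]
    return assignment, removed


if __name__ == "__main__":
    print(simulate())
```

With the constructed reports, ca1 (busy level 0.5) receives twice as many requests as ca2 (busy level 0.75), and ca3, whose last report is older than the preset duration and which does not answer the probe, is removed before distribution. A server that is still registered but has never reported is not given work, which is the safe default while its first report is outstanding.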
In embodiments of the present invention, the directory server can implement the following functions by sending a configuration file to a CA server:
(1) activate the certificate-service function of the CA server;
(2) close the certificate-service function of the CA server;
(3) configure or modify the running environment of the CA server.
Moreover, with the certificate authentication system architecture of the embodiments, the number of CA servers in the system can easily be increased to improve the certificate-service capacity of the system. Taking the addition of a second CA server that does not yet belong to the system as an example, the process is as follows: the directory server receives an activation request sent by the second CA server, the activation request requesting activation of the certificate-service function of the second CA server; the directory server then sends a configuration file to the second CA server and adds it to the system, so as to activate its certificate-service function, the configuration file configuring the certificate-service running environment of the second CA server.
In one possible embodiment, as shown in Fig. 2, the certificate authentication system may further comprise a first cache server and/or a second cache server.
The first cache server may be connected to the directory server through the network; it caches the transaction requests received at the unified service entrance of the system, and the directory server obtains pending transaction requests from the first cache server. Buffering the transaction requests submitted by users in the first cache server lets the certificate authentication system fetch them when it is idle, making efficient use of system resources. After the certificate authentication system has processed a transaction request, that request can be destroyed in the first cache server.
The first cache server may be any of various types of cache server, for example a Redis server. A Redis server is an in-memory database server whose storage efficiency is higher than that of a relational database server. The first cache server may also use a one-master, multiple-slave configuration. Taking a certificate transaction volume of 10,000 to 20,000 as an example, and assuming that one certificate transaction request needs 1 KB of storage, 1 GB of storage can cache a million certificate transaction requests, which greatly reduces the server hardware requirements compared with the prior art. In addition, the first cache server in the embodiments may refer to a single cache server or to multiple cache servers.
The second cache server may be connected through the network to the at least one CA server in the system and to the database server. The second cache server synchronizes from the database server the information stored there (such as certificate information and/or user information), and the at least one CA server queries the second cache server for the information (such as certificate information and/or user information) needed to process a transaction request.
Specifically, the second cache server may cache the certificate status information held in the database server to improve the query efficiency of the CA servers in the system; for example, it may cache each certificate's subject Distinguished Name (DN), template, serial number (SN) and state. Assuming each record needs 100 bytes of storage, 1 GB of memory can cache millions of certificates. It can be seen that, compared with the existing certificate authentication system architecture, the certificate authentication system of the embodiments can greatly reduce the hardware performance requirements. The second cache server may also be any of various types of cache server, for example a Redis server. In addition, the second cache server in the embodiments may refer to a single cache server or to multiple cache servers.
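The two cache roles described above, as an added Python model that is not part of the patent: the first cache server holds submitted transaction requests until the system has processed and destroyed them, and the second cache server keeps a synchronized copy of certificate status (DN, template, SN, state) that the CA servers query instead of the database. Plain dictionaries stand in for the Redis servers the text mentions; the record layout, the cache-aside refill on a miss, the write-through on a state change, the `ca_handle` and `run_demo` names and the sample records are all assumptions made for this example.

```python
"""Model of the two cache servers of the certificate authentication system.

Added illustration, not the patent's code. Assumed: in-memory dicts stand in
for Redis, a cache-aside refill on a miss, write-through on state changes,
and constructed sample certificate records.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CertRecord:
    dn: str        # subject Distinguished Name
    template: str
    sn: str        # serial number
    state: str     # "valid", "frozen" or "revoked"


class DatabaseServer:
    def __init__(self, records: List[CertRecord]) -> None:
        self.records: Dict[str, CertRecord] = {r.sn: r for r in records}

    def fetch(self, sn: str) -> Optional[CertRecord]:
        return self.records.get(sn)

    def set_state(self, sn: str, state: str) -> CertRecord:
        self.records[sn] = replace(self.records[sn], state=state)
        return self.records[sn]


class RequestCache:
    """First cache server: holds requests until the system destroys them."""
    def __init__(self) -> None:
        self.pending: Dict[str, dict] = {}     # insertion order = arrival order
        self.in_flight: Dict[str, dict] = {}

    def submit(self, tx: dict) -> int:          # called at the unified service entrance
        self.pending[tx["id"]] = tx
        return len(self.pending)

    def take(self) -> Optional[dict]:           # called by the directory server when idle
        if not self.pending:
            return None
        tx_id = next(iter(self.pending))
        tx = self.pending.pop(tx_id)
        self.in_flight[tx_id] = tx              # kept until processing is confirmed
        return tx

    def destroy(self, tx_id: str) -> None:      # after the request has been processed
        self.in_flight.pop(tx_id, None)


class StatusCache:
    """Second cache server: synchronized copy of certificate status."""
    def __init__(self, db: DatabaseServer) -> None:
        self.db = db
        self.entries: Dict[str, CertRecord] = {}
        self.misses = 0

    def sync_all(self) -> int:
        self.entries = dict(self.db.records)
        return len(self.entries)

    def lookup(self, sn: str) -> Optional[CertRecord]:
        rec = self.entries.get(sn)
        if rec is None:                          # cache-aside refill on a miss
            self.misses += 1
            rec = self.db.fetch(sn)
            if rec is not None:
                self.entries[sn] = rec
        return rec

    def update(self, rec: CertRecord) -> None:   # keep the mirror current after a write
        self.entries[rec.sn] = rec


def ca_handle(tx: dict, cache: StatusCache, db: DatabaseServer) -> Tuple[str, str]:
    """A CA server processing one request via the status cache and the database."""
    rec = cache.lookup(tx["sn"])
    if rec is None:
        return ("error", "unknown certificate")
    if tx["type"] == "download":
        return ("ok", rec.state)
    if tx["type"] == "freeze":
        if rec.state != "valid":
            return ("error", f"cannot freeze a {rec.state} certificate")
        cache.update(db.set_state(rec.sn, "frozen"))   # write through, then refresh the cache
        return ("ok", "frozen")
    return ("error", "unsupported transaction type")


def run_demo() -> Tuple[List[Tuple[str, str]], int, int]:
    """Constructed scenario; returns (results, cache misses, requests still in flight)."""
    db = DatabaseServer([
        CertRecord("CN=alice,O=Example", "user", "1001", "valid"),
        CertRecord("CN=svc-1,O=Example", "server", "1002", "revoked"),
    ])
    status, requests = StatusCache(db), RequestCache()
    status.sync_all()
    for tx in ({"id": "t1", "type": "freeze", "sn": "1001"},
               {"id": "t2", "type": "download", "sn": "1001"},
               {"id": "t3", "type": "freeze", "sn": "1002"},
               {"id": "t4", "type": "download", "sn": "9999"}):
        requests.submit(tx)
    results = []
    while (tx := requests.take()) is not None:   # the directory server drains the queue
        results.append(ca_handle(tx, status, db))
        requests.destroy(tx["id"])
    return results, status.misses, len(requests.in_flight)


if __name__ == "__main__":
    print(run_demo())
```

The point to notice is that a state change made by one CA server (the freeze of serial 1001) must reach the second cache before the next request for that certificate is served, otherwise another CA server would act on stale status; here that is done by writing the database first and then refreshing the cache entry. A request for a serial number that exists nowhere counts as a single cache miss and is answered as unknown rather than retried.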
Referring to Fig. 3, based on the same inventive concept, the embodiment of the present invention provides a deployment method for a certificate authentication system. The certificate authentication system deployed by this method may, for example, be the certificate authentication system shown in Fig. 1 or Fig. 2; therefore, when understanding and explaining the deployment method, reference may be made to the foregoing description of the certificate authentication system in Figs. 1 and 2, which is not repeated here.
The certificate authentication system includes an independently deployed directory server, a database server and an encryption equipment server. The database server is used to provide the CA servers in the system with the certificate information and/or user information needed to process transaction requests, and the encryption equipment server is used to protect the keys of the CA servers in the system. The flow of the deployment method is as follows:
Step 301: the directory server receives an activation request sent by at least one CA server that does not yet belong to the system, the activation request being used to request activation of the certificate service function of the at least one CA server;
Step 302: the directory server sends a configuration file to the at least one CA server and adds the at least one CA server to the system, so as to activate the certificate service function of the at least one CA server; the configuration file is used to configure the certificate service running environment of the at least one CA server.
In a possible embodiment, the method further includes:
the directory server determines whether the work state information periodically sent by a first CA server included in the system has been received within a preset duration;
if so, the directory server determines the current busy degree of the first CA server according to the work state information of the first CA server, and distributes to the first CA server a number of transaction requests matching the busy degree of the first CA server;
otherwise, the directory server detects whether the first CA server is operating normally and, on determining that the first CA server is not operating normally, removes the first CA server from the system.
Referring to Fig. 4, based on the same inventive concept, the embodiment of the present invention provides a certificate authentication method. The method can be applied to a certificate authentication system, for example the certificate authentication system shown in Fig. 1 or Fig. 2; therefore, when understanding and explaining the certificate authentication method, reference may be made to the foregoing description of the certificate authentication system in Figs. 1 and 2, which is not repeated here. The flow of the certificate authentication method is as follows:
Step 401: the directory server receives the work state information reported by each CA server among the at least one CA server, and distributes the transaction requests it has obtained to each CA server according to the work state information reported by that CA server;
Step 402: each CA server among the at least one CA server processes the transaction requests that the directory server has distributed to it, based on the key protected by the encryption equipment server and the certificate information and/or user information provided by the database server.
In a possible embodiment, distributing the obtained transaction requests to each CA server according to the work state information reported by each CA server includes:
the directory server determines the current busy degree of each CA server according to the work state information reported by each CA server among the at least one CA server, and distributes to each CA server a number of transaction requests matching the busy degree of that CA server.
In a possible embodiment, the system further includes a first cache server and a second cache server, wherein:
the directory server obtains pending transaction requests from the first cache server;
each CA server among the at least one CA server queries the second cache server for the certificate information and/or user information needed to process a transaction request.
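The directory server's role in steps 301, 302 and 401, together with the optional liveness check above, can be summarized in one small simulation. The Python below is an added example, not the patent's or the applicant's code: it models activation (the configuration file is a plain dict), periodic work-state reports, the preset-duration check with removal of a CA server that is no longer operating normally, and distribution of pending transaction requests in proportion to each CA server's busy degree. The weighting (100 minus the busy degree), the probe callback, the time values and all names are assumptions; the text fixes no particular formula.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class CaServerState:
    """Directory server's view of one CA server (assumed fields)."""
    name: str
    busy_degree: int = 0       # assumed scale 0..100, higher means busier
    last_report: float = 0.0   # time of the last work-state report


@dataclass
class DirectoryServer:
    preset_duration: float          # seconds a CA server may go without reporting
    base_config: Dict[str, str]     # assumed shape of the configuration file
    members: Dict[str, CaServerState] = field(default_factory=dict)

    # --- deployment method (steps 301 and 302) ---
    def handle_activation_request(self, ca_name: str, now: float) -> Dict[str, str]:
        """A CA server not yet in the system asks to activate; the directory server
        answers with the configuration file and adds the CA server to the system."""
        if ca_name in self.members:
            raise ValueError(f"{ca_name} already belongs to the system")
        self.members[ca_name] = CaServerState(ca_name, last_report=now)
        return {**self.base_config, "ca_name": ca_name}

    # --- work-state reporting and the preset-duration check ---
    def report_work_state(self, ca_name: str, busy_degree: int, now: float) -> None:
        ca = self.members[ca_name]
        ca.busy_degree = busy_degree
        ca.last_report = now

    def check_members(self, now: float, probe: Callable[[str], bool]) -> List[str]:
        """If a CA server reported within preset_duration it is kept as is; otherwise
        probe whether it still operates normally and remove it if it does not.
        `probe(name) -> bool` stands in for the liveness detection (assumption)."""
        removed = []
        for name, ca in list(self.members.items()):
            if now - ca.last_report <= self.preset_duration:
                continue
            if not probe(name):
                del self.members[name]
                removed.append(name)
        return removed

    # --- transaction request distribution (step 401) ---
    def distribute(self, requests: List[str]) -> Dict[str, List[str]]:
        """Give each CA server a share of the requests that matches its busy degree:
        an idle server gets the most, a saturated one (busy_degree 100) gets none.
        Uses a deterministic weighted round-robin (assumed; the text names no formula)."""
        weights = {n: max(0, 100 - ca.busy_degree) for n, ca in self.members.items()}
        total = sum(weights.values())
        assignment: Dict[str, List[str]] = {n: [] for n in self.members}
        if total == 0 or not requests:
            return assignment
        credit = {n: 0.0 for n in weights}
        for req in requests:
            # every server earns its normalized weight, the richest one takes the request
            for n, w in weights.items():
                credit[n] += w / total
            target = max(credit, key=credit.get)
            assignment[target].append(req)
            credit[target] -= 1.0
        return assignment
```

The requests passed to `distribute` are the ones the directory server would have taken from the first cache server; with `total == 0` (every CA server saturated) nothing is handed out and the requests stay pending, which is the behaviour a practitioner would want rather than overloading a busy server.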
Based on the same inventive concept, the embodiment of the present invention provides a computer-readable storage medium storing computer instructions which, when run on a computer, cause the computer to execute the deployment method and/or the certificate authentication method of the certificate authentication system described above.
It should be noted that a computer here may refer to a computer system, and a computer system may include multiple computer devices. Each method may also be split for execution, with each computer device executing only the part of the method assigned to it.
In a specific implementation, the computer-readable storage medium includes various media capable of storing program code, such as a USB flash drive (Universal Serial Bus flash drive, USB), a removable hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), a magnetic disk or an optical disc.
The one or more technical solutions above have at least the following beneficial effects:
In the embodiment of the present invention, the certificate authentication system includes an independently deployed directory server, at least one CA server, a database server and an encryption equipment server. The directory server is used to configure the certificate service running environment of the at least one CA server and, according to the work state information reported by the at least one CA server, to distribute the transaction requests it has obtained to the at least one CA server; the at least one CA server is used to process the transaction requests distributed by the directory server; the database server is used to provide the at least one CA server with the certificate information and/or user information needed to process transaction requests; and the encryption equipment server is used to protect the keys of the at least one CA server.
By deploying each functional module of the certificate authentication system independently as its own server, the architecture of the certificate authentication system becomes more flexible, and changes to the system such as capacity expansion become convenient. Also, because the coupling between the servers realizing the individual functions is low, upgrading the system has less impact on the business, and maintainability is strong.
Further, based on the certificate authentication system architecture in the embodiment of the present invention, suitable hardware can be configured for each function according to its performance requirements when deploying the certificate authentication system, which avoids the high cost incurred when upgrading an existing certificate authentication system requires upgrading the whole machine. Also, because the servers realizing the individual functions are deployed independently, hot standby or cold standby can be provided for only part of the servers in the system (such as the directory server) according to actual needs, improving the stability and redundancy of the system.
Further, the certificate authentication system can be provided with a unified service interface, through which users can request certificate services more conveniently and in a standardized way, while the certificate authentication system can also manage transaction requests more easily.
Further, the certificate authentication system can be provided with a first cache server and/or a second cache server. Based on the first cache server, the certificate authentication system can keep operating normally under high concurrency and high traffic, improving the stability of the system; based on the second cache server, the speed at which CA servers obtain the data provided by the database can be improved, improving the efficiency with which CA servers process transaction requests.
The apparatus embodiments described above are merely exemplary. The units/modules described as separate components may or may not be physically separate, and the components shown as units/modules may or may not be physical units/modules; that is, they may be located in one place or distributed over multiple network elements/modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. A person of ordinary skill in the art can understand and implement this without creative effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be realized by software plus a necessary general hardware platform, and of course also by hardware. Based on this understanding, the above technical solution in essence, or the part of it that contributes to the prior art, can be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are merely illustrative of the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the above embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A certificate authentication system, characterized in that the system comprises an independently deployed directory server, at least one CA server, a database server and an encryption equipment server, wherein:
the directory server is used to configure the certificate service running environment of the at least one CA server and, according to the work state information reported by the at least one CA server, to distribute to the at least one CA server the transaction requests it has obtained;
the at least one CA server is used to process the transaction requests distributed by the directory server;
the database server is used to provide the at least one CA server with the certificate information and/or user information needed to process transaction requests;
the encryption equipment server is used to protect the key of the at least one CA server.
2. The system as claimed in claim 1, characterized in that the system further comprises a first cache server and/or a second cache server, wherein:
the first cache server is used to cache the transaction requests received by the unified service entrance of the system, and the directory server obtains pending transaction requests from the first cache server;
the second cache server is used to synchronize from the database server the certificate information and/or user information stored in the database server, and the at least one CA server queries the second cache server for the certificate information and/or user information needed to process a transaction request.
3. The system as claimed in claim 1 or 2, characterized in that the directory server is specifically used to:
determine whether the work state information periodically sent by a first CA server among the at least one CA server has been received within a preset duration;
if so, determine the current busy degree of the first CA server according to the work state information of the first CA server, and distribute to the first CA server a number of transaction requests matching the busy degree of the first CA server;
otherwise, detect whether the first CA server is operating normally and, on determining that the first CA server is not operating normally, remove the first CA server from the system.
4. The system as claimed in claim 1 or 2, characterized in that the directory server is further used to:
receive an activation request sent by a second CA server that does not belong to the system, the activation request being used to request activation of the certificate service function of the second CA server;
send a configuration file to the second CA server and add the second CA server to the system, so as to activate the certificate service function of the second CA server, wherein the configuration file is used to configure the certificate service running environment of the second CA server.
5. A deployment method for a certificate authentication system, characterized in that the system comprises an independently deployed directory server, a database server and an encryption equipment server, the database server being used to provide the CA servers in the system with the certificate information and/or user information needed to process transaction requests, and the encryption equipment server being used to protect the keys of the CA servers in the system, the method comprising:
the directory server receiving an activation request sent by at least one CA server that does not belong to the system, the activation request being used to request activation of the certificate service function of the at least one CA server;
the directory server sending a configuration file to the at least one CA server and adding the at least one CA server to the system, so as to activate the certificate service function of the at least one CA server, the configuration file being used to configure the certificate service running environment of the at least one CA server.
6. The method as claimed in claim 5, characterized in that the method further comprises:
the directory server determining whether the work state information periodically sent by a first CA server included in the system has been received within a preset duration;
if so, the directory server determining the current busy degree of the first CA server according to the work state information of the first CA server, and distributing to the first CA server a number of transaction requests matching the busy degree of the first CA server;
otherwise, the directory server detecting whether the first CA server is operating normally and, on determining that the first CA server is not operating normally, removing the first CA server from the system.
7. A certificate authentication method, characterized in that the method is applied to the certificate authentication system as claimed in any one of claims 1-4, the method comprising:
the directory server receiving the work state information reported by each CA server among the at least one CA server, and distributing the transaction requests it has obtained to each CA server according to the work state information reported by that CA server;
each CA server among the at least one CA server processing the transaction requests distributed to it by the directory server, based on the key protected by the encryption equipment server and the certificate information and/or user information provided by the database server.
8. The method as claimed in claim 7, characterized in that distributing the obtained transaction requests to each CA server according to the work state information reported by each CA server comprises:
the directory server determining the current busy degree of each CA server according to the work state information reported by each CA server among the at least one CA server, and distributing to each CA server a number of transaction requests matching the busy degree of that CA server.
9. The method as claimed in claim 7 or 8, characterized in that the system further comprises a first cache server and a second cache server, wherein:
the directory server obtains pending transaction requests from the first cache server;
each CA server among the at least one CA server queries the second cache server for the certificate information and/or user information needed to process a transaction request.
10. A computer-readable storage medium, characterized in that:
the computer-readable storage medium stores computer instructions which, when run on a computer, cause the computer to execute the method as claimed in any one of claims 5-9.
CN201810620418.0A 2018-06-15 2018-06-15 The dispositions method and certificate authentication method of certificate authentication system, certificate authentication system Pending CN108809993A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810620418.0A CN108809993A (en) 2018-06-15 2018-06-15 The dispositions method and certificate authentication method of certificate authentication system, certificate authentication system

Publications (1)

Publication Number Publication Date
CN108809993A true CN108809993A (en) 2018-11-13

Family

ID=64086507

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810620418.0A Pending CN108809993A (en) 2018-06-15 2018-06-15 The dispositions method and certificate authentication method of certificate authentication system, certificate authentication system

Country Status (1)

Country Link
CN (1) CN108809993A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102970299A (en) * 2012-11-27 2013-03-13 西安电子科技大学 File safe protection system and method thereof
WO2014135195A1 (en) * 2013-03-05 2014-09-12 Telefonaktiebolaget L M Ericsson (Publ) Handling of digital certificates
CN104320492A (en) * 2014-11-11 2015-01-28 北京国双科技有限公司 Method and device for dispatching web servers
CN104506353A (en) * 2014-12-23 2015-04-08 北京奇虎科技有限公司 Authentication management method, equipment and system
CN106656552A (en) * 2016-09-30 2017-05-10 上海冰穹网络科技有限公司 Extension method, system and electronic device for data platform system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110708165A (en) * 2019-09-29 2020-01-17 杭州尚尚签网络科技有限公司 Multi-CA automatic scheduling method based on request response
CN110708165B (en) * 2019-09-29 2022-08-05 杭州尚尚签网络科技有限公司 Multi-CA automatic scheduling method based on request response
CN112073401A (en) * 2020-08-28 2020-12-11 苏州浪潮智能科技有限公司 Method, program and medium for automatically updating certificate based on HTTPS protocol web application
CN112073401B (en) * 2020-08-28 2022-05-10 苏州浪潮智能科技有限公司 Method, program and medium for automatically updating certificate based on HTTPS (Hypertext transfer protocol secure) protocol web application

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20181113)