CN112953932A - Identity authentication gateway integration design method and system based on CA certificate - Google Patents


Info

Publication number: CN112953932A
Authority: CN (China)
Prior art keywords: gateway, identity authentication, load balancing, devices, application
Legal status: Granted; currently Active
Application number: CN202110179636.7A
Other languages: Chinese (zh)
Other versions: CN112953932B (en)
Inventors: 霍瑞才, 黄威, 何士炜
Current assignee: China Shipbuilding It Corp ltd
Original assignee: China Shipbuilding It Corp ltd
Application filed by China Shipbuilding It Corp ltd; priority to CN202110179636.7A; published as CN112953932A; application granted and published as CN112953932B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers

Abstract

The invention relates to the technical field of identity authentication gateways and discloses a CA certificate-based identity authentication gateway integrated design method and integrated system. The method comprises an identity authentication gateway design method and a load balancing design method. In the identity authentication gateway design method, the identity authentication gateway is deployed as a cluster of a plurality of gateway devices and provides security services to all network users when they access an application system. The load balancing design method integrates two gateway load balancing devices at the front end of the plurality of gateway devices and two application load balancing devices at their rear end, so that identity authentication access requests are shared effectively. By deploying the identity authentication gateway as a cluster and introducing a load balancing mechanism, the invention solves the performance, stability and single-point-of-failure problems of the identity authentication gateway, improves the resource utilization of the identity authentication gateway equipment, and ensures the security, high availability and stability of the information system's operation.

Description

Identity authentication gateway integration design method and system based on CA certificate
Technical Field
The invention relates to the technical field of identity authentication gateway integration, in particular to a CA certificate-based identity authentication gateway integration design method and integration system.
Background
As the number of enterprise application systems and users keeps growing, and concurrent access volume and data volume keep rising, a single identity authentication gateway carries performance and single-point-of-failure risks and cannot meet future business requirements. Once the service of the active authentication gateway device is interrupted for performance reasons, all authentication requests are transferred at once to the standby gateway device, which within a certain time is itself interrupted by the excessive access pressure. The dual-machine hot-standby deployment mode therefore only addresses the high availability of the authentication gateway and does not effectively resolve the performance bottleneck. A new integrated design method for the identity authentication gateway is therefore needed to better meet the identity authentication requirements of current services.
Disclosure of Invention
The invention provides a CA certificate-based identity authentication gateway integration design method and integration system that solve the problems of the prior art.
The invention provides a CA certificate-based identity authentication gateway integrated design method comprising an identity authentication gateway design method and a load balancing design method. In the identity authentication gateway design method, the identity authentication gateway is deployed as a cluster of a plurality of gateway devices; it is based on a CA digital certificate authentication system, uses hardware feature code identification to authenticate the authentication requests sent by access terminal devices, and provides a plurality of security services to all network users accessing an application system through the identity authentication gateway. In the load balancing design method, two gateway load balancing devices at the front end of the plurality of gateway devices and two application load balancing devices at the rear end of the plurality of gateway devices are integrated so that identity authentication access requests are shared effectively; both pairs of load balancing devices are deployed in the main path, with a dual-active mode between the two gateway load balancing devices and a dual-active mode between the two application load balancing devices.
Further, the plurality of security services include unified identity authentication, access control and/or single sign-on.
Further, providing a plurality of security services to all network users accessing the application system through the identity authentication gateway comprises the following steps:
S1) the user accesses the URL of the identity authentication gateway through a browser and logs in to the identity authentication gateway with a USBKey cryptographic token, thereby submitting an authentication request;
S2) the gateway load balancing device polls the authentication request to one of the gateway devices according to the load balancing strategy, and the identity authentication gateway synchronizes the user's request session to all gateway devices in the cluster configuration through the cluster service configuration;
S3) the gateway device that receives the authentication request requires the user to present the CA certificate for signature verification; the user enters the certificate PIN code in the pop-up box of the browser web page, and the identity authentication gateway reads the certificate information and performs user identity authentication; if the user identity authentication is verified successfully, proceed to step S4); if not, return to step S1);
S4) after the user identity authentication is verified successfully, a communication link to the proxied application system is opened, and the identity authentication gateway sends the authenticated CA certificate information and the authentication-passed information to the proxied application system through the application load balancing devices at the rear end of the plurality of gateway devices;
S5) upon receiving the certificate information and the authentication-passed information sent by the identity authentication gateway, the proxied application system opens the corresponding page to the user according to the user's authority, and the user performs single sign-on through that page.
Further, in step S5), the proxied application system also maintains the user's session information through a secure Cookie mechanism, so the user does not need to authenticate again when logging in to the application system.
Further, integrating two gateway load balancing devices at the front end of the plurality of gateway devices to share identity authentication access requests effectively comprises: configuring the identity authentication gateway's authentication port and application access port addresses as real services on the gateway load balancing devices, adding the real services to a real service group, and then configuring an externally facing virtual service over the real service group; the gateway load balancing devices balance load across the identity authentication gateway devices at their rear end through a virtual IP address, receive user authentication requests, and send each request to one rear-end gateway device by a polling algorithm. The gateway load balancing devices detect the state of the gateway devices through a health detection mechanism and, when a gateway device is detected to be abnormal, automatically remove it from the polling nodes. Through a session holding mechanism, the gateway load balancing devices ensure that a user reaches the same gateway device within the session holding time. The two gateway load balancing devices ensure zero interruption of service through a dual-active mode. The two network ports of each gateway device in the identity authentication gateway cluster configuration are connected to the two gateway load balancing devices respectively; both ports work at the same time, transmitting and receiving data simultaneously. When one network port of a gateway device fails, the gateway load balancing device sends data to the other network port of that gateway device through the detection mechanism.
Further, integrating two application load balancing devices at the rear end of the plurality of gateway devices to share identity authentication access requests effectively comprises: the identity authentication gateway sends the authenticated CA certificate information and the authentication-passed information to one of the plurality of proxied application systems through the application load balancing devices at the rear end of the plurality of gateway devices; the application load balancing devices send the CA certificate information and the authentication-passed information to one of the plurality of proxied application systems by a polling algorithm, ensure through a session holding mechanism that a user reaches the same application system within the session holding time, and monitor the health of the plurality of proxied application systems in real time; when any one of the proxied application systems fails, the application load balancing devices switch the user's access requests to another normal application system in real time.
Further, the identity authentication gateway has a main-path authentication working mode and a bypass authentication working mode; the application systems used in the main-path authentication working mode include a comprehensive management platform, a business and property integration platform and/or office automation; the application system used in the bypass authentication working mode includes a NAS network disk system.
Further, the two gateway load balancing devices at the front end of the plurality of gateway devices and the two application load balancing devices at their rear end are deployed in the main path, and the application systems used in the main-path deployment include a comprehensive management platform, a business and property integration platform and/or office automation.
Further, the CA digital certificate authentication system is located on a CA certificate server that is deployed in a secure area according to the network hierarchical domain principle; the hardware feature code identification includes the MAC address and the hard disk serial number; and a real service includes a server address, a server port, a service type, an application access control rule and a server role.
In another aspect, the invention provides a CA certificate-based identity authentication gateway integration system comprising a plurality of access terminal devices, two gateway load balancing devices, an identity authentication gateway cluster, two application load balancing devices, a plurality of application area servers and a CA certificate server. The identity authentication gateway cluster comprises a plurality of gateway devices; the plurality of access terminal devices are connected to the two gateway load balancing devices in sequence through a plurality of network devices, which comprise a plurality of access layer switches, a plurality of core layer switches and a firewall; the plurality of gateway devices are each connected to the two application load balancing devices; the two application load balancing devices are each connected to the plurality of application area servers through a plurality of application area switches; each application area server comprises a plurality of proxied application systems; and the CA certificate server comprises the CA digital certificate authentication system and is deployed in a secure area according to the network hierarchical domain principle.
The beneficial effects of the invention are as follows. The invention provides a method for deploying identity authentication gateways as a cluster, integrating gateway load balancing devices at the front end of the gateways and application load balancing devices at their rear end so that identity authentication access requests are shared effectively. By expanding the capacity of the existing gateway, the invention solves the performance, stability and single-point-failure problems of the identity authentication gateway, strengthens the secure operation guarantee of the information system, and effectively improves its security, high availability and stability; by clustering the existing gateway, the invention relieves the load on the application systems, reduces the probability of service interruption caused by excessive load, and improves the extensibility of the application system deployment architecture; by introducing a load balancing mechanism, the network architecture is further optimized, the resource utilization of the identity authentication gateway is improved, and fast and stable user access is ensured; and through the detection mechanism, the invention switches from a failed gateway device to a normal one, thereby avoiding a single point of failure in the gateway devices.
Drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly described below. The drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart illustrating how an identity authentication gateway provides a plurality of security services according to a first embodiment of the present invention.
Fig. 2 is a schematic flow chart of the user access integrated management platform according to the first embodiment.
Fig. 3 is a schematic structural diagram of an identity authentication gateway integrated system based on a CA certificate according to the first embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the invention, are intended for purposes of illustration only and are not intended to limit the scope of the invention. It is noted that the terms "comprises" and "comprising," and any variations thereof, in the description and claims of the present invention and the above-described drawings are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of elements is not necessarily limited to those elements, but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
The identity authentication gateway integrated design method comprises an identity authentication gateway design method and a load balancing design method. The identity authentication gateway is deployed as a cluster of a plurality of gateway devices, is based on a CA digital certificate authentication system, uses hardware feature code identification to authenticate the authentication requests sent by access terminal devices, and provides a plurality of security services to all network users accessing an application system through the identity authentication gateway. In the load balancing design method, two gateway load balancing devices at the front end of the plurality of gateway devices and two application load balancing devices at their rear end are integrated so that identity authentication access requests are shared effectively; both pairs are deployed in the main path, with a dual-active mode between the two gateway load balancing devices and a dual-active mode between the two application load balancing devices.
The plurality of security services include identity authentication, access control and/or single sign-on. Single sign-on means that, among a plurality of application systems, a user logs in only once to access all mutually trusting application systems.
A single identity authentication gateway delivers 3400 new connections, 20000 concurrent connections and 840M throughput. The future target performance of the existing network is 10000 new connections, 60000 concurrent connections and 3000M throughput. With four gateway devices deployed as a cluster, the identity authentication gateway reaches 13600 new connections, 80000 concurrent connections and 3360M throughput. On the basis of the CA certificate authentication system, the identity authentication gateway provides unified security services such as identity authentication, access control and single sign-on to all network users accessing the application system through it. The identity authentication gateway has two working modes, main path and bypass. It supports CA digital certificate authentication and uses hardware feature code identification to authenticate the access terminal devices.
Providing a plurality of security services to all network users accessing an application system through the identity authentication gateway, as shown in fig. 1, comprises the following steps:
S1) the user accesses the URL of the identity authentication gateway through a browser and logs in to the identity authentication gateway with a USBKey cryptographic token, thereby submitting an authentication request;
S2) the gateway load balancing device polls the authentication request to one of the gateway devices according to the load balancing strategy, and the identity authentication gateway synchronizes the user's request session to all gateway devices in the cluster configuration through the cluster service configuration;
S3) the gateway device that receives the authentication request requires the user to present the CA certificate for signature verification; the user enters the certificate PIN code in the pop-up box of the browser web page, and the identity authentication gateway reads the certificate information and performs user identity authentication; if the user identity authentication is verified successfully, proceed to step S4); if not, return to step S1);
S4) after the user identity authentication is verified successfully, a communication link to the proxied application system is opened, and the identity authentication gateway sends the authenticated CA certificate information and the authentication-passed information to the proxied application system through the application load balancing devices at the rear end of the plurality of gateway devices;
S5) upon receiving the certificate information and the authentication-passed information sent by the identity authentication gateway, the proxied application system opens the corresponding page to the user according to the user's authority.
In step S5), the proxied application system also maintains the user's session information through the secure Cookie mechanism, so the user does not need to authenticate again when logging in to the application system.
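As an added illustration of steps S1 to S4 (not code from the patent or its assignee), the following Go program builds a throw-away CA and client certificate in place of the CA certificate server, verifies the certificate chain, the PIN unlock and the MAC address plus hard-disk serial number feature code on one gateway device, and writes the session into a table shared by every node in the cluster so that a second node can return the authentication-passed information. The user name "zhangsan", the enrolment table and the layout of the shared session table are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"strings"
	"time"
)

// issueCert signs tmpl with signer; parent == nil yields a self-signed CA certificate.
func issueCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// BuildPKI constructs a throw-away CA plus a client certificate for the sample user "zhangsan";
// it stands in for the CA certificate server that the page places in the secure area.
func BuildPKI() (ca, user *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t0, t1 := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca = issueCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: t0, NotAfter: t1, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}, nil, &caKey.PublicKey, caKey)
	user = issueCert(&x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "zhangsan"},
		NotBefore: t0, NotAfter: t1, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, &userKey.PublicKey, caKey)
	return ca, user
}

// AuthRequest is what the access terminal presents at steps S1 and S3.
type AuthRequest struct {
	Cert        *x509.Certificate
	PINAccepted bool   // the USBKey accepted the certificate PIN typed into the browser pop-up
	MAC, DiskSN string // hardware feature codes: MAC address and hard-disk serial number
}

// Gateway is one gateway device. Cluster is the session table that step S2 keeps identical on
// every node (all nodes share one map here); Enrolled is an assumed table of feature code -> user.
type Gateway struct {
	Roots    *x509.CertPool
	Enrolled map[string]string
	Cluster  map[string]string // session id -> authenticated user
}

// FeatureCode derives the terminal identifier from the MAC address and hard-disk serial number.
func FeatureCode(mac, diskSN string) string {
	sum := sha256.Sum256([]byte(strings.ToUpper(mac) + "|" + diskSN))
	return hex.EncodeToString(sum[:8])
}

// Authenticate is step S3: PIN unlock, CA chain verification and terminal binding must all pass;
// only then is a session created and written to the cluster-wide table.
func (g *Gateway) Authenticate(req AuthRequest) (sessionID string, err error) {
	if !req.PINAccepted {
		return "", errors.New("certificate PIN rejected")
	}
	opts := x509.VerifyOptions{Roots: g.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err = req.Cert.Verify(opts); err != nil {
		return "", errors.New("CA verification failed: " + err.Error())
	}
	user := req.Cert.Subject.CommonName
	if g.Enrolled[FeatureCode(req.MAC, req.DiskSN)] != user {
		return "", errors.New("terminal not enrolled for " + user)
	}
	raw := make([]byte, 16)
	rand.Read(raw)
	sessionID = hex.EncodeToString(raw)
	g.Cluster[sessionID] = user
	return sessionID, nil
}

// PassInfo is what step S4 forwards through the application load balancer: the authenticated
// certificate subject and the "authentication passed" flag. Because the table is cluster-wide,
// any gateway device the load balancer selects next can answer for a session another node created.
func (g *Gateway) PassInfo(sessionID string) (user string, passed bool) {
	user, passed = g.Cluster[sessionID]
	return user, passed
}
```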
Integrating two gateway load balancing devices at the front end of the plurality of gateway devices to share identity authentication access requests effectively comprises: configuring the identity authentication gateway's authentication port and application access port addresses as real services on the gateway load balancing devices, adding the real services to a real service group, and then configuring an externally facing virtual service over the real service group; the gateway load balancing devices balance load across the identity authentication gateway devices at their rear end through a virtual IP address, receive user authentication requests, and send each request to one rear-end gateway device by a polling algorithm. The gateway load balancing devices detect the state of the gateway devices through a health detection mechanism and, when a gateway device is detected to be abnormal, automatically remove it from the polling nodes. Through a session holding mechanism, the gateway load balancing devices ensure that a user reaches the same gateway device within the session holding time. The two gateway load balancing devices ensure zero interruption of service through a dual-active mode. The two network ports of each gateway device in the identity authentication gateway cluster configuration are connected to the two gateway load balancing devices respectively; both ports work at the same time, transmitting and receiving data simultaneously. When one network port of a gateway device fails, the gateway load balancing device sends data to the other network port of that gateway device through the detection mechanism.
Integrating two application load balancing devices at the rear end of the plurality of gateway devices to share identity authentication access requests effectively comprises: the identity authentication gateway sends the authenticated CA certificate information and the authentication-passed information to one of the plurality of proxied application systems through the application load balancing devices at the rear end of the plurality of gateway devices; the application load balancing devices send the CA certificate information and the authentication-passed information to one of the plurality of proxied application systems by a polling algorithm, ensure through a session holding mechanism that a user reaches the same application system within the session holding time, and monitor the health of the plurality of proxied application systems in real time; when any one of the proxied application systems fails, the application load balancing devices switch the user's access requests to another normal application system in real time.
The session holding time is set to 10 minutes. The gateway load balancing devices and the application load balancing devices have 10-gigabit throughput, and the gateway devices in the identity authentication gateway have gigabit throughput. The identity authentication gateway has a main-path authentication working mode and a bypass authentication working mode; the application systems used in the main-path authentication working mode include a comprehensive management platform, a business and property integration platform and/or office automation; the application system used in the bypass authentication working mode includes a NAS network disk system.
The two gateway load balancing devices at the front end of the plurality of gateway devices and the two application load balancing devices at their rear end are deployed in the main path, and the application systems used in the main-path deployment include a comprehensive management platform, a business and property integration platform and/or office automation.
The CA digital certificate authentication system is located on a CA certificate server that is deployed in a secure area according to the network hierarchical domain principle; the hardware feature code identification includes the MAC address and the hard disk serial number; and a real service includes a server address, a server port, a service type, an application access control rule and a server role.
In another aspect, an embodiment of the present invention provides a CA certificate-based identity authentication gateway integration system, as shown in fig. 3, comprising a plurality of access terminal devices, two gateway load balancing devices, an identity authentication gateway cluster, two application load balancing devices, a plurality of application area servers and a CA certificate server. The identity authentication gateway cluster comprises a plurality of gateway devices; the plurality of access terminal devices are connected to the two gateway load balancing devices in sequence through a plurality of network devices, which comprise a plurality of access layer switches, a plurality of core layer switches and a firewall; the plurality of gateway devices are each connected to the two application load balancing devices; the two application load balancing devices are each connected to the plurality of application area servers through the plurality of application area switches; each application area server comprises a plurality of proxied application systems; and the CA certificate server comprises the CA digital certificate authentication system and is deployed in a secure area according to the network hierarchical domain principle.
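The polling, health detection, session holding (with the 10-minute hold time) and dual-port failover behaviour of the gateway and application load balancing devices described in the two paragraphs above, as an added simulation that is not code from the patent or its assignee. The RealService and VirtualService names, the health probe callback and the injectable clock are assumptions; the Route function goes beyond the page in chaining the two load balancing tiers for one session.

```go
package main

import (
	"errors"
	"time"
)

// RealService is one node in a real service group: a gateway device behind the gateway load
// balancer, or a proxied application behind the application load balancer. The two network
// ports model the dual connection of each gateway device to the two load balancing devices.
type RealService struct {
	Name    string
	Ports   [2]bool // port 0 and port 1 carrying traffic (true = link up)
	Healthy bool    // outcome of the last health detection
}

// Up reports whether the node can still take traffic: healthy and at least one port up.
func (r *RealService) Up() bool { return r.Healthy && (r.Ports[0] || r.Ports[1]) }

// ActivePort is the port the load balancer sends to; when one port fails the other is used.
func (r *RealService) ActivePort() int {
	if r.Ports[0] {
		return 0
	}
	return 1
}

type stickyEntry struct {
	node    *RealService
	expires time.Time
}

// VirtualService is the externally published virtual IP that fronts a real service group.
type VirtualService struct {
	VIP      string
	Group    []*RealService
	HoldTime time.Duration          // session holding time; the page sets it to 10 minutes
	Clock    func() time.Time       // injectable clock so hold-time expiry can be tested
	next     int                    // polling (round-robin) cursor
	sticky   map[string]stickyEntry // session id -> node pinned by the session holding mechanism
}

func NewVirtualService(vip string, group []*RealService, hold time.Duration) *VirtualService {
	return &VirtualService{VIP: vip, Group: group, HoldTime: hold, Clock: time.Now, sticky: map[string]stickyEntry{}}
}

// HealthCheck runs the detection mechanism over the group with the supplied probe (an assumed
// interface to the device's health check); abnormal nodes leave the polling rotation and
// recovered nodes rejoin it automatically.
func (v *VirtualService) HealthCheck(probe func(*RealService) bool) {
	for _, r := range v.Group {
		r.Healthy = probe(r)
	}
}

// Dispatch selects the node for one request. A session still inside its hold time stays on the
// node it was pinned to unless that node is no longer up, in which case the request is moved to
// the next healthy node in polling order; new sessions are polled across the healthy nodes.
func (v *VirtualService) Dispatch(sessionID string) (node *RealService, port int, err error) {
	now := v.Clock()
	if e, ok := v.sticky[sessionID]; ok && now.Before(e.expires) && e.node.Up() {
		return e.node, e.node.ActivePort(), nil
	}
	for i := 0; i < len(v.Group); i++ {
		r := v.Group[(v.next+i)%len(v.Group)]
		if r.Up() {
			v.next = (v.next + i + 1) % len(v.Group)
			v.sticky[sessionID] = stickyEntry{node: r, expires: now.Add(v.HoldTime)}
			return r, r.ActivePort(), nil
		}
	}
	return nil, 0, errors.New("no healthy node behind " + v.VIP)
}

// Path is the route one authenticated request takes through the two load balancing tiers.
type Path struct {
	Gateway, App *RealService
	GatewayPort  int
}

// Route chains the gateway tier and the application tier for one user session: the gateway
// load balancer picks a gateway device, and the application load balancer then picks the
// proxied application system that receives the certificate and authentication-passed information.
func Route(gwVIP, appVIP *VirtualService, sessionID string) (Path, error) {
	gw, port, err := gwVIP.Dispatch(sessionID)
	if err != nil {
		return Path{}, err
	}
	app, _, err := appVIP.Dispatch(sessionID)
	if err != nil {
		return Path{}, err
	}
	return Path{Gateway: gw, App: app, GatewayPort: port}, nil
}
```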
In this embodiment, the application system adopted in the main authentication operating mode when the user accesses the application system through the identity authentication gateway and the gateway load balancing is a comprehensive management platform, and the whole flow is as shown in fig. 2, and includes the following steps:
(1) the user accesses the URL of the identity authentication gateway through a browser;
(2) the user request arrives at the gateway load balancing device, which forwards it to one of the identity authentication gateways according to the preset load strategy;
(3) the gateway load balancing device monitors the health of each identity authentication gateway in real time, so that a failed gateway is detected promptly and the user's requests are switched to a healthy identity authentication gateway;
(4) the identity authentication gateway selected by the load balancing strategy receives the access request and requires the user to present a digital certificate; the user enters the certificate PIN code in the pop-up box of the web page, the identity authentication gateway reads the certificate information and authenticates the user, and after authentication succeeds the gateway portal is displayed and the user clicks the link for the comprehensive management platform system;
(5) the gateway passes the authenticated traffic (the authentication pass information) to the application load balancing device, which forwards it to one of the comprehensive management platform systems according to the preset load strategy (for example, with three sets deployed, any one of comprehensive management platform 1, 2 or 3);
(6) the application load balancing device monitors the health of the comprehensive management platform systems in real time, so that a failed platform is detected promptly and the user's requests are switched to a healthy comprehensive management platform system;
(7) after receiving the certificate information and the authentication pass information forwarded by the gateway, the comprehensive management platform system opens the corresponding pages to the user according to the user's permissions;
(8) at the end of the process, the user has logged in to the comprehensive management platform system with a certificate.
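The flow above, as an added worked example that is not code from the patent or its applicant (it also covers steps S1) to S5) of claim 3, the secure cookie of claim 4 and the hardware feature code of claims 1 and 9 below): a Go program in which an in-memory CA issues a user certificate bound to a hardware feature code (a hash over the MAC address and hard disk serial; the field it is carried in and the hash are assumptions), the gateway verifies the certificate chain, its client-authentication usage and the hardware binding as in step (4), and forwards the certificate information and authentication pass information to the application as a signed assertion (step (5)), which the application checks before opening pages and setting its session cookie (step (7)). The HMAC key shared between gateway and application is an assumption: the patent only says the gateway sends certificate and pass information, and an application that accepted that information without checking its origin would accept it equally from anyone who can reach the application area switches. The PIN entry and the proof of possession of the private key (the TLS client-authentication handshake the USBKey performs) happen before this code and are not modelled. The user name and hardware identifiers are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert generates a P-256 key and a certificate for it; a nil parent means self-signed.
func makeCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// hardwareFingerprint derives the hardware feature code of claim 9 from the MAC
// address and hard disk serial; the separator and hash are this example's choice.
func hardwareFingerprint(mac, diskSerial string) string {
	sum := sha256.Sum256([]byte(mac + "|" + diskSerial))
	return hex.EncodeToString(sum[:])
}

// newCA stands in for the CA certificate server: a self-signed root whose key lives in memory (example only).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	return makeCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// issueUserCert binds the user certificate to a hardware fingerprint through the
// OrganizationalUnit field (assumption: the patent does not say where the feature
// code is carried). The user's private key would live on the USBKey; it is discarded here.
func issueUserCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, user, fingerprint string) *x509.Certificate {
	cert, _ := makeCert(&x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:   pkix.Name{CommonName: user, OrganizationalUnit: []string{"hw:" + fingerprint}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, caCert, caKey)
	return cert
}

// Assertion is the "certificate information and authentication pass information"
// the gateway forwards. Its MAC, under a key shared by gateway and application
// (an assumption, not in the patent), lets the application reject assertions
// injected by anyone else who can reach it.
type Assertion struct {
	User, Serial string
	Expires      int64
	MAC          string
}

func assertionMAC(key []byte, a Assertion) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%s|%s|%d", a.User, a.Serial, a.Expires)
	return hex.EncodeToString(m.Sum(nil))
}

// gatewayAuthenticate is step (4): the certificate must chain to the CA, be valid
// for client authentication now, and match the hardware the request came from.
func gatewayAuthenticate(caCert *x509.Certificate, hmacKey []byte, cert *x509.Certificate, mac, disk string, now time.Time) (Assertion, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return Assertion{}, fmt.Errorf("certificate not trusted: %w", err)
	}
	if ou := cert.Subject.OrganizationalUnit; len(ou) != 1 || ou[0] != "hw:"+hardwareFingerprint(mac, disk) {
		return Assertion{}, errors.New("hardware feature code does not match certificate")
	}
	a := Assertion{User: cert.Subject.CommonName, Serial: cert.SerialNumber.String(), Expires: now.Add(5 * time.Minute).Unix()}
	a.MAC = assertionMAC(hmacKey, a)
	return a, nil
}

// applicationAccept is step (7): the application trusts the identity only after
// checking MAC and expiry, then issues the secure session cookie of claim 4.
func applicationAccept(hmacKey []byte, a Assertion, now time.Time) (*http.Cookie, error) {
	if !hmac.Equal([]byte(assertionMAC(hmacKey, a)), []byte(a.MAC)) {
		return nil, errors.New("assertion MAC invalid")
	}
	if now.Unix() > a.Expires {
		return nil, errors.New("assertion expired")
	}
	sid := make([]byte, 16)
	if _, err := rand.Read(sid); err != nil {
		return nil, err
	}
	return &http.Cookie{Name: "SESSION", Value: hex.EncodeToString(sid), Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteStrictMode}, nil
}

func main() {
	caCert, caKey := newCA()
	mac, disk := "00:11:22:33:44:55", "WD-WX11A12B3C4D" // constructed sample hardware identifiers
	userCert := issueUserCert(caCert, caKey, "zhangsan", hardwareFingerprint(mac, disk))
	key := []byte("gateway-application-shared-secret") // assumption: provisioned out of band
	a, err := gatewayAuthenticate(caCert, key, userCert, mac, disk, time.Now())
	check(err)
	cookie, err := applicationAccept(key, a, time.Now())
	check(err)
	fmt.Println("authenticated", a.User, "->", cookie.String())
}
```

The gateway fails closed when the certificate chains to a different CA, has expired, or was issued for other hardware, and the application rejects an assertion whose MAC was computed under another key, was altered in transit, or has passed its expiry. In a real deployment the gateway-to-application hop is more usually mutual TLS or a signed token with a per-application key; the point the patent text leaves implicit is that the application must verify the gateway's claim rather than merely receive it.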
Adopting the technical scheme of the invention yields the following beneficial effects:
The invention deploys the identity authentication gateway as a cluster and integrates gateway load balancing devices in front of the gateway and application load balancing devices behind it, so that identity authentication access requests are shared effectively. By clustering the identity authentication gateway and introducing a load balancing mechanism, the invention resolves the performance, stability and single-point-of-failure problems of the identity authentication gateway, raises the utilization of the gateway devices, and ensures the security, high availability and stability of the information system.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that it will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and such modifications and improvements should also be considered within the scope of the present invention.

Claims (10)

1. An identity authentication gateway integrated design method based on a CA certificate, characterized by comprising an identity authentication gateway design method and a load balancing design method, wherein in the identity authentication gateway design method the identity authentication gateway is deployed as a cluster of a plurality of gateway devices, relies on a CA digital certificate authentication system, authenticates the authentication requests sent by access terminal devices using a hardware feature code identifier, and provides a plurality of security services to all network users accessing application systems through the identity authentication gateway; and the load balancing design method integrates two gateway load balancing devices in front of the plurality of gateway devices and two application load balancing devices behind them so that identity authentication access requests are shared effectively, both pairs being deployed in the main path, the two gateway load balancing devices operating in dual-active mode and the two application load balancing devices operating in dual-active mode.
2. The method of claim 1, wherein the plurality of security services comprise unified identity authentication, access control and/or single sign-on.
3. The method of claim 1 or 2, wherein providing the plurality of security services to network users accessing the application system through the identity authentication gateway comprises the following steps:
S1) the user accesses the URL of the identity authentication gateway through a browser, logs in to the identity authentication gateway with a cryptographic USB key (USBKey), and submits an authentication request;
S2) the gateway load balancing device forwards the authentication request by round-robin (polling) to one of the gateway devices, and the identity authentication gateway synchronizes the user's request session to all gateway devices in the cluster through the cluster service configuration;
S3) the gateway device that receives the authentication request requires the user to present the CA certificate for signature verification; the user enters the certificate PIN code in the pop-up box of the browser page, and the identity authentication gateway reads the certificate information and authenticates the user; if authentication succeeds, proceed to step S4), otherwise return to step S1);
S4) after the user has been authenticated, a communication link to the proxied application system is opened, and the identity authentication gateway sends the verified CA certificate information and the authentication pass information to the proxied application system through the application load balancing devices behind the plurality of gateway devices;
S5) on receiving the certificate information and the authentication pass information sent by the identity authentication gateway, the proxied application system opens the corresponding pages to the user according to the user's permissions, and the user is single-signed-on through those pages.
4. The method of claim 3, wherein step S5) further comprises the proxied application system maintaining the user's session information through a secure Cookie mechanism, so that the user need not authenticate again when logging in to the application system.
5. The method of claim 1 or 4, wherein the two gateway load balancing devices integrated in front of the plurality of gateway devices share identity authentication access requests as follows: the authentication port and the application access port address of the identity authentication gateway are each configured as a real service of the gateway load balancing device, the real services are added to a real service group, and an externally facing virtual service is configured on that group; the gateway load balancing device balances load across the identity authentication gateway devices behind it through a virtual IP address and, on receiving a user authentication request, sends it to one backend gateway device by a round-robin (polling) algorithm; the gateway load balancing device checks the state of each gateway device through a health detection mechanism and, when a gateway device is detected to be abnormal, automatically removes it from the round-robin nodes; a session holding mechanism ensures that a user reaches the same gateway device within the session hold time; the two gateway load balancing devices keep the service uninterrupted through dual-active mode; the two network ports of each gateway device in the cluster are connected to the two gateway load balancing devices respectively, both ports working and carrying traffic simultaneously; and when one network port of a gateway device fails, the gateway load balancing device detects this and sends data to the other network port of that gateway device.
6. The method of claim 5, wherein the two application load balancing devices integrated behind the plurality of gateway devices share identity authentication access requests as follows: the identity authentication gateway sends the verified CA certificate information and the authentication pass information to one of a plurality of proxied application systems through the application load balancing devices; the application load balancing device selects that application system by a round-robin (polling) algorithm, ensures through a session holding mechanism that a user reaches the same application system within the session hold time, and monitors the health of the proxied application systems in real time; and when any one of the proxied application systems fails, the application load balancing device switches the user's access requests to a healthy application system in real time.
7. The method of claim 6, wherein the identity authentication gateway operates in a main-path authentication mode and a bypass authentication mode; the application systems used in the main-path authentication mode comprise a comprehensive management platform, a business-finance integration platform and/or office automation; and the application system used in the bypass authentication mode comprises a NAS network disk system.
8. The method of claim 7, wherein the two gateway load balancing devices in front of the plurality of gateway devices and the two application load balancing devices behind them are deployed in the main path, and the application systems in the main-path deployment comprise a comprehensive management platform, a business-finance integration platform and/or office automation.
9. The method of claim 5, wherein the CA digital certificate authentication system resides on a CA certificate server deployed in a security zone in accordance with the network zoning (hierarchical domain) principle; the hardware feature code identifier comprises a MAC address and a hard disk serial number; and a real service comprises a server address, a server port, a service type, an application access control rule and a server role.
10. An identity authentication gateway integration system based on a CA certificate, using the method of any one of claims 1 to 9, characterized by comprising a plurality of access terminal devices, two gateway load balancing devices, an identity authentication gateway cluster, two application load balancing devices, a plurality of application area servers and a CA certificate server, wherein the identity authentication gateway cluster comprises a plurality of gateway devices; the access terminal devices are connected to the two gateway load balancing devices through a chain of network devices comprising a plurality of access layer switches, a plurality of core layer switches and a firewall; each gateway device is connected to both application load balancing devices; the two application load balancing devices are connected to the application area servers through a plurality of application area switches; each application area server hosts a plurality of proxied application systems; and the CA certificate server comprises the CA digital certificate authentication system and is deployed in a security zone in accordance with the network zoning (hierarchical domain) principle.
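Claims 5 and 6, like steps (2), (3), (5) and (6) of the embodiment, describe one scheduler twice: a real service group behind a virtual service, round-robin (polling) selection, health detection that removes failed members and readmits recovered ones, and session holding that pins a user to one member for the hold time. The following Go type is an added example of that logic, not the patent's or any load balancer vendor's code; the session key (a source address or a cookie the balancer inserts), the probe function and the member addresses are assumptions, and the sample members in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// RealService is one member of the load balancer's real service group. Claim 9
// lists address, port, type, access rule and role; only what scheduling needs
// is modelled here.
type RealService struct {
	Addr    string
	Healthy bool
}

type session struct {
	member   *RealService
	lastSeen time.Time
}

// Pool is the virtual service in front of the group: round-robin (polling) over
// healthy members plus a session hold table keyed by the client's session key
// (assumption: a source address or a cookie the balancer inserts).
type Pool struct {
	mu       sync.Mutex
	members  []*RealService
	next     int
	hold     time.Duration
	sessions map[string]session
}

func NewPool(hold time.Duration, addrs ...string) *Pool {
	p := &Pool{hold: hold, sessions: map[string]session{}}
	for _, a := range addrs {
		p.members = append(p.members, &RealService{Addr: a, Healthy: true})
	}
	return p
}

// Probe is the health detection mechanism of claims 5 and 6: every member is
// probed, failed members leave the rotation and recovered ones rejoin it.
func (p *Pool) Probe(probe func(addr string) bool) {
	p.mu.Lock()
	defer p.mu.Unlock()
	for _, m := range p.members {
		m.Healthy = probe(m.Addr)
	}
}

// Pick returns the member that serves sessionKey at time now. A held session is
// honoured only while it is inside the hold time and its member is healthy;
// otherwise the request goes to the next healthy member in turn.
func (p *Pool) Pick(sessionKey string, now time.Time) (string, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if s, ok := p.sessions[sessionKey]; ok {
		if s.member.Healthy && now.Sub(s.lastSeen) <= p.hold {
			p.sessions[sessionKey] = session{member: s.member, lastSeen: now}
			return s.member.Addr, nil
		}
		delete(p.sessions, sessionKey) // hold expired or member failed: reschedule
	}
	for i := 0; i < len(p.members); i++ {
		m := p.members[(p.next+i)%len(p.members)]
		if m.Healthy {
			p.next = (p.next + i + 1) % len(p.members)
			p.sessions[sessionKey] = session{member: m, lastSeen: now}
			return m.Addr, nil
		}
	}
	return "", errors.New("no healthy real service in the group")
}

func main() {
	p := NewPool(30*time.Second, "gw1:443", "gw2:443", "gw3:443")
	p.Probe(func(addr string) bool { return addr != "gw2:443" }) // gw2 fails its check
	for _, u := range []string{"u1", "u2", "u1"} {
		m, err := p.Pick(u, time.Now())
		fmt.Println(u, "->", m, err)
	}
}
```

Two points a practitioner checks on a deployment of this shape: the hold table is local to one balancer, so a dual-active pair must either share persistence state or derive the member deterministically from the key, or else a failover between the pair moves every held session; and keying persistence on source IP behind NAT pins a whole site to one gateway device, which defeats the sharing the claims set out to achieve.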

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110179636.7A CN112953932B (en) 2021-02-07 2021-02-07 Identity authentication gateway integration design method and system based on CA certificate

Publications (2)

Publication Number Publication Date
CN112953932A true CN112953932A (en) 2021-06-11
CN112953932B CN112953932B (en) 2022-12-20

Family

ID=76244897

Country Status (1)

Country Link
CN (1) CN112953932B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7386721B1 (en) * 2003-03-12 2008-06-10 Cisco Technology, Inc. Method and apparatus for integrated provisioning of a network device with configuration information and identity certification
CN101330494A (en) * 2007-06-19 2008-12-24 瑞达信息安全产业股份有限公司 Method for implementing computer terminal safety admittance based on credible authentication gateway
CN104468293A (en) * 2014-11-28 2015-03-25 国家信息中心 VPN accessing method
CN109672612A (en) * 2018-12-13 2019-04-23 中国电子科技集团公司电子科学研究院 API gateway system
CN110213246A (en) * 2019-05-16 2019-09-06 南瑞集团有限公司 A kind of wide area multiple-factor identity authorization system


Also Published As

Publication number Publication date
CN112953932B (en) 2022-12-20

Similar Documents

Publication Publication Date Title
US11190491B1 (en) Method and apparatus for maintaining a resilient VPN connection
US10581907B2 (en) Systems and methods for network access control
CN113949573B (en) Zero-trust service access control system and method
US10476906B1 (en) System and method for managing formation and modification of a cluster within a malware detection system
US7876712B2 (en) Overlay network infrastructure
US8850043B2 (en) Network security using trust validation
US20160337372A1 (en) Network system, controller and packet authenticating method
US20080222267A1 (en) Method and system for web cluster server
JP2004528609A (en) Inter-application communication with filtering
CN109271776A (en) Micro services system single-point logging method, server and computer readable storage medium
US20060224897A1 (en) Access control service and control server
US20220210130A1 (en) Method and apparatus for maintaining a resilient vpn connection
CN111818081B (en) Virtual encryption machine management method, device, computer equipment and storage medium
US7631179B2 (en) System, method and apparatus for securing network data
CN107454050B (en) Method and device for accessing network resources
CN112953932B (en) Identity authentication gateway integration design method and system based on CA certificate
CN112153050A (en) Active anti-intrusion big data network security equipment and anti-intrusion method
EP2196004B1 (en) Method for distributing requests to server computers
CN104753774B (en) A kind of distributed enterprise comprehensive access gate
CN202309766U (en) Online service system based on activity catalog verification
CN103001931A (en) Communication system of terminals interconnected among different networks
JP5345651B2 (en) Secure tunneling platform system and method
CN109451074B (en) Server load balancing processing method based on portal protocol
CN109039680B (en) Method and system for switching main Broadband Network Gateway (BNG) and standby BNG and BNG
CN115174361A (en) Information transmission method, system and device based on authentication gateway

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor after: Huo Ruicai, Huang Wei, He Shiwei, Sun Yahong
Inventor before: Huo Ruicai, Huang Wei, He Shiwei
GR01 Patent grant