CN116668034A - Connection system and method for data service object, electronic equipment and storage medium - Google Patents


Info

Publication number
CN116668034A
Authority
CN
China
Prior art keywords
connection
terminal
data service
configuration information
data
Prior art date
Legal status
Pending
Application number
CN202310596549.0A
Other languages
Chinese (zh)
Inventor
许俊禹
丁开生
邱海军
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/02 Standardisation; Integration
    • H04L 41/0246 Exchanging or transporting network management information using the Internet; Embedding network management web servers in network elements; Web-services-based protocols
    • H04L 41/0273 Exchanging or transporting network management information using the Internet; Embedding network management web servers in network elements; Web-services-based protocols using web services for network management, e.g. simple object access protocol [SOAP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiment of the application provides a data service object connection system, a data service object connection method, electronic equipment and a storage medium, and belongs to the technical field of data service. The connection system of the data service object comprises a data request terminal and a connection control terminal; the data request terminal is used for responding to the data request instruction to generate a terminal identity credential and sending the terminal identity credential to the connection control terminal; the connection control terminal is used for matching connection configuration information according to the terminal identity credentials and sending the matched connection configuration information to the data request terminal, wherein the connection configuration information comprises a target address, a target object account and a target object password; the data request terminal is used for sending a target object account and a target object password to the corresponding data service object according to the target address so as to enable the data service object to be connected with the data request terminal. The application can reduce the password leakage risk of the data service object of the user so as to improve the security of the connection between the client and the data service.

Description

Connection system and method for data service object, electronic equipment and storage medium
Technical Field
The present invention relates to the field of data service technologies, and in particular, to a system, a method, an electronic device, and a storage medium for connecting data service objects.
Background
With the development of cloud computing technology, more and more enterprise data is stored on third-party servers, and the security of user data depends on the process of connecting to the server operating system or to a database on the server. Data security covers the entire lifecycle of data: generation, collection, storage, transmission, processing, destruction and so on, and within it, ensuring secure access to servers is critical to the security of stored data.
Taking a database on a server as an example, securely accessing the database presupposes an account and a password that can connect to it. The account is a plaintext string assigned by the database administrator to a user who needs to connect to the database, serving as an identification ID, and the password is a string of plaintext characters. If the account is used by a natural person, for example an IT technician who needs to access the database directly for routine background database operations, the account and password are the responsibility of the person behind that identity ID; password changes and memorization are usually left to that individual, management is relatively simple, and password leakage occurs easily. However, if an application program accesses the database as a client, particularly in an environment with tens or hundreds of sets of various database management systems, security management of database account passwords is much more complex. The main reasons are that each application program separately stores the database account and password it requires, the application has mandatory requirements on password strength and password expiration time, and the database accounts and passwords stored in plaintext by each application are potential safety hazards. Even if a designated person periodically modifies the passwords and encrypts the plaintext passwords into ciphertext with a tool, every manual intervention increases the security risk of the passwords, including but not limited to: password disclosure, forgotten passwords, misoperation, omitted operations and the like.
In the password management modes currently adopted, in which users memorize passwords or application programs store them, each client obtains the account and password either from user input or from the application program's local storage, and then sends an access request containing the account and password directly to the server.
Disclosure of Invention
The embodiment of the invention mainly aims to provide a data service object connection system, a data service object connection method, electronic equipment and a storage medium, aiming at reducing the password leakage risk of a data service object of a user so as to improve the connection security of a client and a data service end.
A first aspect of an embodiment of the present invention provides a connection system for a data service object, where the connection system for a data service object includes a data request terminal and a connection control terminal;
the data request terminal is used for responding to a data request instruction to generate a terminal identity credential and sending the terminal identity credential to the connection control terminal;
the connection control terminal is used for matching connection configuration information according to the terminal identity credential and sending the matched connection configuration information to the data request terminal, wherein the connection configuration information comprises a target address, a target object account and a target object password;
the data request terminal is further used for sending the target object account and the target object password to the corresponding data service object according to the target address, so that the data service object and the data request terminal are connected.
In some embodiments, the data requesting terminal includes a dynamic credential generation module;
the dynamic credential generation module is used for calling an identity credential acquisition tool from the connection control terminal to acquire a terminal identity credential in response to a data request instruction, wherein the identity credential acquisition tool is used for:
collecting a first identifier of an application program sending a data request instruction and a second identifier of the data request terminal;
integrating the first identifier and the second identifier to obtain a terminal identity credential in a plaintext form;
and encrypting the terminal identity credential by adopting a first encryption algorithm to obtain the terminal identity credential in a ciphertext form.
In some embodiments, the connection control terminal includes a registration module for:
receiving a registration request from a data request terminal;
transmitting an identity credential collection tool to the data request terminal in response to the registration request, so that the data request terminal runs the identity credential collection tool to obtain a terminal identity credential;
and verifying the authority of the terminal identity credential for the data service object, and storing the verified terminal identity credential in association with the connection configuration information used to connect to the data service object.
In some embodiments, the connection control terminal further includes a connection configuration module for:
obtaining connection technology configuration information from a management terminal, wherein the connection technology configuration information comprises a target object identifier and connection technology configuration;
determining a corresponding data service object according to the target object identifier;
writing the connection technology configuration into connection configuration information associated with the data service object.
In some embodiments, the connection configuration information further includes a connection technology configuration, and the data request terminal further includes a connection establishment module, where the connection establishment module is configured to:
judging whether a corresponding connection technology tool exists locally according to the connection technology configuration;
when a corresponding connection technology tool exists locally, calling the connection technology tool from the local to establish connection with the data service object;
and when the corresponding connection technology tool does not exist locally, calling the connection technology tool from the connection control terminal to establish connection with the data service object.
In some embodiments, the connection control terminal includes a password update module for:
triggering and calling a password updating tool according to the timer of the connection configuration information so as to update the target object password in the connection configuration information.
A second aspect of an embodiment of the present invention provides a method for connecting a data service object, which is applied to a data request terminal of a data service object connection system according to the first aspect, where the method for connecting a data service object includes the following steps:
generating a terminal identity credential in response to the data request instruction;
the terminal identity certificate is sent to a connection control terminal to obtain connection configuration information, wherein the connection configuration information comprises a target address, a target object account number and a target object password;
and sending the target object account number and the target object password to the corresponding data service object according to the target address so as to establish connection with the data service object.
A third aspect of an embodiment of the present invention provides a connection method of a data service object, which is applied to a connection control terminal of a connection system of a data service object according to the first aspect, where the connection method of the data service object includes the following steps:
acquiring a terminal identity credential from a data request terminal;
matching connection configuration information according to the terminal identity credential, wherein the connection configuration information comprises a target address, a target object account and a target object password;
and sending the matched connection configuration information to the data request terminal, so that the data request terminal establishes a connection with the corresponding data service object according to the connection configuration information.
A fourth aspect of the embodiments of the present invention proposes an electronic device comprising a memory, a processor, a program stored on the memory and executable on the processor, and a data bus for enabling a connection communication between the processor and the memory, the program, when executed by the processor, implementing the connection method of the data service object according to the second or third aspect.
A fifth aspect of the embodiments of the present invention proposes a storage medium, which is a computer-readable storage medium, for computer-readable storage, the storage medium storing one or more programs executable by one or more processors to implement the method for connecting data service objects according to the second aspect or the third aspect.
The technical scheme of the invention has at least one of the following advantages or beneficial effects. In the connection system of the data service object, the connection configuration information needed to connect to the data service object is stored in the connection control terminal. When the data request terminal needs to access the data service object, it acquires its own terminal identity credential, obtains the connection configuration information from the connection control terminal by means of that credential, and then establishes the connection with the corresponding data service object using the connection configuration information. Compared with the mode in which the data request terminal stores the account and password of the data service object and connects to it directly, the invention uses the connection control terminal to manage all account passwords uniformly, and none of the data request terminals in the system stores account passwords locally, so the risk of password leakage for the data service object is reduced. In addition, the terminal identity credential is acquired dynamically when the data request terminal connects to the data service object, and the connection configuration information is requested from the connection control terminal by means of that credential, so the security of the connection between the client and the data service end is improved.
Drawings
FIG. 1 is a schematic diagram of a connection system for a data service object and of the process for establishing a connection with the data service object according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a database connection procedure based on the RADIUS protocol according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a database connection process according to another embodiment of the present invention;
FIG. 4 is a schematic diagram of a registration process of a data request terminal according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a database connection architecture according to an embodiment of the present invention;
FIG. 6 is a flowchart of a connection method of a data service object applied to a data request terminal according to an embodiment of the present invention;
FIG. 7 is a flowchart of a connection method of a data service object applied to a connection control terminal according to an embodiment of the present invention;
FIG. 8 is a flowchart of a connection method of a data service object applied to a connection control terminal according to another embodiment of the present invention;
FIG. 9 is a flowchart of a connection method of a data service object applied to a connection control terminal according to another embodiment of the present invention;
FIG. 10 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
It should be noted that although functional block division is performed in a device diagram and a logic sequence is shown in a flowchart, in some cases, the steps shown or described may be performed in a different order than the block division in the device, or in the flowchart. The terms first, second and the like in the description and in the claims and in the above-described figures, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein is for the purpose of describing embodiments of the invention only and is not intended to be limiting of the invention.
First, several terms used in the present invention are explained:
A database management system (DBMS) is large-scale software that manipulates and manages databases and is used to build, use and maintain them. It performs unified management and control of the database to ensure its security and integrity. Users access the data in the database through the DBMS, and the database administrator also performs database maintenance through the DBMS. It provides many functions that allow multiple applications and users to build, modify and query databases in different ways, either simultaneously or at different times. It lets users conveniently define and manipulate data, maintain the security and integrity of data, and perform concurrency control and recovery of databases under multiple users.
RADIUS is the most widely used AAA protocol. It is a client/server (C/S) protocol; its client was originally a NAS (Network Access Server), and any computer running RADIUS client software can become a RADIUS client. The NAS acts as the RADIUS client, providing access to remote access users and interacting with the RADIUS server. The RADIUS server stores users' identity information, authorization information and access records, and performs authentication, authorization and accounting for users. The user submits a user name and password to the RADIUS client; the RADIUS client does not perform authentication itself but forwards it to the RADIUS server, and after the RADIUS server passes the authentication, the RADIUS client is responsible for the user's access.
A data service object is a remote system that provides data service functions to an individual user or an application program, for example a database management system or an operating system built on a server. To access the database or the server operating system, the user needs to provide the corresponding database account and password, or the corresponding operating system account and password. Taking database access as an example, the user terminal sends the account and password to the corresponding database management system for authentication, and the connection is thereby established.
Referring to FIG. 2, in the process of establishing a database connection, the RADIUS protocol's ideas of "separating management control from service/access" and "centralized management control, distributed service/access" can be borrowed: the authentication function originally handled by the DBMS is handed over, while its other functions such as rights management and database connection are retained. That is, the DBMS is configured as a RADIUS client, and a control center is configured as a RADIUS server that performs authentication. The RADIUS client is responsible for forwarding the account and password information from the user or application program to the designated RADIUS server; the RADIUS server receives the user's authentication request, authenticates the user and returns user configuration information to the RADIUS client, which establishes the connection with the user according to that configuration. Although this improves the security of the connection process, the risk of password leakage remains high, the DBMS has to be modified, the scope of the changes is wide and the cost is high.
Drawing on the idea of the RADIUS protocol, the invention provides a connection system, a method, an electronic device and a storage medium for a data service object, aiming at reducing the password leakage risk of the data service object so as to improve the connection security between the client and the data service end without modifying the DBMS.
The embodiment of the invention provides a connection system of a data service object, which comprises a data request terminal and a connection control terminal;
the data request terminal is used for responding to the data request instruction to generate a terminal identity credential and sending the terminal identity credential to the connection control terminal;
the connection control terminal is used for matching connection configuration information according to the terminal identity credentials and sending the matched connection configuration information to the data request terminal, wherein the connection configuration information comprises a target address, a target object account and a target object password;
the data request terminal is used for sending a target object account and a target object password to the corresponding data service object according to the target address so as to enable the data service object to be connected with the data request terminal.
Referring to fig. 1, a process of establishing a connection between a data service object and a connection system based on a data service object is as follows:
S11, the data request terminal sends its terminal identity credential to the connection control terminal;
S12, the connection control terminal returns the corresponding connection configuration information to the data request terminal according to the terminal identity credential;
and S13, the data request terminal performs authentication interaction with the data service object according to the connection configuration information, and the connection between the data request terminal and the data service object is established.
In some embodiments, the data request terminal is a device used by a user or an application program. The device may be a smart phone, a tablet computer, a notebook computer, a desktop computer, etc., and is mainly used to obtain the service provided by a data service object; when the data service object is a database, the data request terminal is a database client. Information such as the account and password for connecting to the data service object is not stored locally on the data request terminal. The connection control terminal is mainly used to manage information such as the accounts and passwords with which a plurality of data request terminals in an enterprise connect to data service objects, and may be a computer or a server. The data request terminal and the connection control terminal are each provided with related software so that they cooperate to complete the interaction process shown in FIG. 1.
In some embodiments, the terminal identity credential is a unique identifier of an object sending out the data request instruction, and may be a user identifier, an application identifier, or a device identifier, or may be a combination of the user identifier and the device identifier, or a combination of the application identifier and the device identifier, or the like.
In some embodiments, if the data service object is a database, the target address in the connection configuration information may be the IP, port of the target DBMS; if the data service object is a host operating system, the destination address in the connection configuration information may be a destination host operating system IP, port, etc.
The connection system for a data service object provided by the embodiment of the invention adopts an account-password escrow mode: the DBMS remains independent and needs no change or cooperation. The authentication and connection mode between the database client and the DBMS is unchanged; the only difference is that the database client no longer needs to store a database account and password, and no human intervention or contact is required, so various security risks are reduced. In enterprise management, referring to FIG. 3, a connection control terminal is established as a "hosting center" for database accounts and passwords, and all user-level accounts and passwords of each DBMS, other than the database administrator (DBA) accounts (root, sys, etc.), are centrally stored and centrally managed there. The database client (i.e. the user or application program) does not authenticate to and connect with the target DBMS using an account and password maintained locally at the client; instead it uses its terminal identity credential to request from the hosting center the connection configuration information needed to connect to the target DBMS. That connection configuration information comprises the user's database account, password, database connection address and so on, and can be transmitted in ciphertext form. After obtaining the ciphertext, the database client decrypts it in memory into plaintext connection configuration information, which is kept only in memory and used to authenticate and connect from the database client to the database server; the connection configuration information is never persistently stored on the local disk of the database client.
According to some embodiments of the invention, a data requesting terminal includes a dynamic credential generation module;
the dynamic credential generation module is used for calling an identity credential acquisition tool from the connection control terminal to acquire the terminal identity credential in response to the data request instruction, wherein the identity credential acquisition tool is used for:
collecting a first identifier of an application program sending a data request instruction and a second identifier of a data request terminal;
integrating the first identifier and the second identifier to obtain a terminal identity credential in a plaintext form;
and encrypting the terminal identity credential by adopting a first encryption algorithm to obtain the terminal identity credential in a ciphertext form.
In some embodiments, an application program installed on the data request terminal sends a data request instruction, and the memory of the data request terminal calls an identity credential collection tool from the connection control terminal according to the data request instruction; the call may be made online or offline. In online calling, the memory of the data request terminal sends a call request to the connection control terminal according to the data request instruction to obtain the identity credential collection tool. In offline calling, the connection control terminal sends the identity credential collection tool to the data request terminal in advance; the data request terminal stores the tool on its local disk and calls it from the local disk when its memory receives a data request instruction.
In some embodiments, the identity credential collection tool is a computer program plug-in for generating terminal identity credentials, such as a JAR package. Taking the case where an application program sends a data request instruction, the memory of the data request terminal calls and runs the identity credential collection tool. Based on the identity credential collection tool, the identifier of the application program that issued the data request instruction on the data request terminal is collected as the first identifier, and the environment dependency information of the application program is collected as the second identifier, so that the identity cannot be impersonated. The application program identifier and the environment dependency information are integrated to obtain a terminal identity credential in plaintext form, and the plaintext terminal identity credential is encrypted with a first encryption algorithm to obtain the terminal identity credential in ciphertext form. The first encryption algorithm symmetrically encrypts the plaintext terminal identity credential and, assisted by a hash transformation, finally yields the ciphertext terminal identity credential; the hash transformation ensures the integrity and tamper-resistance of the information. The identity credential collection tool returns the collected terminal identity credential to the memory of the data request terminal, which sends the terminal identity credential to the connection control terminal. The connection control terminal decrypts the terminal identity credential with the decryption algorithm corresponding to the first encryption algorithm to obtain the plaintext terminal identity credential for subsequent processing.
In some embodiments, the second identifier may also be a device identifier, which can uniquely identify the hardware device on which the application program is running.
According to some embodiments of the invention, the connection control terminal includes a registration module for:
receiving a registration request from a data request terminal;
transmitting an identity credential collecting tool to the requesting terminal in response to the registration request, so that the data requesting terminal runs the identity credential collecting tool to obtain a terminal identity credential;
and verifying the authority of the data service object for the terminal identity credential, and storing the verified terminal identity credential in association with the connection configuration information for connecting to the data service object.
In some embodiments, the process of registering the data request terminal is as shown in fig. 4:
S21, the data request terminal sends a registration request to the connection control terminal. Specifically, an application program running in the data request terminal invokes a method in a JAR package provided by the connection control terminal to initiate the registration request; the parameters required for the method invocation include, but are not limited to, identity information such as the application program ID and the database account number, which the application program manager has applied for from the DBMS administrator in advance.
S22, the connection control terminal returns an identity credential collection tool to the data request terminal according to the registration request.
S23, the data request terminal downloads and invokes the identity credential collection tool to collect and generate a terminal identity credential. Specifically, the data request terminal runs the identity credential collection tool to collect the environment dependency of the application program, and generates the terminal identity credential from the environment dependency and the identifier of the application program that initiated the registration request. The identity credential collection tool algorithm used during registration of the data request terminal is the same as the one used when the data request terminal connects to the data service object. The environment dependency represents the environment on which the application program currently runs, such as the hardware and basic software (for example, the operating system), and may be the device number of the device on which the application program is located.
S24, the data request terminal uploads the terminal identity credential to the connection control terminal.
S25, the connection control terminal presents the terminal identity credential to the hosting administrator for identity verification. Specifically, when the verification passes, the terminal identity credential and the connection configuration information of the database are stored in association, completing the record of the application program and its environment dependency; this record is used for subsequent database connection authentication.
Further, after the record is completed, when the application program needs to connect to the database, the connection control terminal provides the identity credential collection tool to the application program running in the data request terminal, which dynamically generates a terminal identity credential and submits an identity authentication request to the connection control terminal. The connection control terminal matches the credential against the registered record; if the verification passes, the connection configuration information required to connect to the target DBMS is returned, and if it fails, an identity error prompt is returned.
In this embodiment, the generation, upload, audit, recording and authentication of the terminal identity credential are all dynamic, and the credential includes not only the application program identifier but also the hardware device environment and the basic software environment in which the application program runs, so the risk of theft of the database account number and password is reduced.
According to some embodiments of the invention, the connection control terminal further comprises a connection configuration module for:
obtaining connection technology configuration information from a management terminal, wherein the connection technology configuration information comprises a target object identifier and connection technology configuration;
determining a corresponding data service object according to the target object identifier;
writing the connection technology configuration into the connection configuration information associated with the data service object.
In some embodiments, the management terminal is a terminal for providing various kinds of configuration, auditing and other operation support for management roles such as account hosts, host administrators, database administrators and the like, the management terminal is connected with the connection control terminal, and the management roles can manage and configure various connection configuration information in the connection control terminal by using the management terminal.
In some embodiments, in the connection control terminal the data service object identifier, the terminal identity credential and the connection configuration information are stored in association. The connection configuration information includes the target address of the data service object, the target object account number and target object password used by a user or application program to log in to the target data service object, and the connection technology configuration used to connect to the target data service object. The connection technology configuration may include a connection technology and a connection manner; the connection technology may be Java database connection technology, and the connection manner may be service_name or SID. In the service_name manner the URL has the form jdbc:oracle:thin:@//<host>:<port>/<service_name>, and in the SID manner the form jdbc:oracle:thin:@<host>:<port>:<SID>.
In some embodiments, when the connection technology adopted by the data service object changes, the management terminal transmits connection technology configuration information, including the target object identifier and the connection technology configuration, to the connection control terminal. The connection control terminal looks up the associated connection configuration information by the target object identifier, writes the newly received connection technology configuration into it, and deletes the old connection technology configuration. Similarly, when the IP, port, etc. of the data service object change, the associated connection configuration information in the connection control terminal can be modified through the management terminal. Centrally maintaining the connection configuration information of critical connections improves connection efficiency for every client: when the DBMS environment changes, the connection configuration of the relevant clients can be modified with a simple operation on the management terminal, without the time-consuming and labor-intensive process of notifying all relevant parties and clients of the configuration adjustment; the change on the DBMS service side is not perceived by the clients, and the risk of failed database connections caused by client configuration errors is reduced.
According to some embodiments of the invention, the data request terminal further comprises a connection establishment module, wherein the connection establishment module is used for:
Judging whether a corresponding connection technology tool exists locally according to the connection technology configuration in the connection configuration information;
when the corresponding connection technology tool exists locally, calling the connection technology tool from the local to establish connection with the data service object;
when the corresponding connection technology tool does not exist locally, the connection technology tool is called from the connection control terminal to establish connection with the data service object.
In this embodiment, the connection control terminal uniformly encapsulates mainstream Database Connection Pool (DCP) technology into a connection technology tool and transmits it to the relevant data request terminals, so that the usage specification for database connection technology within the enterprise can be enforced by technical means. When the data request terminal establishes a connection with the database, if the corresponding connection technology tool is already stored locally, it is called locally to establish the connection with the data service object; when the corresponding connection technology tool does not exist locally, it is called online from the connection control terminal to establish the connection with the data service object.
According to some embodiments of the invention, the connection control terminal includes a password update module, where the password update module is configured to:
Triggering and calling a password updating tool according to the timer of the connection configuration information so as to update the target object password in the connection configuration information.
In some embodiments, each piece of connection configuration information in the connection control terminal is correspondingly provided with a timer, and when the timer of the connection configuration information reaches the timing time, the password updating tool is called to update the target object password in the connection configuration information, so that the password is automatically modified at regular intervals, the risk of password leakage is reduced, and the client is not perceived.
In the following, an embodiment of the present invention is further described by taking an application program accessing a database management system as an example. Referring to fig. 5, in the database connection architecture 510 of the related art, each application program carries its own database account number and password and accesses the DBMS directly. This requires each application program to store its own account number and password, so problems such as password leakage or password errors easily arise and affect the application program's connection to the DBMS. In contrast, when the application program does not store the database account number and password locally and needs to connect to the DBMS, it dynamically collects the application program ID and environment dependency information as its identity credential, dynamically obtains the database account number and password into memory, and establishes the connection with the DBMS from memory rather than from an account number and password that are, as is conventional, permanently stored locally.
Specifically, the overall detailed flow of the application program connection database management system is as follows:
S31, the application program dynamically calls the identity credential collection tool provided by the connection control terminal to generate a terminal identity credential in ciphertext form, which includes the application program ID and the environment dependency information, and sends it to the connection control terminal;
S32, the connection control terminal decrypts the terminal identity credential with the decryption algorithm corresponding to the first encryption algorithm in the identity credential collection tool and performs identity matching authentication on the plaintext credential. If the match succeeds, it encrypts the corresponding connection configuration information with a second encryption algorithm and returns it to the application program; if the match fails, it sends error information to the person responsible for the application program as a message notification, such as an SMS, IM message, e-mail or to-do item, for checking or re-application;
S33, when the application program's memory receives the connection configuration information, it decrypts it with the second decryption algorithm corresponding to the second encryption algorithm, then sends a connection request containing the account number and password to the corresponding target DBMS according to the target object address in the connection configuration information, and establishes the connection with the DBMS using the connection technology specified in the connection configuration information.
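A Python model of the S31-S33 exchange above, together with the S25 registration record and the timer-driven password update; this is an added example, not code from the patent (whose tool is described as a JAR package). Since the page does not name its first or second encryption algorithm, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for both, and all keys, identifiers and configuration values are constructed.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed shared keys held by both sides: the first protects the terminal
# identity credential, the second the returned connection configuration information.
KEY_CREDENTIAL = b"constructed-first-algorithm-key"
KEY_CONFIG = b"constructed-second-algorithm-key"


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one shared key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for the unspecified symmetric cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Symmetric encryption plus a hash-based tag, laid out nonce(16) || ct || tag(32).
    The tag is the 'hash transformation' that gives integrity and non-tampering."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a modified byte anywhere in the blob raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("credential tampered with or sealed under another key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def collect_identity_credential(app_id: str, device_id: str) -> bytes:
    """Identity credential collection tool (S201 / S31): the first identifier is the
    application ID, the second the environment dependency (here the device ID).
    Both are integrated into a plaintext credential, which is then sealed."""
    plain = json.dumps({"app_id": app_id, "device_id": device_id}, sort_keys=True)
    return seal(KEY_CREDENTIAL, plain.encode())


class ConnectionControlTerminal:
    """Keeps the registered records and their connection configuration information."""

    def __init__(self) -> None:
        self._records: dict = {}  # (app_id, device_id) -> connection configuration

    def register(self, credential: bytes, config: dict) -> None:
        """S25: once the administrator's review passes, store the credential in
        association with the target object's connection configuration information."""
        ident = json.loads(open_sealed(KEY_CREDENTIAL, credential))
        self._records[(ident["app_id"], ident["device_id"])] = dict(config)

    def authenticate(self, credential: bytes) -> Optional[bytes]:
        """S32: decrypt with the first algorithm, match the plaintext credential against
        the record, and return the configuration sealed with the second algorithm.
        None means no match; the caller then notifies the responsible person."""
        ident = json.loads(open_sealed(KEY_CREDENTIAL, credential))
        config = self._records.get((ident["app_id"], ident["device_id"]))
        if config is None:
            return None
        return seal(KEY_CONFIG, json.dumps(config).encode())

    def rotate_password(self, app_id: str, device_id: str, new_password: str) -> None:
        """Password update module: what the timer-triggered tool changes. Clients are
        unaffected because they fetch the current password on every request."""
        self._records[(app_id, device_id)]["password"] = new_password


def request_connection_config(cct: ConnectionControlTerminal,
                              app_id: str, device_id: str) -> Optional[dict]:
    """S31 + S33 on the data request terminal: the account and password are never
    written to disk; they exist only in memory after the response is opened."""
    sealed = cct.authenticate(collect_identity_credential(app_id, device_id))
    return None if sealed is None else json.loads(open_sealed(KEY_CONFIG, sealed))


def jdbc_url(config: dict) -> str:
    """Build the JDBC URL from the connection technology configuration (service_name or SID)."""
    if config["connection_mode"] == "service_name":
        return f"jdbc:oracle:thin:@//{config['host']}:{config['port']}/{config['service_name']}"
    return f"jdbc:oracle:thin:@{config['host']}:{config['port']}:{config['sid']}"


SAMPLE_CONFIG = {  # constructed values for trying the exchange out
    "host": "db.example.internal", "port": 1521, "connection_mode": "service_name",
    "service_name": "ORCL", "account": "app_user", "password": "constructed-initial-pw",
}
```

Registering APP-001 on DEV-42 and then requesting from DEV-99 with the same application ID returns None, which is the environment-dependency check the description relies on; flipping one byte of a sealed credential raises before any decryption happens.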
The embodiment of the present invention also provides a method for connecting a data service object, which is applied to the data request terminal of the data service object connection system in the above embodiment, referring to fig. 6, and the method for connecting a data service object in the embodiment of the present invention includes, but is not limited to, the following steps:
step S101, generating a terminal identity credential in response to a data request instruction;
step S102, a terminal identity credential is sent to a connection control terminal to acquire connection configuration information, wherein the connection configuration information comprises a target address, a target object account number and a target object password;
step S103, a target object account number and a target object password are sent to the corresponding data service object according to the target address so as to establish connection with the data service object.
In some embodiments, in step S101, the step of generating the terminal identity credential in response to the data request instruction includes, but is not limited to, the steps of:
step S201, an identity credential collecting tool from a connection control terminal is called in response to a data request instruction to collect terminal identity credentials, wherein the identity credential collecting tool is used for:
collecting a first identifier of an application program sending a data request instruction and a second identifier of a data request terminal;
Integrating the first identifier and the second identifier to obtain a terminal identity credential in a plaintext form;
and encrypting the terminal identity credential by adopting a first encryption algorithm to obtain the terminal identity credential in a ciphertext form.
In some embodiments, the connection configuration information further includes a connection technology configuration, and the connection method applied to the data request terminal further includes the steps of:
step S301, judging whether a corresponding connection technology tool exists locally according to the connection technology configuration;
step S302, when a corresponding connection technology tool exists locally, the connection technology tool is called from the local to establish connection with the data service object;
step S303, when the corresponding connection technology tool does not exist locally, the connection technology tool is called from the connection control terminal to establish connection with the data service object.
Another embodiment of the present invention further provides a connection method of a data service object, which is applied to the connection control terminal of the connection system of a data service object in the foregoing embodiment, referring to fig. 7, and the connection method of a data service object in the embodiment of the present invention includes, but is not limited to, the following steps:
step S401, obtaining a terminal identity credential from a data request terminal;
step S402, matching connection configuration information according to a terminal identity credential, wherein the connection configuration information comprises a target address, a target object account number and a target object password;
step S403, the matched connection configuration information is sent to the data request terminal, so that the data request terminal establishes connection with the corresponding data service object according to the connection configuration information.
In some embodiments, referring to fig. 8, the connection method applied to the connection control terminal further includes the steps of:
step S501, receiving a registration request from a data request terminal;
step S502, an identity credential collecting tool is sent to a request terminal in response to a registration request, so that the data request terminal runs the identity credential collecting tool to obtain a terminal identity credential;
step S503, checking the authority of the data service object for the terminal identity credential, and storing the checked terminal identity credential in association with the connection configuration information for connecting to the data service object.
In some embodiments, referring to fig. 9, the connection method applied to the connection control terminal further includes the steps of:
step S601, obtaining connection technology configuration information from a management terminal, wherein the connection technology configuration information comprises a target object identifier and connection technology configuration;
step S602, determining a corresponding data service object according to the target object identifier;
step S603, writing the connection technology configuration into the connection configuration information associated with the data service object.
In some embodiments, the connection method applied to the connection control terminal further includes the steps of:
step S701, triggering and calling a password updating tool according to a timer of the connection configuration information to update a target object password in the connection configuration information.
The embodiment of the invention also provides electronic equipment, which comprises: the system comprises a memory, a processor, a program stored on the memory and capable of running on the processor, and a data bus for realizing connection communication between the processor and the memory, wherein the program realizes the connection method of the data service objects when being executed by the processor. The electronic equipment can be any intelligent terminal including a tablet personal computer, a vehicle-mounted computer and the like.
Referring to fig. 10, fig. 10 illustrates a hardware structure of an electronic device according to another embodiment, the electronic device includes:
the processor 901 may be implemented by a general purpose CPU (central processing unit), a microprocessor, an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits, etc. for executing related programs to implement the technical solution provided by the embodiments of the present invention;
the memory 902 may be implemented in the form of read-only memory (Read Only Memory, ROM), static storage, dynamic storage, or random access memory (Random Access Memory, RAM). The memory 902 may store an operating system and other application programs, and when the technical solutions provided in the embodiments of the present disclosure are implemented by software or firmware, the relevant program code is stored in the memory 902 and the processor 901 calls and executes the connection method of a data service object of an embodiment of the present disclosure;
an input/output interface 903 for inputting and outputting information;
the communication interface 904 is configured to implement communication interaction between the device and other devices, and may implement communication in a wired manner (e.g. USB, network cable, etc.), or may implement communication in a wireless manner (e.g. mobile network, WIFI, bluetooth, etc.);
a bus 905 that transfers information between the various components of the device (e.g., the processor 901, the memory 902, the input/output interface 903, and the communication interface 904);
wherein the processor 901, the memory 902, the input/output interface 903 and the communication interface 904 are communicatively coupled to each other within the device via a bus 905.
The embodiment of the invention also provides a storage medium, which is a computer readable storage medium and is used for computer readable storage, the storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to realize the connection method of the data service objects.
The memory, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs as well as non-transitory computer executable programs. In addition, the memory may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory remotely located relative to the processor, the remote memory being connectable to the processor through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The embodiments described in the embodiments of the present invention are for more clearly describing the technical solutions of the embodiments of the present invention, and do not constitute a limitation on the technical solutions provided by the embodiments of the present invention, and those skilled in the art can know that, with the evolution of technology and the appearance of new application scenarios, the technical solutions provided by the embodiments of the present invention are equally applicable to similar technical problems.
It will be appreciated by persons skilled in the art that the embodiments of the invention are not limited by the illustrations, and that more or fewer steps than those shown may be included, or certain steps may be combined, or different steps may be included.
The above described apparatus embodiments are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Those of ordinary skill in the art will appreciate that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof.
The terms "first," "second," "third," "fourth," and the like in the description of the invention and in the above figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that in the present invention, "at least one (item)" means one or more, and "a plurality" means two or more. "and/or" describes the association relationship of the associated objects and may represent three relationships; for example, "A and/or B" may represent: only A, only B, and both A and B, wherein A and B may be singular or plural. The character "/" generally indicates that the associated objects are in an "or" relationship. "at least one of" or the like means any combination of these items, including any combination of single item(s) or plural items. For example, at least one (one) of a, b or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, c may be single or plural.
In the several embodiments provided by the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the above-described division of units is merely a logical function division, and there may be another division manner in actual implementation, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including multiple instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method of the various embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing a program.
The preferred embodiments of the present invention have been described above with reference to the accompanying drawings, and are not thereby limiting the scope of the claims of the embodiments of the present invention. Any modifications, equivalent substitutions and improvements made by those skilled in the art without departing from the scope and spirit of the embodiments of the present invention shall fall within the scope of the claims of the embodiments of the present invention.

Claims (10)

1. A connection system of a data service object, wherein the connection system of the data service object comprises a data request terminal and a connection control terminal;
the data request terminal is used for responding to a data request instruction to generate a terminal identity credential and sending the terminal identity credential to the connection control terminal;
the connection control terminal is used for matching connection configuration information according to the terminal identity certificate, and sending the matching connection configuration information to the data request terminal, wherein the connection configuration information comprises a target address, a target object account number and a target object password;
the data request terminal is further used for sending the target object account and the target object password to the corresponding data service object according to the target address so that the data service object and the data request terminal are connected.
2. The connection system of data service objects according to claim 1, wherein the data request terminal comprises a dynamic credential generation module;
the dynamic credential generation module is used for calling an identity credential acquisition tool from the connection control terminal to acquire a terminal identity credential in response to a data request instruction, wherein the identity credential acquisition tool is used for:
collecting a first identifier of an application program sending a data request instruction and a second identifier of the data request terminal;
integrating the first identifier and the second identifier to obtain a terminal identity credential in a plaintext form;
and encrypting the terminal identity credential by adopting a first encryption algorithm to obtain the terminal identity credential in a ciphertext form.
3. The connection system of data service objects according to claim 2, wherein the connection control terminal includes a registration module for:
receiving a registration request from a data request terminal;
transmitting an identity credential collecting tool to the requesting terminal in response to a registration request, so that the data requesting terminal runs the identity credential collecting tool to obtain a terminal identity credential;
And verifying the authority of the data service object aiming at the terminal identity certificate, and storing the verified terminal identity certificate and the connection configuration information for connecting the data service object in a correlated way.
4. A connection system for data service objects according to claim 3, wherein the connection control terminal further comprises a connection configuration module for:
obtaining connection technology configuration information from a management terminal, wherein the connection technology configuration information comprises a target object identifier and connection technology configuration;
determining a corresponding data service object according to the target object identifier;
writing the connection technology configuration into connection configuration information associated with the data service object.
5. The connection system of data service objects according to claim 1, wherein the connection configuration information further comprises a connection technology configuration, and the data request terminal further comprises a connection establishment module for:
judging whether a corresponding connection technology tool exists locally according to the connection technology configuration;
when a corresponding connection technology tool exists locally, calling the connection technology tool from the local to establish connection with the data service object;
And when the corresponding connection technology tool does not exist locally, calling the connection technology tool from the connection control terminal to establish connection with the data service object.
6. The connection system of data service objects according to claim 1, wherein the connection control terminal comprises a password update module for:
triggering and calling a password updating tool according to the timer of the connection configuration information so as to update the target object password in the connection configuration information.
7. A method for connecting a data service object, which is applied to a data request terminal of a connection system of a data service object according to claim 1, comprising the steps of:
generating a terminal identity credential in response to the data request instruction;
sending the terminal identity credential to a connection control terminal to obtain connection configuration information, wherein the connection configuration information comprises a target address, a target object account and a target object password;
and sending the target object account and the target object password to the corresponding data service object according to the target address, so as to establish a connection with the data service object.
8. A connection method of data service objects, characterized in that it is applied to a connection control terminal of a connection system of data service objects according to claim 1, the connection method of data service objects comprising the steps of:
acquiring a terminal identity credential from a data request terminal;
matching connection configuration information according to the terminal identity credential, wherein the connection configuration information comprises a target address, a target object account and a target object password;
and sending the matched connection configuration information to the data request terminal, so that the data request terminal establishes a connection with the corresponding data service object according to the connection configuration information.
9. An electronic device comprising a memory, a processor, a program stored on the memory and executable on the processor, and a data bus for enabling communication between the processor and the memory, the program, when executed by the processor, implementing the steps of the method for connecting data service objects according to claim 7 or claim 8.
10. A computer-readable storage medium, characterized in that the storage medium stores one or more programs executable by one or more processors to implement the steps of the data service object connection method of claim 7 or claim 8.
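To make the claimed flow concrete, the following Python model is an added example (it is not code from the patent or from China Telecom) that walks through claims 3 to 8 end to end: the connection control terminal issues and verifies terminal identity credentials, checks the terminal's authority for a data service object before binding the credential to connection configuration, accepts a connection technology configuration for a target object, matches configuration by credential, and rotates the target object password on a timer; the data request terminal obtains the configuration, uses a local connection technology tool or fetches one from the control terminal, and presents the account and password to the data service object. The HMAC-based credential format, the in-memory stores, the authorization allowlist and all class, method and sample values (terminal ids, addresses, passwords) are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


class DataServiceObject:
    """Constructed target (e.g. a database) that checks account and password."""

    def __init__(self, account, password):
        self.account, self.password = account, password

    def login(self, account, password):
        return account == self.account and hmac.compare_digest(password, self.password)


class ConnectionControlTerminal:
    """Claims 3, 4, 6 and 8: issue/verify credentials, bind them to
    connection configuration, apply technology config, rotate passwords."""

    def __init__(self, credential_key, authorizations):
        self._key = credential_key              # secret for minting credentials (assumption)
        self._authorizations = authorizations   # terminal_id -> set of service ids (assumption)
        self._services = {}                     # service_id -> connection configuration
        self._bindings = {}                     # verified credential -> service_id (claim 3)
        self._tools = {"jdbc": "jdbc-driver-v1.jar"}  # constructed tool store (claim 5)

    def add_service(self, service_id, address, account, password, rotate_every):
        self._services[service_id] = {
            "target_address": address, "target_account": account,
            "target_password": password, "connection_technology": None,
            "rotate_every": rotate_every, "next_rotation": rotate_every,  # claim 6 timer
        }

    def issue_credential(self, terminal_id):
        # Claim 3: the credential collecting tool, modelled as an HMAC token (assumption).
        tag = hmac.new(self._key, terminal_id.encode(), hashlib.sha256).hexdigest()
        return f"{terminal_id}:{tag}"

    def _verify(self, credential):
        terminal_id, _, tag = credential.partition(":")
        expected = hmac.new(self._key, terminal_id.encode(), hashlib.sha256).hexdigest()
        return terminal_id if hmac.compare_digest(tag, expected) else None

    def register(self, credential, service_id):
        # Claim 3: verify the terminal's authority for the service object, then bind.
        terminal_id = self._verify(credential)
        if terminal_id is None or service_id not in self._authorizations.get(terminal_id, set()):
            return False
        self._bindings[credential] = service_id
        return True

    def apply_technology_config(self, target_object_id, technology):
        # Claim 4: technology configuration arriving from the management terminal.
        self._services[target_object_id]["connection_technology"] = technology

    def match_config(self, credential):
        # Claim 8: only a valid, bound credential yields configuration.
        if self._verify(credential) is None or credential not in self._bindings:
            return None
        return dict(self._services[self._bindings[credential]])

    def rotate_passwords(self, now, service_objects):
        # Claim 6: timer-triggered password update, pushed to the target too.
        rotated = []
        for sid, cfg in self._services.items():
            if now >= cfg["next_rotation"]:
                cfg["target_password"] = secrets.token_urlsafe(16)
                service_objects[cfg["target_address"]].password = cfg["target_password"]
                cfg["next_rotation"] = now + cfg["rotate_every"]
                rotated.append(sid)
        return rotated

    def fetch_tool(self, technology):
        return self._tools.get(technology)


class DataRequestTerminal:
    """Claims 1, 5 and 7: obtain configuration by credential, then connect."""

    def __init__(self, credential, local_tools):
        self.credential, self.local_tools = credential, dict(local_tools)

    def connect(self, control, service_objects):
        cfg = control.match_config(self.credential)
        if cfg is None:
            return False
        tech = cfg["connection_technology"]
        tool = self.local_tools.get(tech)       # claim 5: look for the tool locally first
        if tool is None:
            tool = control.fetch_tool(tech)     # otherwise fetch it from the control terminal
            if tool is None:
                return False
            self.local_tools[tech] = tool
        target = service_objects[cfg["target_address"]]
        return target.login(cfg["target_account"], cfg["target_password"])


def demo():
    """Run the whole flow on constructed sample data and return the outcomes."""
    control = ConnectionControlTerminal(b"constructed-key", {"term-1": {"db-1"}})
    control.add_service("db-1", "10.0.0.5:3306", "app", "initial-pw", rotate_every=3600)
    control.apply_technology_config("db-1", "jdbc")
    service_objects = {"10.0.0.5:3306": DataServiceObject("app", "initial-pw")}
    good = control.issue_credential("term-1")
    other = control.issue_credential("term-2")  # valid credential, not authorised for db-1
    results = {
        "register_ok": control.register(good, "db-1"),
        "register_unauthorised": control.register(other, "db-1"),
        "forged_rejected": control.match_config("term-1:" + "0" * 64) is None,
    }
    terminal = DataRequestTerminal(good, local_tools={})
    results["connect_before_rotation"] = terminal.connect(control, service_objects)
    results["tool_fetched"] = "jdbc" in terminal.local_tools
    results["rotated"] = control.rotate_passwords(3600, service_objects)
    results["connect_after_rotation"] = terminal.connect(control, service_objects)
    results["stale_password_rejected"] = not service_objects["10.0.0.5:3306"].login("app", "initial-pw")
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is that the data request terminal never stores the target password: it holds only a credential, fetches the current configuration at connection time, and therefore keeps working after the timer-driven rotation, while a terminal that has cached the old password (the `stale_password_rejected` case) is refused.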
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310596549.0A CN116668034A (en) 2023-05-25 2023-05-25 Connection system and method for data service object, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116668034A true CN116668034A (en) 2023-08-29

Family

ID=87713008

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310596549.0A Pending CN116668034A (en) 2023-05-25 2023-05-25 Connection system and method for data service object, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116668034A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination