CN102487383A - Industrial internet distributed system safety access control device - Google Patents

Publication number
CN102487383A
Authority
CN
China
Prior art keywords
resource
server
certificate
module
user
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2010105709798A
Other languages
Chinese (zh)
Other versions
CN102487383B (en)
Inventor
梁俊
俞高宇
王磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Left Bank Investment Management Co ltd
Shanghai Kelu Software Co Ltd
Original Assignee
Shanghai Kelu Software Co Ltd
Application filed by Shanghai Kelu Software Co Ltd
Priority to CN201010570979.8A
Publication of CN102487383A
Application granted
Publication of CN102487383B
Legal status: Active

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses an industrial Internet distributed system safety access control device. The device integrates a module that authenticates and authorizes the identities and access operations of users and servers, a module that audits the access operations of users and servers, and a module that performs unified resource location for the object resources accessed by users and servers. The identity security and permission validity of the users or servers that access the industrial Internet distributed system and acquire information or services can be effectively ensured. In addition, users and servers in the industrial Internet do not need to know the actual storage position of the object resources they need. Through the unified resource locating platform of the distributed system, the corresponding server can be located and the needed object resources acquired, so that demands in a distributed environment are satisfied rapidly and conveniently.

Description

An industrial Internet distributed system safety access control device
Technical field
The present invention relates to a network security access control technology.
Background technology
With the rapid development of industrial automation control, more and more industrial enterprises use their internal (or dedicated) networks to interconnect their production-process equipment or industrial intelligent equipment (Intelligent Electric Device, IED), forming a production control system network. Such an internal (or dedicated) network of an industrial enterprise is referred to as the industrial Internet.
Large enterprises, such as power companies, oil and gas transport enterprises, and large mining groups mainly engaged in mineral resource exploration and development, often have holding companies distributed across the country or even around the world, so an internal network alone cannot satisfy their information exchange needs. With the development of the industrial Internet, it is no longer confined to one station or one city: using the hardware and software facilities of the existing public network (the Internet), two or more industrial Internets are connected for communication, so that one central control system can supervise and control all sub production control systems, and the sub production control systems can also communicate with each other, forming a larger industrial Internet whose resources can be controlled and used more optimally.
Moreover, to improve system operating efficiency, balance load and improve robustness, the industrial Internet usually uses a distributed system that provides distributed databases, distributed services and so on, with different servers in the industrial Internet respectively performing information collection, storage, processing and forwarding, providing services, etc. The industrial Internet distributed system is an integrated system: the whole system has one global operating system (the distributed operating system), which is responsible for resource allocation and scheduling, task division, message passing, control coordination and similar work for the whole system (including every computer), and provides users with a unified, standard interface. This distributed operating system is generally located in the central control system of the industrial Internet. With a distributed operating system, users perform the required operations and use system resources through the unified interface; on which computer an operation is executed, or which computer's resources are used, is a matter for the system and need not be known by the user. In other words, the system is transparent to the user.
Because the information transmitted in the industrial Internet is internal industrial information and the services provided are internal services, the requirements for the security and confidentiality of information are high. To ensure security, users, clients and application processes in the industrial Internet must all be authenticated before obtaining services, data or information. The essence of authentication is the process of confirming whether the authenticated object is genuine and valid. Cryptographic techniques are generally adopted: the authenticated object is verified by means of a digital certificate, achieving the aim of confirming whether the authenticated object is genuine and valid.
Only after identification and authentication is a tunnel (VPN) established using the IP address where the requested service resides; the requester connects through the VPN to the server providing the service and obtains the corresponding services, data, information, etc. A VPN is a virtual private network: a temporary, secure connection established over a public network (usually the Internet), that is, a secure and stable tunnel through the chaotic public network.
However, for an industrial Internet distributed system, authenticating only users, clients and application processes does not give a sufficient security level for an industrial Internet that requires high security. Likewise, securing communication only by establishing a VPN from the IP address is not sufficient for a distributed system. Existing industrial Internet distributed systems urgently need a network security access control device that is suited to distributed environments and can meet high security requirements for data (namely confidentiality, integrity and non-repudiation of data).
Summary of the invention
The main technical problem solved by the present invention is to provide an industrial Internet distributed system safety access control device that protects the security of an industrial Internet using distributed computing technology while satisfying the resource location requirements of the industrial Internet in a distributed environment.
To solve the above technical problem, the invention provides an industrial Internet distributed system safety access control device, comprising a network communication port and connected through an internal private network or a public network to the servers or clients in said industrial Internet, and further comprising:
an authentication and authorization module that authenticates the identity and access operation permissions of users and servers; an audit module that audits the access operations of users or servers; and a resource locating module that performs storage location positioning control for the object resources of user or server access operations;
Said authentication and authorization module, audit module and resource locating module are all connected to said network communication port. Said authentication and authorization module receives authentication information from a user client or server through said network communication port and performs authentication and authorization of identity and access operation permissions. Said audit module receives access operation information from a user client or server through said network service port and audits said access operation. Said resource locating module is connected to said audit module and, after said access operation information passes the audit of said audit module, locates the storage location of the object resource of said access operation.
As an improvement of the above technical solution, the device further comprises a certificate granting center that performs basic management operations on digital certificates, and a certificate repository; said basic management operations comprise at least certificate issuance, indexing, storage and revocation;
Said certificate granting center is connected to said authentication and authorization module; said certificate repository is connected to said certificate granting center and to said authentication and authorization module respectively. In the process of said certificate granting center issuing a certificate to a user, a role and permissions are assigned to the user through said authentication and authorization module; said certificate granting center issues to the user a digital certificate containing the role information, and the digital certificate is stored in the certificate repository. Said authentication and authorization module reads the user's digital certificate from said certificate repository when authenticating the user's identity and access operation permissions.
As an improvement of the above technical solution, the device further comprises a resource management module, connected to the resource locating module, which manages and maintains the system's global component resource library, resource allocation template library, Common Information Model (CIM) pattern description files and CIM model semantic model library.
As an improvement of the above technical solution, the object resources in said distributed system are divided into deployable ("can dispose") object resources and common object resources. A common object resource and the deployable object resource to which it belongs are stored on the same server. Each object resource has a uniquely corresponding resource identifier, which comprises two parts: the identification code of the upper-level deployable object resource to which the object resource belongs, and the identification code of the resource itself. The resource identifiers and storage addresses of deployable object resources are registered with the resource locating module, which further comprises:
a storage submodule, for storing the correspondence between said resource identifiers of deployable object resources and their storage addresses;
a lookup submodule, for determining, from the resource identifier in an access operation request, whether the requested resource is a deployable object resource; if it is a deployable object resource, looking up the storage address of the object resource in the correspondence stored by said storage submodule according to the resource's own identification code part of said resource identifier; if it is a common object resource, looking up the storage address of the object resource in the correspondence stored by said storage submodule according to the upper-level deployable object resource identification code part of said resource identifier;
a feedback submodule, for feeding said found storage address back to the access operation requester, which obtains the required object resource from the server corresponding to the storage address.
As an improvement of the above technical solution, the device further comprises a rights database for storing the permission information corresponding to users of different roles;
After verifying the validity of the digital certificate, said authentication and authorization module queries said rights database using the user name information and role information in the digital certificate, extracts the user's permission information from it, and returns to the user a user interface containing the access operations within the user's permissions.
As an improvement of the above technical solution, said authentication and authorization module is also used to authenticate a server in said industrial Internet when the server performs a behavior: if the authentication passes, the server is allowed to perform the behavior; if the authentication fails, the server is refused the behavior;
Said server behavior comprises at least one of the following or any combination thereof:
server startup, the server providing a service, the server providing data, the server providing an operation, and the server using system resources.
As an improvement of the above technical solution, said certificate granting center is also used to assign digital certificates and keys to the servers in said industrial Internet, bind the information of each server to the assigned digital certificate and key, and save them in said certificate repository;
Said authentication and authorization module obtains the server's digital certificate from said certificate repository, verifies the digital certificate and key of said server, and checks whether the server information bound to the digital certificate matches the server information in said authentication, thereby authenticating said server.
Compared with the prior art, the main difference and effect of the embodiments of the present invention are as follows: a safety access control device suited to distributed environments is provided for the industrial Internet, integrating a module that authenticates and authorizes the identity and access operation permissions of users and servers, a module that audits the access operations of users or servers, and a module that performs unified resource location for the object resources accessed by users and servers. This effectively ensures the identity security and permission validity of the users or servers that access the industrial Internet distributed system and obtain information or services. Moreover, users and servers in the industrial Internet need not know the actual storage location of the required object resources; they only need to locate the corresponding server through the unified resource locating platform of the distributed system to obtain the required object resources, so that demands in a distributed environment are met quickly and conveniently.
As a further improvement, the object resources in the distributed system are divided into deployable ("can dispose") object resources and common object resources, stored on the distributed servers. A common object resource and the deployable object resource to which it belongs are stored on the same server. Each object resource has a resource ID comprising two parts: the identification code of the upper-level deployable object resource to which it belongs, and the identification code of the object resource itself. Only the IDs and storage addresses of deployable object resources are sent to the resource locating device for registration. When the resource locating module looks up a resource, it first determines whether the resource is a deployable object resource; if it is, the module looks up the storage address of the object resource by the resource's own identification code part; if it is a common object resource, the module looks up the storage address by the upper-level deployable object resource identification code part. The resource requester then obtains the required object resource from the server corresponding to the storage address. For a distributed system containing massive data and many resource types, this resource location method greatly speeds up resource lookup and location. Because only deployable object resource IDs need to be registered, it also solves the problem of registering large volumes of information resources of many types, lowers the requirements on the system capacity and processing performance of the resource location facility, and effectively prevents the resource location facility from becoming a system bottleneck.
In addition, the present invention breaks with the traditional notion that servers in a distributed network are secure and need no authentication. By authenticating in real time the servers that provide services in the distributed network, it ensures at every moment the legitimacy of the services the servers provide and the validity of the data they provide, effectively avoids the situation of a server being stolen, and satisfies users' security requirements, including confidentiality, integrity and non-repudiation of data. The security level reached by the distributed network can thus satisfy systems with high security requirements such as the industrial Internet, including the high-level security requirements of users in industrial fields such as electric power, oil and gas, and traffic.
Description of drawings
The present invention is described in further detail below with reference to the drawings and embodiments.
Fig. 1 is a schematic diagram of the connection structure between the safety access control device and the servers/clients in the distributed system in a preferred embodiment of the present invention;
Fig. 2 is a structural diagram of the industrial Internet distributed system safety access control device in a preferred embodiment of the present invention.
Embodiment
To make the object, technical solution and advantages of the present invention clearer, embodiments of the present invention are described in further detail below with reference to the drawings.
A preferred embodiment of the present invention relates to an industrial Internet distributed system safety access control device that serves as the security control mechanism and distributed platform of the industrial Internet distributed system. It comprises a network communication port and is connected, directly or indirectly, through a dedicated network (internal network) or a public network to all servers and clients in the industrial Internet. These servers can implement different services, operations and so on in different regions of the industrial Internet; for example, the servers may be distributed across first-level master stations, second-level master stations and even substations in different regions. A client can connect to the device over the network from any region, as shown in Fig. 1.
In this embodiment, a client authenticates through the device, logs in to the distributed system, confirms its own permissions, locates the object resources of the required access operation (within its permissions), and finally obtains the required services within its permissions. A server likewise authenticates through the device, logs in to the distributed system, confirms its own permissions, locates and obtains the required object resources within its permissions through the device, and provides services and the like to users within its permissions. Moreover, besides authenticating and authorizing the identity and permissions of clients and servers, the safety access control device also, after users and servers have completed resource location and connected to the located server, further audits each operation of the users and servers, ensuring that the services obtained by the operations they perform are all within their permissions. This multi-faceted, multiple authentication and audit mechanism ensures the security and stability of the industrial Internet distributed system.
Specifically, the safety access control device of this embodiment mainly comprises: an authentication and authorization module that authenticates the identity and access operation permissions of users and servers; an audit module that audits the access operations of users or servers; and a resource locating module that performs storage location positioning control for the object resources of user or server access operations, as shown in Fig. 2.
The authentication and authorization module, the audit module and the resource locating module are all connected to the network communication port. The authentication and authorization module receives authentication information from a user client or server through the network communication port and performs authentication and authorization of identity and access operation permissions. The audit module receives access operation information from a user client or server through the network service port and audits the access operation. The resource locating module is connected to the audit module and, after the access operation information passes the audit of the audit module, locates the storage location of the object resource of the access operation. The audit module may call the authentication and authorization module to authenticate the identity and permissions of the client/server performing the access operation and so confirm whether the access operation is legitimate; it may also authenticate the identity and permissions of the client/server directly to confirm whether the access operation is legitimate.
The safety access control device further comprises a certificate granting center that performs basic management operations on digital certificates, and a certificate repository; the basic management operations comprise at least certificate issuance, indexing, storage and revocation.
The certificate granting center is connected to the authentication and authorization module; the certificate repository is connected to the certificate granting center and to the authentication and authorization module respectively. In the process of the certificate granting center issuing a certificate to a user, a role and permissions are assigned to the user through the authentication and authorization module; the certificate granting center issues to the user a digital certificate containing the role information, and the digital certificate is stored in the certificate repository. The authentication and authorization module reads the user's digital certificate from the certificate repository when authenticating the user's identity and access operation permissions.
The device further comprises a resource management module, connected to the resource locating module, which manages and maintains the system's global component resource library, resource allocation template library, Common Information Model (CIM) pattern description files and CIM model semantic model library.
The device further comprises a rights database for storing the permission information corresponding to users of different roles.
After verifying the validity of the digital certificate, the authentication and authorization module queries the rights database using the user name information and role information in the digital certificate, extracts the user's permission information from it, and returns to the user a user interface containing the access operations within the user's permissions.
As an improvement of the above technical solution, the authentication and authorization module is also used to authenticate a server in the industrial Internet when the server performs a behavior: if the authentication passes, the server is allowed to perform the behavior; if the authentication fails, the server is refused the behavior. The server behaviors comprise at least: server startup, the server providing a service, the server providing data, the server providing an operation, the server using system resources, etc.
Correspondingly, the certificate granting center can also be used to assign digital certificates and keys to the servers in the industrial Internet, bind the information of each server to the assigned digital certificate and key, and save them in the certificate repository. The authentication and authorization module obtains the server's digital certificate from the certificate repository, verifies the server's digital certificate and key, and checks whether the server information bound to the digital certificate matches the server information in the authentication, thereby authenticating the server.
In summary, in this embodiment a user who wants to access a service in the industrial Internet must first log in to the industrial Internet distributed system safety access control device. The authentication and authorization module authenticates the user's identity, determines the user's permissions, and returns to the user the user interface corresponding to those permissions (the interface contains only the operations the user is permitted to perform). When the user needs to perform a specific access operation through the client, the audit module further audits the user's permission for that access operation: if the audit passes, the access operation is allowed; if the audit fails, the access operation is forbidden, which ensures system security. Moreover, the user need not know which server the requested service is on. Whatever access operation the user needs to perform, the user only needs to send the request to the safety access control device; the resource locating module performs resource location for the user and determines the location of the object resource corresponding to the required service, and the user finds the corresponding server and obtains the service according to the result returned by the resource locating module.
Besides identity and permission authentication and audit at the user level, servers likewise need identity and permission authentication at the server level. When a server starts, provides a service, provides data, provides an operation, uses system resources or performs similar behaviors, its identity and permissions must likewise be authenticated and audited. After passing authentication, the server can start, provide services, provide data, provide operations, etc.; after passing the audit, the server can perform resource location, use system resources, and perform access operations on other servers.
It can be seen that the safety access control device of this embodiment breaks with the traditional notion that servers in a distributed network are secure and need no authentication. By authenticating in real time the servers that provide services in the distributed network, it ensures at every moment the legitimacy of the services the servers provide and the validity of the data they provide, effectively avoids the situation of a server being stolen, and satisfies the security requirements of the industrial Internet system, including confidentiality, integrity and non-repudiation of data. The security level reached by the industrial Internet distributed system can thus satisfy systems with high security requirements in the industrial field, including systems with high-level security requirements in fields such as electric power, oil and gas, and traffic. Moreover, users and servers in the industrial Internet need not know the actual storage location of the required object resources; they only need to locate the corresponding server through the unified resource locating platform of the distributed system to obtain the required object resources, so that demands in a distributed environment are met quickly and conveniently.
As an improvement of the above technical solution, the object resources in the distributed system of this embodiment are divided into deployable ("can dispose") object resources and common object resources. A common object resource and the deployable object resource to which it belongs are stored on the same server. Each object resource has a uniquely corresponding resource identifier, which comprises two parts: the identification code of the upper-level deployable object resource to which the object resource belongs, and the identification code of the resource itself. The resource identifiers and storage addresses of deployable object resources are registered with the resource locating module, which further comprises:
a storage submodule, for storing the correspondence between the resource identifiers of deployable object resources and their storage addresses;
a lookup submodule, for determining, from the resource identifier in an access operation request, whether the requested resource is a deployable object resource; if it is a deployable object resource, looking up the storage address of the object resource in the correspondence stored by the storage submodule according to the resource's own identification code part of the resource identifier; if it is a common object resource, looking up the storage address of the object resource in the correspondence stored by the storage submodule according to the upper-level deployable object resource identification code part of the resource identifier;
a feedback submodule, for feeding the found storage address back to the access operation requester, which obtains the required object resource from the server corresponding to the storage address.
That is to say, each server in this system only needs to send the IDs and storage addresses of its deployable ("can dispose") object resources to the resource locating device for registration. When the resource locating module looks up a resource, it first determines whether the resource is a deployable object resource; if it is, the module looks up the storage address of the object resource by the resource's own identification code part; if it is a common object resource, the module looks up the storage address by the upper-level deployable object resource identification code part. The resource requester then obtains the required object resource from the server corresponding to the storage address. For a distributed system containing massive data and many resource types, this resource location technique greatly speeds up resource lookup and location. Because only deployable object resource IDs need to be registered, it also solves the problem of registering large volumes of information resources of many types, lowers the requirements on the system capacity and processing performance of the resource location facility, and effectively prevents the resource location facility from becoming a system bottleneck.
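The audit-then-locate flow and the two-part identifier lookup described above can be sketched as follows; this is an added example, not code from the patent. The identifier layout, role names, operations and server addresses are constructed, a resource is assumed to be deployable exactly when its own code is registered, and the role is assumed to come from a certificate that has already been verified.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import NamedTuple, Optional


class ResourceId(NamedTuple):
    """Two-part resource identifier from the description."""
    parent_code: str  # code of the upper-level deployable resource it belongs to
    own_code: str     # code of the resource itself


class ResourceLocator:
    """Storage, lookup and feedback submodules folded into one class."""

    def __init__(self) -> None:
        # Storage submodule: deployable resource code -> storage address.
        self._registry: dict[str, str] = {}

    def register(self, rid: ResourceId, address: str) -> None:
        # Servers register deployable resources only; common resources never appear here.
        self._registry[rid.own_code] = address

    def registered_count(self) -> int:
        return len(self._registry)

    def locate(self, rid: ResourceId) -> Optional[str]:
        # Assumption: a resource is deployable exactly when its own code is registered.
        if rid.own_code in self._registry:
            return self._registry[rid.own_code]
        # Common resource: it lives on the server of its parent deployable resource.
        return self._registry.get(rid.parent_code)


@dataclass
class AccessRequest:
    subject: str      # user or server name from an already verified certificate
    role: str         # role carried in that certificate
    operation: str
    rid: ResourceId


@dataclass
class AccessControlDevice:
    rights_db: dict[str, set[str]]   # rights database: role -> permitted operations
    locator: ResourceLocator
    audit_log: list[tuple[str, str, str, str]] = field(default_factory=list)

    def audit(self, req: AccessRequest) -> bool:
        # Every decision is recorded, whether the operation is allowed or denied.
        allowed = req.operation in self.rights_db.get(req.role, set())
        self.audit_log.append(
            (req.subject, req.operation, req.rid.own_code, "allow" if allowed else "deny"))
        return allowed

    def handle(self, req: AccessRequest) -> tuple[str, Optional[str]]:
        # The locator is consulted only after the audit passes, so a denied
        # requester learns nothing about where the resource is stored.
        if not self.audit(req):
            return ("denied", None)
        address = self.locator.locate(req.rid)
        return ("located", address) if address else ("not_found", None)


def build_demo() -> AccessControlDevice:
    """Constructed sample data: two deployable resources on two servers."""
    locator = ResourceLocator()
    locator.register(ResourceId("", "STATION-A"), "srv-a.example.internal")
    locator.register(ResourceId("STATION-A", "SUB-01"), "srv-b.example.internal")
    rights = {"operator": {"read", "control"}, "viewer": {"read"}}
    return AccessControlDevice(rights_db=rights, locator=locator)


if __name__ == "__main__":
    dev = build_demo()
    requests = [
        AccessRequest("alice", "operator", "control", ResourceId("SUB-01", "BRK-7")),
        AccessRequest("alice", "operator", "read", ResourceId("STATION-A", "SUB-01")),
        AccessRequest("bob", "viewer", "control", ResourceId("SUB-01", "BRK-7")),
        AccessRequest("bob", "viewer", "read", ResourceId("SUB-99", "BRK-1")),
    ]
    for r in requests:
        print(r.subject, r.operation, r.rid.own_code, "->", dev.handle(r))
    print(dev.audit_log)
```

The registry holds two entries however many common resources such as BRK-7 exist under SUB-01, which is the registration saving the paragraph describes.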
Although the present invention has been illustrated and described with reference to certain preferred embodiments, those of ordinary skill in the art should understand that various changes in form and detail may be made to it without departing from the spirit and scope of the present invention.

Claims (7)

1. An industrial Internet distributed system safety access control device, comprising a network communication port connected to servers or clients in the industrial Internet through an internal private network or a public network, characterized in that it further comprises:
an authentication and authorization module that authenticates the identities and access operation permissions of users and servers; an audit module that audits the access operations of users or servers; and a resource locating module that performs storage location control for the object resources of user or server access operations;
the authentication and authorization module, the audit module and the resource locating module are all connected to the network communication port; the authentication and authorization module receives authentication information from a user client or server through the network communication port and performs authentication and authorization of identity and access operation permissions; the audit module receives access operation information from a user client or server through the network communication port and audits the access operation; the resource locating module is connected to the audit module and, after the access operation information has passed the audit of the audit module, locates the storage location of the object resource of the access operation.
2. The industrial Internet distributed system safety access control device according to claim 1, characterized in that the device further comprises a certificate granting center and a certificate repository that perform basic management operations on digital certificates, the basic management operations including at least certificate issuance, indexing, storage and revocation;
the certificate granting center is connected to the authentication and authorization module; the certificate repository is connected to the certificate granting center and to the authentication and authorization module respectively; while the certificate granting center issues a certificate for a user, a role and permissions are assigned to the user through the authentication and authorization module, the certificate granting center issues to the user a digital certificate containing role information, and the digital certificate is saved in the certificate repository; the authentication and authorization module reads the user's digital certificate from the certificate repository when authenticating the user's identity and access operation permissions.
3. The industrial Internet distributed system safety access control device according to claim 1, characterized in that the device further comprises a resource management module, connected to the resource locating module, which manages and maintains the system's overall component resource library, resource allocation template library, Common Information Model (CIM) pattern description files and CIM model semantic model library.
4. The industrial Internet distributed system safety access control device according to claim 1, characterized in that the object resources in the distributed system are divided into disposable object resources and common object resources; a common object resource and the disposable object resource it belongs to are stored on the same server; each object resource has a unique corresponding resource identifier, and the resource identifier comprises two parts: the identification code of the upper-level disposable object resource that the object resource belongs to, and the resource's own identification code; the resource identifiers and storage addresses of disposable object resources are registered with the resource locating module, and the resource locating module further comprises:
a storage submodule, used to save the correspondence between the resource identifiers and storage addresses of the disposable object resources;
a lookup submodule, used to determine, from the resource identifier in the access operation request, whether the requested resource is a disposable object resource; if it is a disposable object resource, the storage address of the object resource is looked up in the correspondence saved by the storage submodule according to the resource's own identification code part of the resource identifier; if it is a common object resource, the storage address of the object resource is looked up in the correspondence saved by the storage submodule according to the upper-level disposable object resource identification code part of the resource identifier;
a feedback submodule, used to feed the storage address that was found back to the requester of the access operation, which obtains the required object resource from the server corresponding to that storage address.
5. The industrial Internet distributed system safety access control device according to claim 2, characterized in that the device further comprises a rights database, used to save the permission information corresponding to users of different roles;
after verifying the validity of the digital certificate, the authentication and authorization module associates the rights database according to the user name information and role information in the digital certificate, extracts the user's permission information from it, and returns to the user a user interface containing the access operations within the user's permission scope.
6. The industrial Internet distributed system safety access control device according to claim 2, characterized in that the authentication and authorization module is further used to authenticate a server in the industrial Internet when that server performs a behavior; if authentication passes, the server is allowed to perform the behavior; if authentication does not pass, the server is refused permission to perform the behavior;
the server behavior comprises at least one of the following or any combination thereof:
server startup, the server providing a service, the server providing data, the server providing an operation, and the server using system resources.
7. The industrial Internet distributed system safety access control device according to claim 6, characterized in that the certificate granting center is further used to assign digital certificates and keys to the servers in the industrial Internet, bind the information of each server to the digital certificate and key assigned to it, and save them in the certificate repository;
the authentication and authorization module obtains the server's digital certificate from the certificate repository, verifies the server's digital certificate and key, and checks whether the server information bound to the digital certificate matches the server information in said authentication, thereby authenticating the server.
CN201010570979.8A 2010-12-02 2010-12-02 Industrial internet distributed system safety access control device Active CN102487383B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010570979.8A CN102487383B (en) 2010-12-02 2010-12-02 Industrial internet distributed system safety access control device

Publications (2)

Publication Number Publication Date
CN102487383A (en) 2012-06-06
CN102487383B (en) 2015-01-28

Family

ID=46152837

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010570979.8A Active CN102487383B (en) 2010-12-02 2010-12-02 Industrial internet distributed system safety access control device

Country Status (1)

Country Link
CN (1) CN102487383B (en)

Also Published As

Publication number Publication date
CN102487383B (en) 2015-01-28

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: 201203 403d, building 5, No. 3000, Longdong Avenue, Pudong New Area, Shanghai

Patentee after: Shanghai Kelu Software Co.,Ltd.

Address before: 201203 Shanghai city Pudong New Area road 887 Lane 82 Zuchongzhi Building No. two North

Patentee before: Shanghai Kelu Software Co.,Ltd.

CB03 Change of inventor or designer information

Inventor after: Liang Jun

Inventor after: Lin Yuan

Inventor after: Yu Gaoyu

Inventor after: Wang Lei

Inventor before: Liang Jun

Inventor before: Yu Gaoyu

Inventor before: Wang Lei

TR01 Transfer of patent right

Effective date of registration: 20231108

Address after: 201203 north, 2nd floor, No.82, Lane 887, Zuchongzhi Road, Pudong New Area, Shanghai

Patentee after: Shanghai Kelu Software Co.,Ltd.

Patentee after: Shanghai Left Bank Investment Management Co.,Ltd.

Address before: 201203 403D 5, 3000 Longdong Avenue, Pudong New Area, Shanghai.

Patentee before: Shanghai Kelu Software Co.,Ltd.