Secure access control device for an industrial Internet distributed system
Technical field
The present invention relates to a network security access control technique.
Background art
With the rapid development of industrial automation, more and more industrial enterprises use their internal (or dedicated) networks to interconnect their process control equipment or intelligent electronic devices (IEDs), forming production control system networks. Such internal (or dedicated) enterprise networks are referred to as industrial Internets.
Large enterprises such as electric utilities, oil and gas transmission companies and large mining groups whose main business is the development of mineral resources often have subsidiaries distributed across the whole country or even around the world, and an internal network alone cannot meet their needs. As the industrial Internet has developed, it is no longer confined to a single station or city: using the hardware and software facilities of the existing public network (the World Wide Web), two or more industrial Internets are connected so that a central control system supervises and controls all of the sub production control systems, and the sub production control systems can also communicate with one another, forming a larger industrial Internet whose resources can be controlled and used more optimally.
Moreover, to improve system operating efficiency, balance load and improve system robustness, an industrial Internet usually uses a distributed system that provides distributed databases, distributed services and the like, in which different servers in the industrial Internet respectively perform information collection, data storage, information processing, transmission, service provision and so on. The industrial Internet distributed system is an integrated system: the whole system has one overall operating system (the distributed operating system), which is responsible for resource allocation and scheduling, task division, information transmission and control coordination for the entire system (including every computer), and which provides users with a single, standard interface. This distributed operating system is generally located in the central control system of the industrial Internet. With a distributed operating system, a user performs the required operations and uses system resources through the unified interface; on which computer an operation executes, or which computer's resources it uses, is a matter for the system that the user need not know about, that is, the system is transparent to users.
Because the information transmitted in an industrial Internet is internal industrial information and the services provided are internal services, there are high requirements for the security and confidentiality of that information. To ensure security, users, clients and application processes in the industrial Internet must all undergo appropriate identity authentication before obtaining services, data or information. The essence of authentication is the process of confirming whether the authenticated object is genuine and whether it is valid. Cryptographic techniques are generally used: the authenticated object is authenticated with a digital certificate, so as to confirm whether it is genuine and valid.
Only after identity has been verified is a tunnel (VPN) established using the IP address of the place from which the service was requested; the VPN connects to the server that provides the corresponding service, from which the service, data, information and so on are obtained. A VPN, or Virtual Private Network, establishes a temporary, secure connection over a public network (normally the Internet), that is, a secure and stable tunnel through the unordered public network.
However, for an industrial Internet distributed system, authenticating only users, clients and application processes gives a security level that is insufficient for an industrial Internet requiring high security. Furthermore, relying solely on an IP address to establish a VPN as the means of securing communication is likewise insufficient for a distributed system. Existing industrial Internet distributed systems therefore urgently need a network security access control apparatus that suits a distributed environment and can satisfy the high security requirements for data (namely data confidentiality, integrity and non-repudiation).
Summary of the invention
The technical problem mainly solved by the present invention is to provide a secure access control device for an industrial Internet distributed system that protects the security of an industrial Internet using distributed computing technology while meeting the resource location requirements of the industrial Internet in a distributed environment.
To solve the above technical problem, the invention provides a secure access control device for an industrial Internet distributed system comprising a network communication port, connected to the servers or clients in the industrial Internet through an internal private network or a public network, and further comprising:
an authentication and authorization module that authenticates the identity and access operation authority of users and servers, an audit module that audits the access operations of users or servers, and a resource location module that performs storage location control for the object resources accessed by users or servers;
The authentication and authorization module, audit module and resource location module are all connected to the network communication port. The authentication and authorization module receives authentication information from the user client or server through the network communication port and performs authentication and authorization of identity and access operation authority. The audit module receives access operation information from the user client or server through the network communication port and audits the access operation. The resource location module is connected to the audit module and, after the access operation information has passed the audit of the audit module, locates the storage location of the object resource of the access operation.
As an improvement of the above technical scheme, the device further comprises a certificate authority and a certificate repository that perform basic management operations on digital certificates, the basic management operations comprising at least certificate issuance, indexing, storage and revocation;
The certificate authority is connected to the authentication and authorization module, and the certificate repository is connected to the certificate authority and to the authentication and authorization module respectively. In the process of issuing a certificate to a user, the authentication and authorization module assigns the user a role and privileges, the certificate authority issues the user a digital certificate containing the role information, and the digital certificate is kept in the certificate repository. When authenticating a user's identity and access operation authority, the authentication and authorization module reads that user's digital certificate from the certificate repository.
As an improvement of the above technical scheme, the device further comprises a resource management module connected to the resource location module, which manages and uses the system-wide component repository, resource allocation template library, Common Information Model (CIM) schema description files and CIM semantic model library.
As an improvement of the above technical scheme, the object resources in the distributed system are divided into deployable object resources and ordinary object resources, and an ordinary object resource is stored on the same server as the deployable object resource to which it belongs. Each object resource has a unique corresponding resource identifier, which consists of two parts: the identification code of the upper-level deployable object resource to which this object resource belongs, and the identification code of this resource itself. The resource identifiers and storage addresses of the deployable object resources are registered in the resource location module, which further comprises:
a storage submodule that stores the correspondence between the resource identifiers and the storage addresses of the deployable object resources;
a lookup submodule that, according to the resource identifier in the access operation request, determines whether the requested resource is a deployable object resource; if it is a deployable object resource, it looks up the storage address of the object resource in the correspondence kept by the storage submodule using the resource's own identification code part of the identifier; if it is an ordinary object resource, it looks up the storage address of the object resource in that correspondence using the upper-level deployable object resource identification code part of the identifier;
a feedback submodule that returns the found storage address to the requester of the access operation, which then obtains the required object resource from the server corresponding to that storage address.
As an improvement of the above technical scheme, the device further comprises a rights database storing the authority information corresponding to users of different roles;
After verifying the validity of the digital certificate, the authentication and authorization module associates the username information and role information in the digital certificate with the rights database, extracts the user's authority information from it, and returns to the user a user interface containing the access operations within the user's scope of authority.
As an improvement of the above technical scheme, the authentication and authorization module is also used, when a server in the industrial Internet is about to perform a behaviour, to authenticate that server: if authentication passes, the server is allowed to perform the behaviour; if authentication fails, the server is refused permission to perform it;
The server behaviour comprises at least one of the following, or any combination thereof:
server startup, the server providing a service, the server providing data, the server providing an operation, and the server using system resources.
As an improvement of the above technical scheme, the certificate authority is also used to assign digital certificates and keys to the servers in the industrial Internet, to bind the server's information to the assigned digital certificate and key, and to save them in the certificate repository;
The authentication and authorization module obtains the server's digital certificate from the certificate repository, verifies the server's digital certificate and key, and checks whether the server information bound to the digital certificate matches the server information in the authentication request, thereby authenticating the server.
Compared with the prior art, the main differences and effects of the embodiments of the present invention are as follows. A secure access control device suited to a distributed environment is provided for the industrial Internet; it brings together, in one apparatus, a module that authenticates and authorizes the identity and access operation authority of users and servers, a module that audits the access operations of users or servers, and a module that performs unified resource location for the object resources accessed by users and servers. This effectively ensures the security of the identity, and the validity of the authority, of the users or servers that access the industrial Internet distributed system and obtain information or services. Moreover, users and servers in the industrial Internet need not know the actual storage location of the required object resource: through the unified resource location platform of the distributed system they can locate the corresponding server and obtain the required object resource, which is fast and convenient to implement and meets the requirements of a distributed environment.
As a further improvement, the object resources in the distributed system are divided into deployable object resources and ordinary object resources stored on the various distributed servers, with an ordinary object resource stored on the same server as the deployable object resource to which it belongs. Each object resource has a resource ID consisting of two parts: the identification code of the upper-level deployable object resource to which it belongs, and the identification code of the object resource itself. Only the IDs and storage addresses of the deployable object resources are sent to the resource location facility for registration. When the resource location module looks up a resource, it first determines whether it is a deployable object resource; if so, it looks up the object resource's storage address by the resource's own identification code part; if it is an ordinary object resource, it looks up the storage address by the upper-level deployable object resource identification code part. The requester then obtains the required object resource from the server corresponding to the storage address. For a distributed system containing large amounts of data and many resource types, this resource location method greatly accelerates resource lookup and location; and because only the IDs of deployable object resources need to be registered, the problem of registering large volumes of multi-type information resources is solved, the requirements on the system capacity and processing performance of the resource location facility are reduced, and the resource location facility is effectively prevented from becoming a system bottleneck.
In addition, the present invention abandons the traditional notion that a server in a distributed network is safe and needs no identity authentication. By authenticating in real time the identity of the servers that provide services in the distributed network, the legitimacy of the services a server provides and the validity of the data it provides are guaranteed at every moment, the situation where a server is misappropriated is effectively avoided, and the security requirements of users, including data confidentiality, integrity and non-repudiation, are met. The security level reached by the distributed network can satisfy systems with high security requirements such as the industrial Internet, including the high-level security requirements of users in industrial fields such as electric power, oil and gas, and transportation.
Brief description of the drawings
The present invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1 is a schematic diagram of the connection structure between the secure access control device and the servers/clients of the distributed system in a preferred embodiment of the present invention;
Fig. 2 is a structural diagram of the industrial Internet distributed system secure access control device in a preferred embodiment of the present invention.
Embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
A preferred embodiment of the present invention relates to a secure access control device for an industrial Internet distributed system that serves as the security control mechanism and distributed platform of the industrial Internet distributed system. It comprises a network communication port and is connected, directly or indirectly, to all servers and clients in the industrial Internet through a dedicated network (internal network) or a public network. These servers may lie in different regions of the industrial Internet and implement different services and operations; for example, the servers may be distributed across primary master stations, secondary master stations and even substations in different regions. A client can connect to the device from any region over the network, as shown in Fig. 1.
In this embodiment, a client performs identity authentication through the device, logs in to the distributed system, determines its own authority, locates the object resources it needs to access (within its scope of authority), and finally obtains the required service within that scope. A server likewise performs identity authentication through the device, logs in to the distributed system, determines its own authority, obtains within its scope of authority the object resources it needs through location by the device, and provides services to users within that scope. In addition to authenticating and authorizing the identity and authority of clients and servers, the secure access control device, after it has completed resource location for the user or server and the connection to the located server, further audits each operation of the user and server to ensure that the service obtained by every operation it performs lies within its scope of authority. Through this multi-faceted, multi-layer authentication and audit mechanism, the safety and stability of the industrial Internet distributed system are ensured.
Specifically, the secure access control device of this embodiment mainly comprises: an authentication and authorization module that authenticates the identity and access operation authority of users and servers, an audit module that audits the access operations of users or servers, and a resource location module that performs storage location control for the object resources accessed by users or servers, as shown in Fig. 2.
The authentication and authorization module, audit module and resource location module are all connected to the network communication port. The authentication and authorization module receives authentication information from the user client or server through the network communication port and performs authentication and authorization of identity and access operation authority. The audit module receives access operation information from the user client or server through the network communication port and audits the access operation. The resource location module is connected to the audit module and, after the access operation information has passed the audit of the audit module, locates the storage location of the object resource of the access operation. The audit module may invoke the authentication and authorization module to authenticate the identity and authority of the client/server performing the access operation and so determine whether the access operation is legitimate; it may also authenticate the identity and authority of the client/server directly to determine whether the access operation is legitimate.
The secure access control device further comprises a certificate authority and a certificate repository that perform basic management operations on digital certificates; the basic management operations comprise at least certificate issuance, indexing, storage and revocation.
The certificate authority is connected to the authentication and authorization module, and the certificate repository is connected to the certificate authority and to the authentication and authorization module respectively. In the process of issuing a certificate to a user, the authentication and authorization module assigns the user a role and privileges, the certificate authority issues the user a digital certificate containing the role information, and the digital certificate is kept in the certificate repository. When authenticating a user's identity and access operation authority, the authentication and authorization module reads that user's digital certificate from the certificate repository.
The device further comprises a resource management module connected to the resource location module, which manages and uses the system-wide component repository, resource allocation template library, Common Information Model ("CIM" for short) schema description files and CIM semantic model library.
The device further comprises a rights database storing the authority information corresponding to users of different roles;
After verifying the validity of the digital certificate, the authentication and authorization module associates the username information and role information in the digital certificate with the rights database, extracts the user's authority information from it, and returns to the user a user interface containing the access operations within the user's scope of authority.
As an improvement of the above technical scheme, the authentication and authorization module is also used, when a server in the industrial Internet is about to perform a behaviour, to authenticate that server: if authentication passes, the server is allowed to perform the behaviour; if authentication fails, the server is refused permission to perform it. Server behaviours comprise at least: server startup, the server providing a service, the server providing data, the server providing an operation, and the server using system resources.
Correspondingly, the certificate authority can also be used to assign digital certificates and keys to the servers in the industrial Internet, to bind the server's information to the assigned digital certificate and key, and to save them in the certificate repository. The authentication and authorization module obtains the server's digital certificate from the certificate repository, verifies the server's digital certificate and key, and checks whether the server information bound to the digital certificate matches the server information in the authentication request, thereby authenticating the server.
In summary, in this embodiment a user who wants to access a service in the industrial Internet must first log in to the industrial Internet distributed system secure access control device; the authentication and authorization module authenticates the user's identity, determines the user's authority, and returns to the user a user interface corresponding to that authority (the user interface contains only the operations this user is permitted to perform). When the user needs to perform a specific access operation through the client, the audit module further audits the user's authority for that access operation: if the audit passes, the user is allowed to perform the access operation; if the audit fails, the access operation is forbidden, ensuring system security. Moreover, the user need not know which server the requested service is located on. Whatever access operation the user needs to perform, the user only needs to make the request to the secure access control device; the resource location module performs resource location for the user and determines where the object resource corresponding to the required service is, and according to the result returned by the resource location module the user finds the corresponding server and obtains the service.
Besides the identity and authority authentication and auditing at the user level, a server at the server level likewise needs to undergo identity and authority authentication. When a server starts, provides a service, provides data, provides an operation or uses system resources, its identity and authority must likewise be authenticated and audited. Only after passing identity authentication can the server start, provide services, provide data, provide operations and so on; and only after passing the audit can the server perform resource location, use system resources, and perform access operations on other servers.
It can be seen that the secure access control device of this embodiment abandons the traditional notion that a server in a distributed network is safe and needs no identity authentication. By authenticating in real time the identity of the servers that provide services in the distributed network, the legitimacy of the services a server provides and the validity of the data it provides are guaranteed at every moment, the situation where a server is misappropriated is effectively avoided, and the security requirements of the industrial Internet system, including data confidentiality, integrity and non-repudiation, are met; the security level reached by the industrial Internet distributed system can satisfy systems with high security requirements in industrial fields, including systems with high-level security requirements in electric power, oil and gas, transportation and other industrial fields. Furthermore, users and servers in the industrial Internet need not know the actual storage location of the required object resource: through the unified resource location platform of the distributed system they can locate the corresponding server and obtain the required object resource, which is fast and convenient to implement and meets the requirements of a distributed environment.
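The certificate issuance, role-based rights lookup, operation audit and server authentication described above, as an added worked example that is not the patent's own code. Assumptions not in the text: certificates are signed with an HMAC key standing in for the certificate authority's key pair, the rights database is a dictionary from role to permitted operations, and server information is bound as sorted key/value pairs; all names, roles and addresses are constructed sample data.

```python
import hashlib, hmac, json
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple
Info = Tuple[Tuple[str, str], ...]  # server info bound to a certificate, as sorted pairs

@dataclass(frozen=True)
class Certificate:
    subject: str      # username or server name
    role: str         # role information carried in the certificate
    bound_info: Info  # server information bound to the certificate (empty for users)
    signature: str    # CA signature over the three fields above

class CertificateAuthority:
    """Issues, stores, indexes and revokes certificates; `repository` is the certificate repository."""
    def __init__(self, ca_key: bytes) -> None:
        self._key = ca_key  # assumption: an HMAC key stands in for the CA signing key pair
        self.repository: Dict[str, Certificate] = {}  # indexed by subject name
        self._revoked: set = set()

    def _sign(self, subject: str, role: str, bound_info: Info) -> str:
        payload = json.dumps([subject, role, bound_info]).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue(self, subject: str, role: str, info: Optional[Dict[str, str]] = None) -> Certificate:
        bound = tuple(sorted((info or {}).items()))
        cert = Certificate(subject, role, bound, self._sign(subject, role, bound))
        self.repository[subject] = cert
        return cert

    def revoke(self, subject: str) -> None:
        self._revoked.add(subject)

    def verify(self, cert: Certificate) -> bool:
        """Valid only if unrevoked and the signature matches the certificate fields."""
        if cert.subject in self._revoked:
            return False
        expected = self._sign(cert.subject, cert.role, cert.bound_info)
        return hmac.compare_digest(cert.signature, expected)

# Server behaviours that each require the server to be authenticated first.
SERVER_BEHAVIOURS = frozenset({"start", "provide_service", "provide_data",
                               "provide_operation", "use_system_resource"})

class AuthModule:
    """Authentication and authorization module backed by the CA and the rights database."""
    def __init__(self, ca: CertificateAuthority, rights_db: Dict[str, FrozenSet[str]]) -> None:
        self.ca, self.rights_db = ca, rights_db

    def authenticate_user(self, username: str) -> Optional[FrozenSet[str]]:
        """Returns the operations permitted to the user's role, or None if authentication fails."""
        cert = self.ca.repository.get(username)
        if cert is None or not self.ca.verify(cert):
            return None
        return self.rights_db.get(cert.role, frozenset())

    def authenticate_server(self, name: str, presented: Dict[str, str]) -> bool:
        """The server info bound to the certificate must match the info in the request."""
        cert = self.ca.repository.get(name)
        return (cert is not None and self.ca.verify(cert)
                and cert.bound_info == tuple(sorted(presented.items())))

    def allow_server_behaviour(self, name: str, behaviour: str, presented: Dict[str, str]) -> bool:
        return behaviour in SERVER_BEHAVIOURS and self.authenticate_server(name, presented)

class AuditModule:
    def __init__(self, auth: AuthModule) -> None:
        self.auth = auth

    def audit(self, username: str, operation: str) -> bool:
        """Audits one access operation by invoking the authentication and authorization module."""
        allowed = self.auth.authenticate_user(username)
        return allowed is not None and operation in allowed

def build_demo() -> Tuple[CertificateAuthority, AuthModule, AuditModule]:
    """Constructed sample data: two user roles and one server, all hypothetical."""
    rights_db = {"operator": frozenset({"read_measurement", "set_point"}),
                 "viewer": frozenset({"read_measurement"})}
    ca = CertificateAuthority(b"demo-ca-key")  # constructed key, not a real secret
    ca.issue("alice", "operator")
    ca.issue("bob", "viewer")
    ca.issue("rtu-01", "server", {"address": "10.0.0.7", "station": "substation-A"})
    auth = AuthModule(ca, rights_db)
    return ca, auth, AuditModule(auth)
```

A tampered certificate (role field changed after issuance) fails verification, and a revoked user is refused by both the authentication module and the audit module.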
As an improvement of the above technical scheme, in the distributed system of this embodiment the object resources are divided into deployable object resources and ordinary object resources, and an ordinary object resource is stored on the same server as the deployable object resource to which it belongs. Each object resource has a unique corresponding resource identifier, which consists of two parts: the identification code of the upper-level deployable object resource to which this object resource belongs, and the identification code of this resource itself. The resource identifiers and storage addresses of the deployable object resources are registered in the resource location module, which further comprises:
a storage submodule that stores the correspondence between the resource identifiers and the storage addresses of the deployable object resources;
a lookup submodule that, according to the resource identifier in the access operation request, determines whether the requested resource is a deployable object resource; if it is a deployable object resource, it looks up the storage address of the object resource in the correspondence kept by the storage submodule using the resource's own identification code part of the identifier; if it is an ordinary object resource, it looks up the storage address of the object resource in that correspondence using the upper-level deployable object resource identification code part of the identifier;
a feedback submodule that returns the found storage address to the requester of the access operation, which then obtains the required object resource from the server corresponding to that storage address.
That is, in this system each server only needs to send the IDs and storage addresses of its deployable object resources to the resource location facility for registration. When the resource location module looks up a resource, it first determines whether it is a deployable object resource; if so, it looks up the object resource's storage address by the resource's own identification code part; if it is an ordinary object resource, it looks up the storage address by the upper-level deployable object resource identification code part. The requester then obtains the required object resource from the server corresponding to the storage address. For a distributed system containing large amounts of data and many resource types, this resource location technique greatly accelerates resource lookup and location; and because only the IDs of deployable object resources need to be registered, the problem of registering large volumes of multi-type information resources is solved, the requirements on the system capacity and processing performance of the resource location facility are reduced, and the resource location facility is effectively prevented from becoming a system bottleneck.
Although the present invention has been illustrated and described with reference to certain preferred embodiments, those of ordinary skill in the art will understand that various changes in form and detail may be made without departing from the spirit and scope of the present invention.
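The two-part resource identifier and the storage, lookup and feedback submodules described above (in both the claims and the embodiment), as an added worked example that is not the patent's own code. Assumptions not in the text: a deployable object resource is marked by an explicit flag and has an empty upper-level code, storage addresses are plain server names, and the servers and their contents are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class ResourceId:
    """Two-part resource identifier: upper-level deployable code plus own code."""
    parent_code: str   # identification code of the upper-level deployable object resource
    own_code: str      # this object resource's own identification code
    deployable: bool   # assumption: an explicit flag marks deployable object resources

class ResourceLocationModule:
    """Storage, lookup and feedback submodules of the resource location module."""
    def __init__(self) -> None:
        # storage submodule: deployable resource code -> storage address (server)
        self._addresses: Dict[str, str] = {}

    def register(self, rid: ResourceId, address: str) -> None:
        """Servers register only their deployable object resources."""
        if not rid.deployable:
            raise ValueError("ordinary object resources are not registered")
        self._addresses[rid.own_code] = address

    def lookup(self, rid: ResourceId) -> Optional[str]:
        """Lookup submodule: key on the own code for a deployable resource, on the
        upper-level code for an ordinary one (it is stored with its parent)."""
        key = rid.own_code if rid.deployable else rid.parent_code
        return self._addresses.get(key)

    def feedback(self, rid: ResourceId, audit_passed: bool) -> Optional[str]:
        """Feedback submodule: an address is returned only after the audit passed."""
        return self.lookup(rid) if audit_passed else None

# Constructed stand-in for the distributed servers: address -> {resource id -> content}.
Servers = Dict[str, Dict[ResourceId, str]]

def obtain(module: ResourceLocationModule, servers: Servers, rid: ResourceId,
           audit_passed: bool = True) -> Optional[str]:
    """What the requesting party does with the fed-back address."""
    address = module.feedback(rid, audit_passed)
    if address is None:
        return None
    return servers.get(address, {}).get(rid)

def build_demo() -> Tuple[ResourceLocationModule, Servers]:
    """Constructed sample: two deployable resources on two servers, ordinary ones beneath them."""
    sub_a = ResourceId("", "SUB-A", True)
    sub_b = ResourceId("", "SUB-B", True)
    meas = ResourceId("SUB-A", "MEAS-01", False)    # stored together with SUB-A
    alarm = ResourceId("SUB-B", "ALARM-07", False)  # stored together with SUB-B
    servers: Servers = {
        "server-A": {sub_a: "SUB-A config", meas: "voltage 110.2"},
        "server-B": {sub_b: "SUB-B config", alarm: "breaker trip"},
    }
    module = ResourceLocationModule()
    module.register(sub_a, "server-A")  # only the deployable resources are registered
    module.register(sub_b, "server-B")
    return module, servers
```

The registry holds two entries although the servers hold four resources, which is the registration saving the text describes; an ordinary resource whose upper-level code is unknown resolves to no address.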