CN107451435B - Management and control method, management and control machine and management and control system of hardware encryption machine - Google Patents
Management and control method, management and control machine and management and control system of hardware encryption machine Download PDFInfo
- Publication number
- CN107451435B CN107451435B CN201610371292.9A CN201610371292A CN107451435B CN 107451435 B CN107451435 B CN 107451435B CN 201610371292 A CN201610371292 A CN 201610371292A CN 107451435 B CN107451435 B CN 107451435B
- Authority
- CN
- China
- Prior art keywords
- management
- api
- instruction
- management instruction
- hsm
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/54—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Abstract
The present disclosure relates to the field of computer security, and in particular, to a management and control method, a management and control machine, and a management and control system for a hardware encryption machine. The method is used for improving the management efficiency and the operation and maintenance safety of the hardware encryption machine. The method comprises the following steps: an API layer is abstracted from the management and control system and used for shielding the difference of all HSMs so as to realize the uniform management of the HSMs, and a manager can send a management instruction to a target HSM only by inputting the management instruction in a uniform operation interface and calling at least one API matched with the instruction type of the management instruction through the management and control system. Therefore, differential operation and maintenance management does not need to be carried out on different target HSMs, the management efficiency of the HSMs is effectively improved, and the operation and maintenance safety is improved.
Description
Technical Field
The present disclosure relates to the field of computer security, and in particular, to a management and control method, a management and control machine, and a management and control system for a hardware encryption machine.
Background
In the prior art, in order to improve the Security of user data, a Hardware Security Module (HSM) technology is widely used.
The traditional operation and maintenance management of the HSM is generally completed through a linux command line or a graphical interface tool customized by a manufacturer, and the operation and maintenance management must be manually completed by an administrator with professional knowledge. For example, the administrator accesses the terminal device to the designated HSM through the network, and completes the operation and maintenance of the HSM by inputting a linux command or operating a terminal interface tool.
However, the conventional HSM conventional operation and maintenance management has the following defects:
1. the operation process is extremely complex, errors are easy to occur, and the requirement on professional quality of administrators is high.
2. The management efficiency is low, and the administrator needs to manage one HSM and one HSM.
3. The administrator directly operates the target HSM, has the highest authority, and the data security cannot be guaranteed.
The above-mentioned drawbacks result in the HSM providing a quality, secure and low-cost service to customers.
Disclosure of Invention
The embodiment of the application provides a management and control method, a management and control machine and a management and control system of a hardware encryption machine, which are used for improving the efficiency and the safety of the hardware encryption machine.
The embodiment of the application provides the following specific technical scheme:
an HSM management and control machine comprising:
and the interface layer is provided with at least one API, and is provided with a mapping relation between the instruction type of the management instruction and the API, wherein one API at least defines one communication specification of the HSM.
A management and control system of HSM comprises:
the input and output module is used for receiving a management instruction; a matching module for determining a target HSM based on the management instruction; the interface module is used for determining at least one API corresponding to a preset management instruction based on the mapping relation between the instruction type of the management instruction and the API, and sending the management instruction to the target HSM through the at least one API; wherein an API defines at least one communication specification for the HSM.
Optionally, the interface module is further configured to: presetting a mapping relation between an instruction type of a management instruction and an API (application program interface), and specifically comprising the following steps: respectively configuring at least one corresponding API aiming at each instruction type of the management instruction in advance; respectively establishing a mapping relation between each instruction type and the corresponding identification information of at least one API; or respectively establishing a mapping relation between each instruction type and the calling address of the corresponding at least one API.
Optionally, after receiving the management instruction and before sending the management instruction to the target HSM, the matching module is further configured to: and performing authority verification based on the identity information carried by the management instruction, and determining that the authority verification is passed.
Optionally, when receiving a management instruction and determining the target HSM based on the management instruction, the matching module is configured to: determining a corresponding target HSM based on the identification information of the target HSM carried by the management instruction; or, determining a corresponding target HSM based on the index information of the target HSM carried by the management instruction; or, based on a binding relationship preset corresponding to the management instruction, determining a corresponding target HSM.
Optionally, when the management instruction is sent to the target HSM through an API, the interface module is configured to: determining a protocol format agreed with the target HSM, wherein the protocol format conforms to the AIP-defined communication specification; and calling the API, generating a message carrying the management instruction based on the protocol format, and sending the message carrying the management instruction to the target HSM.
Optionally, further comprising: and the execution module is used for generating a message carrying the management instruction based on the protocol format according to the scheduling of the API, and then sending the message carrying the management instruction to the target HSM.
Optionally, the interface module is further configured to: and receiving a message which is returned by the target HSM and carries a response message, analyzing the message based on the protocol format, extracting the response message, and sending the response message to the management terminal through the API.
Optionally, further comprising: and the execution module is used for receiving a message which is returned by the target HSM and carries a response message, analyzing the message based on the protocol format and extracting the response message.
A management and control method of HSM comprises the following steps:
receiving a management instruction, and determining a target HSM based on the management instruction; determining at least one API corresponding to a preset management instruction based on a mapping relation between the instruction type of the management instruction and the API; wherein an API defines at least one communication specification for the HSM; sending the management instructions to the target HSM through the at least one API.
Optionally, the preset mapping relationship between the instruction type of the management instruction and the API includes: respectively configuring at least one corresponding API aiming at each instruction type of the management instruction in advance; respectively establishing a mapping relation between each instruction type and the corresponding identification information of at least one API; or respectively establishing a mapping relation between each instruction type and the calling address of the corresponding at least one API.
Optionally, after receiving the management instruction, before sending the management instruction to the target HSM, the method further includes: and performing authority verification based on the identity information carried by the management instruction, and determining that the authority verification is passed.
Optionally, receiving a management instruction, and determining a target HSM based on the management instruction includes: determining a corresponding target HSM based on the identification information of the target HSM carried by the management instruction; or, determining a corresponding target HSM based on the index information of the target HSM carried by the management instruction; or, based on a binding relationship preset corresponding to the management instruction, determining a corresponding target HSM.
Optionally, sending the management instruction to the target HSM through an API, including: determining a protocol format agreed with the target HSM, wherein the protocol format conforms to the AIP defined communication specification; and calling the API, generating a message carrying the management instruction based on the protocol format, and sending the message carrying the management instruction to the target HSM.
Optionally, the instruction type of the management instruction includes, but is not limited to, any one of the following types: initialization instructions, upgrade instructions, downgrade instructions, copy instructions, clone instructions, backup instructions, restore instructions.
Optionally, further comprising: and receiving a message carrying a response message returned by the target HSM, analyzing the message carrying the response message based on the protocol format, extracting the response message, and sending the response message to a management terminal through the API.
In the embodiment of the application, the management personnel can send the management instruction to the target HSM only by inputting the management instruction in the unified operation interface and calling the API matched with the instruction type of the management instruction through the management system. Therefore, differential operation and maintenance management does not need to be carried out on different target HSMs, the management efficiency of the HSMs is effectively improved, and the operation and maintenance cost is reduced.
Drawings
Fig. 1 is a schematic diagram of an HSM management method in an embodiment of the present application;
fig. 2 is a flow chart of HSM management in an embodiment of the present application;
fig. 3 is a functional structure diagram of a management and control system in an embodiment of the present application.
Detailed Description
In order to improve the management efficiency of the hardware encryption machine and reduce the operation and maintenance cost, in the embodiment of the application, an interface layer is abstracted for all the HSMs in the management and control system, the difference between the HSMs of different manufacturers is shielded through the interface layer, and the operation and maintenance management of the HSMs is unified. The interface layer provides a programmable interface externally, and the management and control system realizes the automatic operation and maintenance management of the HSM by calling the interface layer.
Preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Referring to fig. 1, in the embodiment of the present Application, an Interface layer is redefined in the management and control system, and the Interface layer includes a set of all-purpose Application Programming Interfaces (APIs) defined by a Software Development Kit (SDK), where the set of APIs includes an API set for implementing a series of HSM management operations. Among them, the so-called HSM management operations include initialization operations, upgrade operations, copy operations, clone operations, backup operations, restore operations, and the like. The so-called API defines the field content that the management command needs to carry and the field content that needs to carry in the returned response message, and the specific service implementation is not completed by the API, but by the execution module corresponding to each HSM.
In short, as shown in fig. 1, the above can also be understood as follows: redesigning a management controller, redefining an interface layer in the management machine, arranging at least one API in the interface layer, and arranging a mapping relation between an instruction type of a management instruction (namely HSM management operation) and the API, wherein one API at least defines a communication specification of the HSM.
For example, referring to table 1, in the embodiment of the present application, a set of API interfaces defined in the API layer is as follows:
as shown in table 1, API 1 implements an API interface used in initialization operation:
TABLE 1
As shown in fig. 1, the management and control system may call different execution modules (also called SDK implementation) through an interface layer, the different SDKs implement HSMs corresponding to different manufacturers, and specific logic executed by each SDK implementation is autonomously developed by each manufacturer and is pre-installed in the management and control system. One SDK implementation is mainly used for completing information interaction with the corresponding HSM according to a protocol format specified by a corresponding manufacturer, so that the sending of a management instruction and the receiving of a response message are completed.
Therefore, the difference between the HSMs can be shielded through the interface layer, so that the HSMs of different manufacturers can be brought into the management and control system for unified scheduling management.
Referring to fig. 2, in the embodiment of the present application, a specific process of HSM management is as follows:
step 200: the management and control system receives a management instruction sent by a management end.
Specifically, the instruction type of the management instruction may be various, including but not limited to any one of the following instructions: initialization instructions, upgrade instructions, downgrade instructions, copy instructions, clone instructions, backup instructions, restore instructions.
In the subsequent process, the management and control system may determine which API to call according to the instruction type of the management instruction.
Further, the management instruction also carries identification information of the target HSM, or index information of the target HSM, or a preset binding relationship between the management instruction and the target HSM, and in a subsequent process, the management and control system may further determine which execution module to continue to be called through the called API (also called SDK implementation) based on the information carried in the management instruction.
Optionally, as shown in fig. 2, an input/output module in the management and control system may receive a management instruction sent by the management end.
Step 201: and the management and control system carries out authority verification on the management end based on the management instruction and determines that the management end passes the authority verification.
Because the management terminal can be operated manually or automatically by the device, in order to avoid hacker intrusion caused by permission information leakage, the management and control system needs to perform permission verification on the management terminal based on the identity information of the management terminal carried by the management instruction, and perform subsequent operation after the management terminal is determined to pass the permission verification.
Optionally, as shown in fig. 2, the permission verification process may be completed by a matching module in the management and control system.
Of course, the management and control system may not perform the permission verification immediately after receiving the management instruction, and only needs to complete the permission verification before sending the management instruction to the target HSM.
Step 202: and the management and control system records logs.
Specifically, the management and control system can record the identity information, the authority verification result and the received management instruction of the management end in a log file through the matching module, and the management and control system is used for later-stage system operation and maintenance.
Alternatively, as shown in fig. 2, the matching module in the management and control system may complete the operation related to logging.
Step 203: and the management and control system calls a corresponding API based on the instruction type of the management instruction.
Optionally, an API defines a communication specification with the target HSM under one instruction type; for example, the field content carried in the message sent to the target HSM and the field content carried in the response message returned by the target HSM are defined. Therefore, when the management system receives management instructions of different instruction types, the APIs required to be called are different.
In this embodiment, the management and control system may respectively configure at least one corresponding API for each instruction type of the management instruction in advance, specifically, may preset a mapping relationship between the instruction type and the identification information of the API, or may also preset a mapping relationship between the instruction type and a call address of the API, so that the management and control system may find the corresponding API in time corresponding to the instruction type of the currently received management instruction based on the mapping relationship.
For example, assuming that the instruction type of the management instruction is an initialization instruction, the management and control system determines that the API to be called is API 1 according to the mapping relationship.
Another example is: assuming that the instruction type of the management instruction is a backup instruction, the management and control system determines that the API to be called is API 4 according to the mapping relationship.
Etc., no more than by way of example.
Of course, the management and control system may also determine a plurality of corresponding APIs corresponding to the instruction type of the currently received management instruction, and respectively call the corresponding target HSM by using each API.
Alternatively, as shown in fig. 2, the API call operation may be completed by an interface module located at an interface layer in the management system.
Step 204: the management and control system further calls an execution module set corresponding to the target HSM through the called API.
In this embodiment, the execution modules are configured corresponding to different manufacturers, and one execution module may implement all business logic required by the corresponding manufacturer, such as initialization operation, copy operation, backup operation, and the like.
Since the APIs are distinguished based on the instruction types, any one API (hereinafter referred to as API X) may call all execution modules to perform the related operations required by the instruction type corresponding to API X for different vendors.
Since the management and control system determines the target HSM in step 200 based on the relevant information (e.g., the identification information of the target HSM, or the index information of the target HSM, or the binding relationship between the management instruction and the target HSM) carried in the management instruction, in step 204, the management and control system may identify which execution module should be called based on the target HSM.
Specifically, an API defines a communication specification with the target HSM under a corresponding instruction type, for example, field contents carried in a message sent to the target HSM and field contents carried in a response message returned by the target HSM, but a specific implementation manner is not specified, and specific implementation operations are all completed by corresponding execution modules. Therefore, when the management and control system calls the corresponding execution module through the API and sends the management instruction to the execution module, it is necessary to ensure that the content of the management instruction conforms to the communication specification defined by the API.
Optionally, as shown in fig. 2, the interface module in the management and control system may complete the selection of the execution module, and send the management instruction to the execution module.
Step 205: the management and control system sends the management instruction to the target HSM through the called execution module.
Specifically, as shown in fig. 2, the execution module needs to generate a message carrying a management instruction according to a protocol format agreed with the target HSM, and then send the message carrying the management instruction to the target HSM.
Since any target HSM and corresponding execution module are developed by the same vendor, what protocol format is used for communication between a target HSM and a corresponding execution module can be configured by the corresponding vendor, but the communication specification defined by the API called for implementation must be met.
For example, the management and control system calls the execution module X to communicate with the target HSM X through the API 1, and then when the execution module X interacts with the HSM X, the protocol format 1 used by the execution module X may be defined by itself, but needs to conform to the communication specification defined by the API 1.
For example, the management and control system calls the execution module X to communicate with the target HSM X through the API 2, so that the protocol format 2 used by the execution module X when interacting with the HSM X may be defined by itself, but needs to conform to the communication specification defined by the API 2.
It can be seen that the API only defines the communication specification, but the specific implementation process is still completed by each execution module, because different execution modules are developed by different manufacturers, even if two different execution modules are called through the same API, the protocol formats adopted when the two execution modules interact with the respective corresponding target HSMs may be different, and details are not repeated here.
The management and control API 1 is realized by using Java language, and defines a Java Interface which comprises all operation methods of HSM.
When the execution module X1 developed by the vendor a implements Java Interface, the data communication format (i.e., protocol format) adopted between the execution module X1 and the target HSM X1 is json, and then all the interactive management instructions and response messages between the execution module X1 and the target HSM X1 are encapsulated based on json.
When the execution module X2 developed by the vendor B implements Java Interface, the data communication format used between the execution module X2 and the target HSMX2 is xml, and then all the interactive management instructions and response messages between the execution module X2 and the target HSM X2 are encapsulated based on xml.
Further, the execution module may be disposed inside the management and control system, or may be independent of the management and control system and the HSM, and exists as a single device, and fig. 2 only describes that the execution module is located inside the management and control system as an example.
As can be seen from step 205, the important point of the embodiment of the present application is API management of the HSM, and the biggest difference from the conventional method is that the operation and maintenance management of the HSM is completely completed by the management and control system through the API.
On the other hand, in practical application, with further development of technology, if the functions of the API and the execution module implement an integrated layout, that is, different APIs include the function of the execution module, the API may also complete the encapsulation, sending, receiving, and parsing of the message according to the corresponding protocol format, which is not described in detail herein.
Step 206: the target HSM receives and executes the management instructions.
In general, the HSM includes a key storage chip and an encryption/decryption operation chip, the encryption storage chip is used for storing the key of the client, the encryption/decryption operation chip is used for performing encryption/decryption processing on the key of the client, and the management instruction can be used for managing data in these chips, such as initialization, copy, clone, backup, and the like.
The key usage and encryption/decryption method belong to the service operation category, and the embodiment of the present invention introduces the relevant operations in the operation and maintenance management stage, and therefore, the details are not described again.
Step 207: and the target HSM returns a message carrying a response message to a corresponding execution module in the management and control system, wherein the response message carries an execution result of the management instruction.
Because the target HSM module and the corresponding execution module communicate with each other in a protocol format configured by a manufacturer, after receiving a message carrying a response message, the execution module needs to parse the message and extract the response message that can be identified by the management and control system.
Step 208: and an execution module in the management and control system sends the response message obtained by analysis to a local input and output module.
Specifically, when the execution module in the management and control system sends the response message returned by the target HSM to the local input/output module through the corresponding API, it is necessary to ensure that the content of the response message conforms to the communication specification defined by the API.
Step 209: and the management and control system performs log recording corresponding to the response message.
As shown in fig. 2, corresponding to the log content recorded in step 202, the matching module in the management and control system continues to record the execution result of the management instruction, so as to ensure the integrity of the log data.
Step 210: and the management and control system returns the execution result of the management instruction to the management terminal based on the received response message.
In the embodiment of the application, an interface layer is abstracted to realize the operation and maintenance management of the HSM, the difference between HSMs of different manufacturers is shielded, and the HSM is independent of a certain specific language or software and hardware and can be realized under any software and hardware environment.
Obviously, by adopting the technical scheme provided by the application, the target HSM is guaranteed to be uniformly scheduled and managed in the cloud environment, and the reusable data security service is provided for the client.
Referring to fig. 3, in the embodiment of the present application, the management and control system at least includes an input/output module 30, a matching module 31 and an interface module 32, wherein,
an input/output module 30 for receiving a management instruction;
a matching module 31, configured to determine a target HSM based on the management instruction;
the interface module 32 is configured to determine at least one API corresponding to a preset management instruction based on a mapping relationship between an instruction type of the management instruction and the API, and send the management instruction to the target HSM through the at least one API; wherein an API defines at least one communication specification for the HSM.
Optionally, the interface module 32 is further configured to:
presetting a mapping relation between an instruction type of a management instruction and an API (application program interface), and specifically comprising the following steps: respectively configuring at least one corresponding API aiming at each instruction type of the management instruction in advance; respectively establishing a mapping relation between each instruction type and the corresponding identification information of at least one API; or respectively establishing a mapping relation between each instruction type and the calling address of the corresponding at least one API.
Optionally, after receiving the management instruction and before sending the management instruction to the target HSM, the matching module 31 is further configured to:
and performing authority verification based on the identity information carried by the management instruction, and determining that the authority verification is passed.
Optionally, when receiving a management instruction and determining the target HSM based on the management instruction, the matching module 31 is configured to:
determining a corresponding target HSM based on the identification information of the target HSM carried by the management instruction; or, determining a corresponding target HSM based on the index information of the target HSM carried by the management instruction; or, based on a binding relationship preset corresponding to the management instruction, determining a corresponding target HSM.
Optionally, when the management instruction is sent to the target HSM through an API, the interface module 32 is configured to:
determining a protocol format agreed with the target HSM, wherein the protocol format conforms to the AIP-defined communication specification; and calling the API, generating a message carrying the management instruction based on the protocol format, and sending the message carrying the management instruction to the target HSM.
Optionally, further comprising:
and the execution module 33 is configured to generate a packet carrying the management instruction based on the protocol format according to the scheduling of the API, and then send the packet carrying the management instruction to the target HSM.
Optionally, the interface module 32 is further configured to:
and receiving a message which is returned by the target HSM and carries a response message, analyzing the message based on the protocol format, extracting the response message, and sending the response message to the management terminal through the API.
Optionally, further comprising:
and the execution module 33 is configured to receive a message carrying a response message returned by the target HSM, analyze the message based on the protocol format, and extract the response message.
In the embodiment of the application, an API layer is abstracted from the management and control system and used for shielding the difference of each HSM so as to realize the uniform management of the HSM, and a manager only needs to input a management instruction in a uniform operation interface and then calls the API matched with the instruction type of the management instruction through the management and control system so as to send the management instruction to the target HSM. Therefore, differential operation and maintenance management does not need to be carried out on different target HSMs, the management efficiency of the HSMs is effectively improved, and the operation and maintenance safety is improved.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the embodiments of the present application without departing from the spirit and scope of the embodiments of the present application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to encompass such modifications and variations.
Claims (11)
1. The utility model provides a management and control system of hardware encryption machine HSM which characterized in that includes:
the input and output module is used for receiving a management instruction;
the matching module is used for carrying out authority verification based on the identity information carried by the management instruction, and determining a target HSM based on the management instruction after the authority verification is passed;
the interface module is used for determining at least one API corresponding to a preset management instruction and determining a protocol format agreed with the target HSM based on a mapping relation between an instruction type of the preset management instruction and an Application Programming Interface (API), wherein the protocol format conforms to a communication specification defined by the API; calling the API, generating a message carrying the management instruction based on the protocol format, and sending the message carrying the management instruction to the target HSM; wherein an API defines at least one communication specification for the HSM.
2. The system of claim 1, wherein the interface module is further to: presetting a mapping relation between an instruction type of a management instruction and an API (application program interface), and specifically comprising the following steps:
respectively configuring at least one corresponding API aiming at each instruction type of the management instruction in advance;
respectively establishing a mapping relation between each instruction type and the corresponding identification information of at least one API; or respectively establishing a mapping relation between each instruction type and the calling address of the corresponding at least one API.
3. The system of claim 1, wherein upon receiving a management instruction and determining a target HSM based on the management instruction, the matching module is to:
determining a corresponding target HSM based on the identification information of the target HSM carried by the management instruction; alternatively, the first and second electrodes may be,
determining a corresponding target HSM based on the index information of the target HSM carried by the management instruction; alternatively, the first and second electrodes may be,
and determining a corresponding target HSM based on a binding relationship preset corresponding to the management instruction.
4. The system of claim 1, further comprising:
and the execution module is used for generating a message carrying the management instruction based on the protocol format according to the scheduling of the API, and then sending the message carrying the management instruction to the target HSM.
5. The system of claim 1, wherein the interface module is further to:
and receiving a message which is returned by the target HSM and carries a response message, analyzing the message based on the protocol format, extracting the response message, and sending the response message to a management terminal through the API.
6. The system of claim 1, further comprising:
and the execution module is used for receiving a message which is returned by the target HSM and carries a response message, analyzing the message based on the protocol format and extracting the response message.
7. A management and control method for a hardware encryption machine (HSM) is characterized by comprising the following steps:
receiving a management instruction, performing authority verification based on identity information carried by the management instruction, and determining a target HSM based on the management instruction after the authority verification is passed;
determining at least one API corresponding to a preset management instruction based on a mapping relation between the instruction type of the management instruction and an Application Programming Interface (API); wherein an API defines at least one communication specification for the HSM;
determining a protocol format agreed with the target HSM, wherein the protocol format conforms to the communication specification defined by the API;
and calling the API, generating a message carrying the management instruction based on the protocol format, and sending the message carrying the management instruction to the target HSM.
8. The method of claim 7, wherein presetting a mapping relationship between an instruction type of a management instruction and an API comprises:
respectively configuring at least one corresponding API aiming at each instruction type of the management instruction in advance;
respectively establishing a mapping relation between each instruction type and the corresponding identification information of at least one API; or respectively establishing a mapping relation between each instruction type and the calling address of the corresponding at least one API.
9. The method of claim 7, wherein receiving a management instruction and determining a target HSM based on the management instruction comprises:
determining a corresponding target HSM based on the identification information of the target HSM carried by the management instruction; alternatively, the first and second electrodes may be,
determining a corresponding target HSM based on the index information of the target HSM carried by the management instruction; alternatively, the first and second electrodes may be,
and determining a corresponding target HSM based on a binding relationship preset corresponding to the management instruction.
10. The method of claim 7, wherein the instruction type of the management instruction includes, but is not limited to, any one of the following types:
initialization instructions, upgrade instructions, downgrade instructions, copy instructions, clone instructions, backup instructions, restore instructions.
11. The method of claim 7, further comprising:
and receiving a message carrying a response message returned by the target HSM, analyzing the message carrying the response message based on the protocol format, extracting the response message, and sending the response message to a management terminal through the API.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610371292.9A CN107451435B (en) | 2016-05-30 | 2016-05-30 | Management and control method, management and control machine and management and control system of hardware encryption machine |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610371292.9A CN107451435B (en) | 2016-05-30 | 2016-05-30 | Management and control method, management and control machine and management and control system of hardware encryption machine |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN107451435A CN107451435A (en) | 2017-12-08 |
| CN107451435B true CN107451435B (en) | 2021-03-23 |
Family
ID=60484942
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610371292.9A Active CN107451435B (en) | 2016-05-30 | 2016-05-30 | Management and control method, management and control machine and management and control system of hardware encryption machine |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN107451435B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113282950B (en) * | 2021-07-26 | 2021-12-21 | 阿里云计算有限公司 | Operation and maintenance method, device, equipment and system of encryption machine |
| CN116707806B (en) * | 2023-08-09 | 2023-10-31 | 中电信量子科技有限公司 | Password equipment management method and management platform |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1744595A (en) * | 2004-09-01 | 2006-03-08 | 中国民生银行股份有限公司 | Web-based financial self-help service system and its control method |
| CN203135901U (en) * | 2012-08-21 | 2013-08-14 | 中国银联股份有限公司 | Encryption equipment management device |
| CN103825698A (en) * | 2014-01-20 | 2014-05-28 | 中国建设银行股份有限公司 | Password security management system and method |
| CN105515875A (en) * | 2015-12-25 | 2016-04-20 | 广东亿迅科技有限公司 | Switchboard management method |
-
2016
- 2016-05-30 CN CN201610371292.9A patent/CN107451435B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1744595A (en) * | 2004-09-01 | 2006-03-08 | 中国民生银行股份有限公司 | Web-based financial self-help service system and its control method |
| CN203135901U (en) * | 2012-08-21 | 2013-08-14 | 中国银联股份有限公司 | Encryption equipment management device |
| CN103825698A (en) * | 2014-01-20 | 2014-05-28 | 中国建设银行股份有限公司 | Password security management system and method |
| CN105515875A (en) * | 2015-12-25 | 2016-04-20 | 广东亿迅科技有限公司 | Switchboard management method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN107451435A (en) | 2017-12-08 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2018006789A1 (en) | Parameter checking method and apparatus, and network management server and computer storage medium | |
| US11301287B2 (en) | Pattern-based orchestration of cloud provisioning tasks at runtime | |
| EP3176697B1 (en) | Type-to-type analysis for cloud computing technical components | |
| US9762439B2 (en) | Configuration command template creation assistant using cross-model analysis to identify common syntax and semantics | |
| CN109670297B (en) | Method and device for opening service permission, storage medium and electronic equipment | |
| US9104451B2 (en) | Dynamic communication between script and execution layers | |
| CN110096424B (en) | Test processing method and device, electronic equipment and storage medium | |
| CN102799519A (en) | Automatic test method for cluster file system | |
| CN107247648B (en) | Method, device and system for realizing remote project system supervision based on Docker | |
| WO2018001091A1 (en) | Method and device for updating virtualized network function (vnf), and vnf packet | |
| CN110362490B (en) | Automatic testing method and system for integrating iOS and Android mobile applications | |
| CN111061685A (en) | Log query method and device, node equipment and storage medium | |
| CN113330419A (en) | Equipment application installation method and device | |
| CN107451435B (en) | Management and control method, management and control machine and management and control system of hardware encryption machine | |
| CN110187986B (en) | Command management method, system, device and computer readable storage medium | |
| CN109657167B (en) | Data acquisition method, device, server and storage medium | |
| US11418573B1 (en) | File transfer abstraction on a computer network | |
| US10180900B2 (en) | Recordation of user interface events for script generation | |
| CN114239026A (en) | Information desensitization conversion processing method, device, computer equipment and storage medium | |
| CN114237853A (en) | Task execution method, device, equipment, medium and program product applied to heterogeneous system | |
| CN104836831B (en) | A kind of object method of servicing for Internet of Things | |
| CN102647419B (en) | Security policy online detection system facing to terminal computers | |
| CN106778193B (en) | Client and UI interaction method | |
| CN114389868A (en) | Method, system and device for distributing cloud resources and storage medium | |
| CN111241173B (en) | Method and system for data interaction among multiple systems |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |