CN110401629B - Authorization activation method and related device - Google Patents

Authorization activation method and related device

Publication number: CN110401629B
Authority: CN (China)
Prior art keywords: authorization, certificate, application server, information, file
Legal status: Active
Application number: CN201910420312.0A
Other languages: Chinese (zh)
Other versions: CN110401629A (en)
Inventors: 欧岳, 陈丽玲, 许栋, 陈康裕, 万林佳, 王俊山, 高永贵
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd

Events:
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201910420312.0A
Publication of CN110401629A
Application granted
Publication of CN110401629B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 ... involving a third party or a trusted authority
    • H04L9/3213 ... involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3247 ... involving digital signatures

Abstract

The application discloses a method for activating authorization, which comprises the following steps: receiving a certificate authorization request sent by a client, wherein the certificate authorization request carries use subject information, and the use subject information comprises user information associated with an application server; generating a certificate authorization file according to the certificate authorization request; and sending the certificate authorization file to the application server so that the application server determines an authorization activation result according to the certificate authorization file, and storing authorization information in a local database of the application server according to the authorization activation result, wherein the authorization information is derived from the certificate authorization file. The embodiment of the application also discloses an activation authorization device, a SaaS server and an application server. The application server can acquire the authorization information from the SaaS server, so that the privatized deployment of enterprise data can be realized, the security of data storage is improved, and the potential safety hazard that the data is leaked is reduced.

Description

Authorization activation method and related device
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method for activating authorization and a related device.
Background
With the development of internet technology and the maturing of application software, the Software-as-a-Service (SaaS) model has begun to rise. The SaaS provider builds the network infrastructure and the software and hardware operating platform that an enterprise needs for informatization, and is responsible for services such as initial implementation and later maintenance, so the enterprise can use the information system over the Internet without purchasing software and hardware, building a machine room or recruiting technicians.
At present, an enterprise can manage its operations with software provided by a SaaS provider without maintaining the software itself; the SaaS provider has full authority to manage and maintain the software, and can also manage data inside the enterprise.
However, enterprise data often involves important secrets that the enterprise cannot disclose. The storage location of the data may therefore lead the enterprise to distrust the SaaS service provider, and a security risk that the data is leaked may arise.
Disclosure of Invention
The embodiment of the application provides an authorization activation method and a related device, an application server can acquire authorization information from a SaaS server, so that privatized deployment of enterprise data can be realized, the security of data storage is improved, and the potential safety hazard that data is leaked is reduced.
In view of the above, a first aspect of the present application provides a method for activating authorization, including:
receiving a certificate authorization request sent by a client, wherein the certificate authorization request carries use subject information, and the use subject information comprises user information associated with an application server;
generating a certificate authorization file according to the certificate authorization request;
and sending the certificate authorization file to the application server so that the application server determines an authorization activation result according to the certificate authorization file, and storing authorization information in a local database of the application server according to the authorization activation result, wherein the authorization information is derived from the certificate authorization file.
A second aspect of the present application provides a method of activating authorization, comprising:
acquiring a certificate authorization file, wherein the certificate authorization file is generated by a software as a service (SaaS) server according to a certificate authorization request, the certificate authorization request carries use subject information, and the use subject information comprises user information associated with an application server;
determining an authorization activation result according to the certificate authorization file;
and storing authorization information in a local database of the application server according to the authorization activation result, wherein the authorization information is derived from the certificate authorization file.
A third aspect of the present application provides an activation authorization apparatus, including:
a receiving module, configured to receive a certificate authorization request sent by a client, wherein the certificate authorization request carries use subject information, and the use subject information comprises user information associated with an application server;
the generating module is used for generating a certificate authorization file according to the certificate authorization request received by the receiving module;
a sending module, configured to send the certificate authorization file generated by the generating module to the application server, so that the application server determines an authorization activation result according to the certificate authorization file, and stores authorization information in a local database of the application server according to the authorization activation result, where the authorization information is derived from the certificate authorization file.
In one possible design, in a first implementation of the third aspect of an embodiment of the present application,
the generating module is specifically configured to obtain certificate source data according to the certificate authorization request;
encrypting the certificate source data by adopting a first secret key to obtain a certificate file to be encrypted;
encrypting the first key by adopting a second key to obtain a signature data segment;
and encrypting the certificate file to be encrypted and the signature data segment by adopting a third key to obtain the certificate authorization file.
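The three-key construction described in this implementation (source data under a first key, the first key under a second key to form the "signature data segment", and both parts under a third key) can be made concrete as an added example. The following Go program is written for this page and is not the patent's or Tencent's code; it assumes AES-256-GCM for each layer, a random per-file first key, and a 4-byte length prefix to join the two inner parts, none of which the text specifies. The receiving side peels the layers in reverse order and rejects any tampered file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// RandomKey returns a fresh 32-byte AES-256 key.
func RandomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; any change to the sealed bytes fails authentication.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// GenerateCertificateAuthorizationFile builds the three layers the text describes: source data
// under a fresh first key (certificate file to be encrypted), the first key under the second key
// (signature data segment), and both parts, joined by a 4-byte length prefix, under the third key.
func GenerateCertificateAuthorizationFile(sourceData, secondKey, thirdKey []byte) ([]byte, error) {
	firstKey, err := RandomKey() // per-file random first key: an assumption of this example
	if err != nil {
		return nil, err
	}
	certFile, err := sealGCM(firstKey, sourceData)
	if err != nil {
		return nil, err
	}
	signatureSegment, err := sealGCM(secondKey, firstKey)
	if err != nil {
		return nil, err
	}
	inner := make([]byte, 4, 4+len(certFile)+len(signatureSegment))
	binary.BigEndian.PutUint32(inner, uint32(len(certFile)))
	inner = append(append(inner, certFile...), signatureSegment...)
	return sealGCM(thirdKey, inner)
}

// OpenCertificateAuthorizationFile is the receiving side: peel the third-key layer, recover the
// first key from the signature data segment with the second key, then decrypt the source data.
func OpenCertificateAuthorizationFile(file, secondKey, thirdKey []byte) ([]byte, error) {
	inner, err := openGCM(thirdKey, file)
	if err != nil {
		return nil, fmt.Errorf("outer layer: %w", err)
	}
	if len(inner) < 4 || int(binary.BigEndian.Uint32(inner)) > len(inner)-4 {
		return nil, errors.New("bad inner layout")
	}
	n := int(binary.BigEndian.Uint32(inner))
	firstKey, err := openGCM(secondKey, inner[4+n:])
	if err != nil {
		return nil, fmt.Errorf("signature data segment: %w", err)
	}
	return openGCM(firstKey, inner[4:4+n])
}

func main() {
	secondKey, _ := RandomKey()
	thirdKey, _ := RandomKey()
	source := []byte(`{"group":"Example Co. Ltd","valid_until":"2020-12-31","users":200}`) // constructed
	file, _ := GenerateCertificateAuthorizationFile(source, secondKey, thirdKey)
	back, err := OpenCertificateAuthorizationFile(file, secondKey, thirdKey)
	fmt.Println(err == nil && string(back) == string(source))
}
```

Because each layer is an authenticated cipher, a file altered in transit fails to open rather than yielding garbled authorization data. Note that an encrypted key is not a digital signature: anyone holding the second and third keys can produce a file that opens cleanly, so binding the file to the SaaS server as issuer (the H04L9/3247 classification on this page) would additionally require a signature under a private key that only the server holds.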
In one possible design, in a second implementation of the third aspect of the embodiments of the present application,
the sending module is specifically configured to send the certificate authorization file to the application server through a Hypertext Transfer Protocol Secure (HTTPS) channel.
In a possible design, in a third implementation manner of the third aspect of the embodiment of the present application, the activation authorization apparatus further includes a verification module;
the receiving module is further configured to receive a serial number sent by the application server after the sending module sends the certificate authorization file to the application server, where the serial number is a unique identifier corresponding to the certificate authorization file;
the checking module is configured to check the serial number received by the receiving module to obtain the authorization activation result;
the sending module is further configured to send the authorization information and token information to the application server if the authorization activation result obtained through verification by the verification module is verification success, where the token information is an identity of a user associated with the application server;
the sending module is further configured to feed back the authorization activation result to the application server if the authorization activation result obtained through the verification by the verification module is a verification failure.
In one possible design, in a fourth implementation of the third aspect of the embodiments of the present application,
the receiving module is further configured to receive token information verification requests periodically sent by the application server;
the checking module is further configured to check the token information according to the token information checking request received by the receiving module to obtain an information checking result;
the sending module is further configured to send the authorization information to the application server if the information verification result obtained by the verification module is successful, so that the application server updates the authorization information to the local database.
In a possible design, in a fifth implementation manner of the third aspect of the embodiment of the present application, the activation authorization apparatus further includes a determination module;
the receiving module is further configured to receive an authorization activation message sent by the application server after the sending module sends the certificate authorization file to the application server;
the determining module is configured to determine an effective usage duration according to the authorization activation message received by the receiving module;
the sending module is further configured to send an authorization termination request to the application server when it is detected that the usage duration of the application server reaches the effective usage duration determined by the determining module, so that the application server enters an inactive state according to the authorization termination request.
In one possible design, in a sixth implementation form of the third aspect of the embodiments of the present application,
the generating module is further configured to generate token information according to the certificate authorization request after the receiving module receives the certificate authorization request sent by the client, where the token information is an identity of a user associated with the application server;
the sending module is specifically configured to send the certificate authorization file and the token information to the application server, so that the application server verifies the certificate authorization file and the token information, determines the authorization activation result, and stores the authorization information in the local database of the application server if the authorization activation result is successful in verification.
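The third, fourth and fifth implementations above describe the SaaS server's side of online activation: verify the serial number of a certificate authorization file, hand back authorization information together with token information, answer the application server's periodic token verification requests, and terminate the authorization once the effective usage duration is reached. The following Go model is an added example written for this page, not the patent's or Tencent's code; the struct and field names, the once-only acceptance of a serial number, the 32-byte random token and the injected clock are all assumptions made here so the flow can be exercised offline.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrUnknownSerial     = errors.New("serial number matches no issued certificate authorization file")
	ErrAlreadyActivated  = errors.New("certificate authorization file has already been activated")
	ErrUnknownToken      = errors.New("token information not recognised")
	ErrAuthorizationOver = errors.New("effective usage duration reached; authorization terminated")
)

// AuthorizationInfo is what the SaaS server sends on success (field names are constructed).
type AuthorizationInfo struct {
	FunctionRange []string
	ValidUntil    time.Time
	MaxUsers      int
}

type activation struct {
	activatedAt time.Time
	info        AuthorizationInfo
}

// SaaSVerifier models the SaaS server's receiving, verification and sending modules for the
// online activation flow. The clock is injected so that expiry can be exercised deterministically.
type SaaSVerifier struct {
	mu                sync.Mutex
	now               func() time.Time
	effectiveDuration time.Duration
	issued            map[string]AuthorizationInfo // serial number -> authorization bound to the file
	activated         map[string]bool              // serial numbers that have already been used
	tokens            map[string]activation        // token information -> the activation it identifies
}

func NewSaaSVerifier(now func() time.Time, effectiveDuration time.Duration) *SaaSVerifier {
	return &SaaSVerifier{
		now: now, effectiveDuration: effectiveDuration,
		issued: map[string]AuthorizationInfo{}, activated: map[string]bool{}, tokens: map[string]activation{},
	}
}

// IssueCertificate records the serial number (the file's unique identifier) assigned at generation time.
func (s *SaaSVerifier) IssueCertificate(serial string, info AuthorizationInfo) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.issued[serial] = info
}

// VerifySerial is the verification module: on success it returns the authorization information and
// fresh token information. A serial number is accepted once, so a copied file cannot be activated twice.
func (s *SaaSVerifier) VerifySerial(serial string) (AuthorizationInfo, string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	info, ok := s.issued[serial]
	if !ok {
		return AuthorizationInfo{}, "", ErrUnknownSerial
	}
	if s.activated[serial] {
		return AuthorizationInfo{}, "", ErrAlreadyActivated
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return AuthorizationInfo{}, "", err
	}
	token := hex.EncodeToString(raw)
	s.activated[serial] = true
	s.tokens[token] = activation{activatedAt: s.now(), info: info}
	return info, token, nil
}

// VerifyToken serves the periodic token information verification request. It returns the current
// authorization information, or ErrAuthorizationOver once the effective usage duration has elapsed.
func (s *SaaSVerifier) VerifyToken(token string) (AuthorizationInfo, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	act, ok := s.tokens[token]
	if !ok {
		return AuthorizationInfo{}, ErrUnknownToken
	}
	if s.now().Sub(act.activatedAt) >= s.effectiveDuration {
		delete(s.tokens, token) // later requests with this token are rejected as unknown
		return AuthorizationInfo{}, ErrAuthorizationOver
	}
	return act.info, nil
}

func main() {
	s := NewSaaSVerifier(time.Now, 365*24*time.Hour)
	s.IssueCertificate("CONSTRUCTED-SN-0001", AuthorizationInfo{MaxUsers: 200})
	info, token, err := s.VerifySerial("CONSTRUCTED-SN-0001")
	fmt.Println(info.MaxUsers, len(token), err)
}
```

The ErrAuthorizationOver result is the point at which the server would send the authorization termination request so that the application server enters the inactive state; the application server's own periodic request is simply a call to VerifyToken with the token it stored in its local database. Rejecting a serial number on its second use is a defensive choice this example adds: the text only says the serial number is verified, and a deployment that needs re-activation would need an explicit revocation step instead.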
A fourth aspect of the present application provides an activation authorization apparatus, including:
an acquisition module, configured to acquire a certificate authorization file, wherein the certificate authorization file is generated by a software as a service (SaaS) server according to a certificate authorization request, the certificate authorization request carries use subject information, and the use subject information comprises user information associated with an application server;
the determining module is used for determining an authorization activation result according to the certificate authorization file acquired by the acquiring module;
and the storage module is used for storing authorization information in a local database of the application server according to the authorization activation result determined by the determination module, wherein the authorization information is derived from the certificate authorization file.
In one possible design, in a first implementation of the fourth aspect of the embodiments of the present application,
the determining module is specifically configured to send a serial number to the SaaS server, so that the SaaS server verifies the serial number to obtain the authorization activation result, where the serial number is a unique identifier corresponding to the certificate authorization file;
the storage module is specifically configured to receive the authorization information and token information sent by the SaaS server if the authorization activation result is that verification is successful, where the token information is an identity of a user associated with an application server;
storing the authorization information and the token information in the local database of the application server.
In one possible design, in a second implementation manner of the fourth aspect of the embodiment of the present application, the activation authorization apparatus further includes a sending module, a receiving module, and an updating module;
the sending module is configured to, after the storage module stores the authorization information in the local database of the application server according to the authorization activation result, periodically send a token information verification request to the SaaS server, so that the SaaS server verifies the token information according to the token information verification request and obtains an information verification result;
the receiving module is used for receiving the authorization information sent by the SaaS server if the information verification result is that the verification is successful;
the updating module is used for updating the authorization information received by the receiving module to the local database.
In a possible design, in a third implementation manner of the fourth aspect of the embodiment of the present application, the activation authorization apparatus further includes an entry module;
the sending module is further configured to, after the storage module stores authorization information in a local database of the application server according to the authorization activation result, send an authorization activation message to the SaaS server, so that the SaaS server determines an effective use duration according to the authorization activation message;
the receiving module is further configured to receive an authorization termination request sent by the SaaS server when the SaaS server detects that the service duration of the application server reaches the effective service duration;
the entry module is configured to enter an inactive state according to the authorization termination request received by the receiving module.
In one possible design, in a fourth implementation of the fourth aspect of the embodiment of the present application,
the obtaining module is specifically configured to obtain the certificate authorization file and token information, where the token information is an identity of a user associated with the application server;
the determining module is specifically configured to verify the certificate authorization file and the token information, and determine the authorization activation result;
the storage module is specifically configured to store the authorization information in the local database of the application server if the authorization activation result is that verification is successful.
In one possible design, in a fifth implementation form of the fourth aspect of the embodiments of the present application,
the acquisition module is also used for acquiring the effective use duration;
the entry module is further configured to enter an inactive state when it is detected that the usage duration of the application server reaches the effective usage duration acquired by the acquisition module.
A fifth aspect of the present application provides a software as a service (SaaS) server, including a memory, a transceiver, a processor, and a bus system;
wherein the memory is used for storing programs;
the processor is used for executing the program in the memory and comprises the following steps:
receiving a certificate authorization request sent by a client, wherein the certificate authorization request carries use subject information, and the use subject information comprises user information associated with an application server;
generating a certificate authorization file according to the certificate authorization request;
sending the certificate authorization file to the application server so that the application server determines an authorization activation result according to the certificate authorization file and stores authorization information in a local database of the application server according to the authorization activation result, wherein the authorization information is derived from the certificate authorization file;
the bus system is used for connecting the memory and the processor so as to enable the memory and the processor to communicate.
A sixth aspect of the present application provides an application server, comprising a memory, a transceiver, a processor, and a bus system;
wherein the memory is used for storing programs;
the processor is used for executing the program in the memory and comprises the following steps:
acquiring a certificate authorization file, wherein the certificate authorization file is generated by a software as a service (SaaS) server according to a certificate authorization request, the certificate authorization request carries use subject information, and the use subject information comprises user information associated with an application server;
determining an authorization activation result according to the certificate authorization file;
storing authorization information in a local database of the application server according to the authorization activation result, wherein the authorization information is derived from the certificate authorization file;
the bus system is used for connecting the memory and the processor so as to enable the memory and the processor to communicate.
A seventh aspect of the present application provides a computer-readable storage medium having stored therein instructions, which, when run on a computer, cause the computer to perform the method of the above-described aspects.
According to the technical scheme, the embodiment of the application has the following advantages:
in the embodiment of the application, an authorization activation method is provided, and includes that a SaaS server receives a certificate authorization request sent by a client, wherein the certificate authorization request carries use subject information, the use subject information includes user information associated with an application server, then the SaaS server generates a certificate authorization file according to the certificate authorization request, and finally the SaaS server sends the certificate authorization file to the application server, so that the application server determines an authorization activation result according to the certificate authorization file, authorization information is stored in a local database of the application server according to the authorization activation result, and the authorization information is derived from the certificate authorization file. Through the mode, the application server can acquire the authorization information from the SaaS server, so that the privatized deployment of enterprise data can be realized, the safety of data storage is improved, and the potential safety hazard that the data is leaked is reduced.
Drawings
FIG. 1 is a schematic diagram of an interaction of a physical device activating an authorization system according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an architecture of an activation authorization system according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an embodiment of a method for activating authorization in an embodiment of the present application;
FIG. 4 is a block diagram of a flow framework for activation authorization in an embodiment of the present application;
FIG. 5 is a schematic diagram of an interface for importing a certificate authorization file according to an embodiment of the present application;
FIG. 6 is a diagram illustrating the file structure of a certificate authorization file in an embodiment of the present application;
FIG. 7 is a schematic diagram illustrating the encryption process of a certificate authorization file according to an embodiment of the present application;
FIG. 8 is a flow chart illustrating online activation authorization in an embodiment of the present application;
FIG. 9 is a schematic flow chart of the timed check based on online status in an embodiment of the present application;
FIG. 10 is a flow chart illustrating offline activation authorization in an embodiment of the present application;
FIG. 11 is a schematic diagram of another embodiment of a method for activating authorization in an embodiment of the present application;
FIG. 12 is a schematic diagram of an embodiment of an activation authorization apparatus in an embodiment of the present application;
FIG. 13 is a schematic diagram of another embodiment of an activation authorization apparatus in an embodiment of the present application;
FIG. 14 is a schematic diagram of another embodiment of an activation authorization apparatus in an embodiment of the present application;
FIG. 15 is a schematic diagram of an embodiment of an activation authorization apparatus in an embodiment of the present application;
FIG. 16 is a schematic diagram of another embodiment of an activation authorization apparatus in an embodiment of the present application;
FIG. 17 is a schematic diagram of another embodiment of an activation authorization apparatus in an embodiment of the present application;
FIG. 18 is a schematic structural diagram of a server in an embodiment of the present application.
Detailed Description
The embodiment of the application provides an authorization activation method and a related device, an application server can acquire authorization information from a SaaS server, so that privatized deployment of enterprise data can be realized, the security of data storage is improved, and the potential safety hazard that data is leaked is reduced.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "corresponding" and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that the activation authorization method provided by the present application can be applied to the SaaS service model, which is the development trend of future management software and differs greatly from traditional licensed software. Compared with the traditional service model, the SaaS service model has several unique characteristics: it reduces or removes the traditional software licensing cost; the vendor deploys the application software on a uniform server, so the user is spared the expense of server hardware, network security equipment and software upgrade maintenance; and the user obtains the required software and services over the Internet with no investment beyond a personal computer and an Internet connection. Furthermore, a large number of new technologies, such as web services, make SaaS service models simpler, more flexible and more practical.
It should be understood that the activation authorization method provided by the application can be applied to government affairs applications based on the SaaS service model. As mobile social networking becomes ever more attractive, the number of mobile social netizens and public accounts grows greatly, and netizens' participation in public events and social hot topics expands further. With more and more government agencies, social organizations, mainstream media and public individuals present on mobile networks, government applications must move towards public affairs. A government affairs application has novel and varied forms of expression and can send text, pictures, voice, video, geographical location and other information. Government affairs applications based on the SaaS service model therefore need more reliable data storage conditions, that is, privatized deployment. In privatized deployment the software is deployed directly on the enterprise's own server; this differs from a SaaS-mode deployment, in which the user does not install the software locally and obtains the service purely through Internet access. In the SaaS service model an enterprise obtains the functions it wants by purchasing a SaaS provider's service, but the data the enterprise processes through that service is, without exception, stored on the SaaS service provider's server. Yet enterprise data often involves secrets the enterprise cannot reveal, and the storage location of the data often causes the enterprise to distrust the SaaS service provider.
In view of this, the activation authorization method provided by the present application enables an application server (i.e., the enterprise's own server) to obtain a certificate authorization file, thereby implementing privatized deployment. For ease of understanding, the authorization activation method is applied to the authorization activation system shown in fig. 1, which is an interaction diagram of the physical devices of an authorization activation system in an embodiment of the present application. As shown in the figure, an enterprise enters contract order information through a Customer Relationship Management (CRM) client, and the SaaS service provider reviews the contract order information. After the review passes, the enterprise receives the certificate authorization file issued by the SaaS server by short message or e-mail. The enterprise imports the certificate authorization file through the system service management client in the client deployment environment and sends the imported file to the SaaS server; if the SaaS server verifies the certificate authorization file successfully, authorization information is issued to the application server, which then holds the privatized deployment permission.
It should be noted that the CRM client is disposed on a terminal device, where the terminal device includes but is not limited to a tablet computer, a notebook computer, a palm computer, a mobile phone, and a Personal Computer (PC), and the like, and the CRM client is not limited herein.
For convenience of further understanding, please refer to fig. 2, where fig. 2 is a schematic diagram of an architecture of an activation authorization system in an embodiment of the present application. As shown in the figure, a SaaS system is deployed on a SaaS server, and a certificate-controlled user deployment environment is deployed on an application server. The SaaS system generates a certificate authorization file, data interaction between the SaaS system and the certificate-controlled user deployment environment is carried out over Hypertext Transfer Protocol over Secure Socket Layer (HTTPS), and the certificate-controlled user deployment environment may determine a usage function range R, a usage validity period T, a number of users N, and the like according to the authorization information in the certificate authorization file. The usage function range R indicates the group using the function, such as Corporation Limited A; some groups hold certificates on an annual-fee basis and have the extranet function, for example extranet services that can use communication application interconnection, the red packet function, Voice over Internet Protocol (VoIP), and the like. Some groups do not have the extranet function, so a buy-out mode can be selected; in the buy-out mode the extranet function cannot be used and upgrades to new versions are not available, but patch packages can still be updated. The usage validity period T is the validity period of the service function; if it expires without being extended, use is restricted. The number of people N represents the amount of user account data that can be created in the currently deployed user environment.
With reference to fig. 3, an embodiment of the method for activating authorization in the present application includes:
101. A SaaS server receives a certificate authorization request sent by a client, where the certificate authorization request carries usage subject information, and the usage subject information includes user information associated with an application server;
In this embodiment, a SaaS server receives a certificate authorization request sent by a client, where the client may specifically be a CRM system. For convenience of understanding, please refer to fig. 4, where fig. 4 is a schematic view of the flow framework for activating authorization in this embodiment of the application. As shown in the figure, a user first enters order information related to a contract into the CRM system, that is, applies for local deployment authorization. The CRM system can be a web page or an application program, and the relevant personnel can perform the audit. The order information includes, but is not limited to, the deployment identification (ID), ordering enterprise, applicant, approver, and deployer information. The order information mainly records the information of the privatized deployment contract order on the CRM system, and after the relevant examination and approval is passed, a deployment ID and an enterprise ID that have a unique association with the certificate authorization file are generated.
After the relevant personnel pass the audit, in step S1, the CRM system applies to the certificate management system to create a certificate authorization request, that is, the SaaS server receives the certificate authorization request sent by the client, where the certificate authorization request carries usage subject information, and the usage subject information includes user information associated with the application server.
102. The SaaS server generates a certificate authorization file according to the certificate authorization request;
In this embodiment, the SaaS server generates a certificate authorization file according to the certificate authorization request sent by the client. The certificate authorization request carries usage subject information, which includes user information associated with the application server and mainly records the information required when the enterprise registers and configures its deployment environment after the order contract has passed examination and approval in the CRM system. Specifically, the usage subject information includes, but is not limited to, the organization abbreviation and full name, the organization domain, the administrator name, the administrator phone number, the administrator mailbox, and the like. The certificate authorization file generated by the SaaS server is the valid certificate for activating and using the service in the user environment, and all functions and services based on the same certificate authorization file are directed to the deploying enterprise or group.
The certificate authorization file comprises certificate information, which is used for activation and verification of the user deployment environment and records the relevant legal information of the current deployment environment and enterprise; the certificate information includes, but is not limited to, a model, a certificate type, the number of registered users, the subscription permission time, and the certificate purchase type.
103. The SaaS server sends a certificate authorization file to the application server so that the application server determines an authorization activation result according to the certificate authorization file and stores authorization information in a local database of the application server according to the authorization activation result, wherein the authorization information is derived from the certificate authorization file.
In this embodiment, after the SaaS server generates the certificate authorization file, the SaaS server may issue the certificate authorization file to the user side by short message or e-mail, so that a user administrator may import the certificate authorization file through the system service management client of the application server. The import operation requires a request to the certificate management system of the SaaS server to check the certificate authorization file, and the authorization information is sent only after the check is passed (that is, the authorization activation result is a successful check). It is understood that, in practical applications, the authorization activation result may be determined through offline verification or online verification. If the authorization activation result is success, the application server can store the authorization information in the local database of the application server, where the authorization information is derived from the certificate authorization file.
For ease of understanding, with continued reference to fig. 4, a user may import the certificate authorization file into the user deployment environment deployed on the application server through the system service management client. Referring to fig. 5, fig. 5 is an interface schematic diagram of importing the certificate authorization file in the embodiment of the present application. As shown in the figure, a user imports the certificate authorization file from the management page of the system service management client and then sends an activation authorization application to the certificate management system in the SaaS server in step S3; the certificate management system verifies the authorization information in the certificate authorization file, and after the verification is passed, the authorization information is issued to the application server in step S4, so that the application server stores the authorization information in its local database. Finally, after the application server completes local activation, a notification of activation completion is sent to the SaaS server in step S5, so that the SaaS server confirms that the application server has completed activation. In addition, in step S6, the system service management client may also obtain the enterprise activation status from the SaaS server, that is, notify the SaaS server that the activation status is completed.
It can be understood that the authorization information is derived from the certificate authorization file. Please refer to fig. 6, where fig. 6 is a file configuration diagram of the certificate authorization file in the embodiment of the present application. As shown in the figure, the certificate authorization file includes 6 types of information: enterprise information (identity characteristic information such as the enterprise abbreviation, enterprise full name, authorized number, Media Access Control (MAC) address, and extranet IP address), application information (such as whether it is in use, whether it is a formal deployment, whether it is an annual-fee renewal, and whether it is a buy-out), a serial number (the identification number unique to the certificate authorization file), enterprise certificate information (such as login encryption information and identity token information), the remaining authorization validity duration, and other auxiliary information (such as the latest activation time). The authorization information in the present application includes, but is not limited to, the authorized number of persons, the expiration date, the range of permitted functions, and the enterprise certificate information.
In the embodiment of the application, an authorization activation method is provided, and includes that a SaaS server receives a certificate authorization request sent by a client, wherein the certificate authorization request carries use subject information, the use subject information includes user information associated with an application server, then the SaaS server generates a certificate authorization file according to the certificate authorization request, and finally the SaaS server sends the certificate authorization file to the application server, so that the application server determines an authorization activation result according to the certificate authorization file, authorization information is stored in a local database of the application server according to the authorization activation result, and the authorization information is derived from the certificate authorization file. Through the mode, the application server can acquire the authorization information from the SaaS server, so that the privatized deployment of enterprise data can be realized, the safety of data storage is improved, and the potential safety hazard that the data is leaked is reduced.
Optionally, on the basis of the embodiment corresponding to fig. 3, in a first optional embodiment of the method for activating authorization provided in the embodiment of the present application, the generating, by the SaaS server, a certificate authorization file according to the certificate authorization request may include:
the SaaS server acquires certificate source data according to the certificate authorization request;
the SaaS server encrypts the certificate source data by adopting a first secret key to obtain a certificate file to be encrypted;
the SaaS server encrypts the first key by adopting a second key to obtain a signature data section;
and the SaaS server encrypts the certificate file to be encrypted and the signature data segment by adopting a third secret key to obtain the certificate authorization file.
In this embodiment, a method for encrypting the certificate source data to obtain a certificate authorization file is introduced. For convenience of understanding, please refer to fig. 7, where fig. 7 is a schematic view of the encryption flow of the certificate authorization file in the embodiment of the present application. As shown in the figure, the SaaS server obtains certificate source data, whose content is the specific data of the certificate authorization file corresponding to fig. 6; the certificate source data is large and requires high privacy, so it must be encrypted. First, in step A1, the certificate source data is encrypted with a symmetric algorithm, that is, the first key KEY1 is used to encrypt the certificate source data to generate a to-be-encrypted certificate file E1. Then, in step A2, the first key KEY1 is encrypted with the second key KEY2 to generate a signature data segment E2; signing the first key once with asymmetric cryptography improves the security of the certificate source data. The to-be-encrypted certificate file E1 and the signature data segment E2 are then concatenated, and finally, in step A3, the concatenation of E1 and E2 is symmetrically encrypted with a third key KEY3 to obtain an encrypted character string F1 corresponding to the certificate authorization file.
It can be understood that the application server needs to decrypt the certificate authorization file in the corresponding manner in order to verify the integrity and validity of the certificate authorization file.
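The three-layer construction of fig. 7 and the application server's corresponding unwrapping, as an added example that is not code from the patent or from Tencent. The text describes step A2 as "encrypting" KEY1 with the private key KEY2 so that the receiver recovers KEY1 with the public key, which is a signature with message recovery; modern RSA-PSS signatures do not return the signed message, so in this example KEY1 travels next to its PSS signature inside the KEY3 layer. That leaves the confidentiality of KEY1 where the text puts it (under KEY3, since a public key cannot keep a secret) and keeps the authenticity check. AES-256-GCM as the symmetric algorithm, RSA-2048 for KEY2, the fixed layout E2 || KEY1 || E1, and a KEY3 that both servers already share are all assumptions; the JSON source data is constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

const (
	rsaBits = 2048
	sigLen  = rsaBits / 8 // length of one RSA-PSS signature, i.e. of the signature data segment E2
	keyLen  = 32          // AES-256 key length used for KEY1 and KEY3
)

func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		panic(err)
	}
	return k
}

// sealAEAD encrypts with AES-256-GCM and prepends the random nonce to the ciphertext.
func sealAEAD(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not fail on supported platforms
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAEAD reverses sealAEAD; the GCM tag check rejects any modified byte.
func openAEAD(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// BuildCertFile is the SaaS-server side, steps A1 to A3 of fig. 7.
func BuildCertFile(source, key3 []byte, saasPriv *rsa.PrivateKey) ([]byte, error) {
	key1 := make([]byte, keyLen) // a fresh KEY1 for every certificate file
	rand.Read(key1)
	e1, err := sealAEAD(key1, source) // A1: E1 = Sym(KEY1, source)
	if err != nil {
		return nil, err
	}
	// A2: sign KEY1 with the SaaS private key (KEY2); KEY1 itself rides next to the signature (see lead-in).
	digest := sha256.Sum256(key1)
	e2, err := rsa.SignPSS(rand.Reader, saasPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	inner := append(append(e2, key1...), e1...) // E2 || KEY1 || E1
	return sealAEAD(key3, inner)                // A3: F1 = Sym(KEY3, inner)
}

// OpenCertFile is the application-server side; every layer must check out or the file is rejected.
func OpenCertFile(f1, key3 []byte, saasPub *rsa.PublicKey) ([]byte, error) {
	inner, err := openAEAD(key3, f1)
	if err != nil {
		return nil, fmt.Errorf("outer layer (KEY3): %w", err)
	}
	if len(inner) < sigLen+keyLen {
		return nil, fmt.Errorf("certificate file truncated")
	}
	e2, key1, e1 := inner[:sigLen], inner[sigLen:sigLen+keyLen], inner[sigLen+keyLen:]
	digest := sha256.Sum256(key1)
	if err := rsa.VerifyPSS(saasPub, crypto.SHA256, digest[:], e2, nil); err != nil {
		return nil, fmt.Errorf("signature data segment: %w", err)
	}
	source, err := openAEAD(key1, e1)
	if err != nil {
		return nil, fmt.Errorf("inner layer (KEY1): %w", err)
	}
	return source, nil
}

func main() {
	key3 := make([]byte, keyLen) // KEY3 assumed pre-shared between the servers; all-zero for this demo only
	saasKey := genKey()
	source := []byte(`{"serial":"SN-EXAMPLE-0001","users":200}`) // constructed stand-in for the fig. 6 data
	f1, err := BuildCertFile(source, key3, saasKey)
	if err != nil {
		panic(err)
	}
	got, err := OpenCertFile(f1, key3, &saasKey.PublicKey)
	fmt.Printf("recovered %s (err=%v)\n", got, err)
}
```

The order of checks on the application server matters: the KEY3 layer is opened first, so a file that was tampered with in transit is rejected by the GCM tag before any signature work; the signature is checked next, so a file built by someone holding KEY3 but not the SaaS private key is rejected before the inner layer is touched.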
Symmetric encryption is also called private key encryption, i.e. the sender and receiver of a message use the same key to encrypt and decrypt data. The symmetric encryption algorithm adopted by the present application includes, but is not limited to, the Advanced Encryption Standard (AES), the Data Encryption Standard (DES), the Triple Data Encryption Algorithm (TDEA), Blowfish, RC5 and the International Data Encryption Algorithm (IDEA).
The encryption process of symmetric encryption is: plaintext + encryption algorithm + private key → ciphertext;
the decryption process of symmetric encryption is: ciphertext + decryption algorithm + private key → plaintext;
the key used in symmetric encryption is called a private key, which means it is the private key of an individual, i.e. the key must not be disclosed. The private key used in the encryption process and the private key used in the decryption process are the same key.
The asymmetric signature is different from asymmetric encryption in that the asymmetric signature is encrypted by a private key and decrypted by a public key, and the asymmetric encryption is encrypted by the public key and decrypted by the private key. The present application uses asymmetric signatures, it being understood that in practical applications, asymmetric encryption may also be used.
Asymmetric encryption, also known as public key encryption, uses a pair of keys, a public key and a private key, which are generated together. The private key is kept by the user and must not be revealed to the outside. The public key is a key that anyone can obtain. Data encrypted with one key of the pair can be decrypted with the other.
The ciphertext encrypted by the public key can only be decrypted by the private key, and the process is as follows:
plaintext + encryption algorithm + public key → ciphertext; ciphertext + decryption algorithm + private key → plaintext;
the ciphertext encrypted by the private key can only be decrypted by the public key, and the process is as follows:
plaintext + encryption algorithm + private key → ciphertext; ciphertext + decryption algorithm + public key → plaintext;
Asymmetric encryption uses two different keys for encryption and decryption, and the asymmetric encryption algorithms used in the present application include, but are not limited to, the RSA algorithm (Ron Rivest, Adi Shamir, Leonard Adleman), the ElGamal algorithm, elliptic curve cryptography (ECC), the Rabin algorithm, and the Diffie-Hellman key exchange algorithm.
Secondly, in the embodiment of the present application, a method for generating a certificate authorization file is provided: the SaaS server first obtains certificate source data according to the certificate authorization request, then encrypts the certificate source data with a first key to obtain a to-be-encrypted certificate file, encrypts the first key with a second key to obtain a signature data segment, and finally encrypts the to-be-encrypted certificate file and the signature data segment with a third key to obtain the certificate authorization file. In this way, symmetric encryption encrypts and decrypts the certificate source data quickly, the character string produced by symmetrically encrypting the certificate source data is smaller than the original data source, and the symmetric key is protected by an asymmetric signature, so security is improved together with encryption and decryption performance.
Optionally, on the basis of the foregoing embodiments corresponding to fig. 3, in a second optional embodiment of the method for activating authorization provided in the embodiment of the present application, sending a certificate authorization file to an application server may include:
and the SaaS server sends the certificate authorization file to the application server through a hypertext transfer security protocol (HTTPS) channel.
In this embodiment, a data transmission method between the SaaS server and the application server is introduced, that is, the SaaS server sends the certificate authorization file to the application server through an HTTPS channel. The HTTPS channel is a Hypertext Transfer Protocol (HTTP) channel targeted at security, that is, HTTP with better security. The security basis of HTTPS is the Secure Sockets Layer (SSL), so the details of the encryption rely on SSL.
HTTPS encrypts data for transmission, that is, ciphertext is transmitted, and even if an attacker intercepts the data in transit it cannot be decoded, so the security of network communication is ensured. The HTTPS protocol provides data integrity, that is, the content is transmitted with an integrity check; data privacy, that is, the content is symmetrically encrypted and each connection generates a unique encryption key; and identity authentication, that is, a third party cannot forge the identity of the server (or client).
It should be noted that, in practical applications, the SaaS server and the application server may transmit not only the certificate authorization file but also other instructions and requests through the HTTPS channel, that is, the data interaction request link between the SaaS server and the application server all uses the encrypted data channel of the HTTPS.
Secondly, in the embodiment of the present application, a data transmission method between the SaaS server and the application server is provided, that is, the SaaS server sends a certificate authorization file to the application server through an HTTPS channel. By the aid of the method, safety of data transmission can be improved, and particularly for transmission of certificate authorization files, a more reliable transmission environment is needed, so that data transmission through an HTTPS channel can prevent data hijacking and tampering in the activation and verification processes.
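The HTTPS channel of this embodiment from the application server's point of view, as an added example that is not code from the patent or from Tencent. A stand-in SaaS endpoint (net/http/httptest) serves a constructed certificate authorization file over TLS; the application server's client keeps certificate verification on, trusts only that server's certificate as a root, and refuses anything below TLS 1.2. The endpoint path /cert/authorize and the file contents are assumptions. The point a practitioner checks is the second fetch: the same download fails at the handshake when the client's root set does not vouch for the server, which is what stops the hijacking and tampering the text mentions; a client with verification disabled would accept either.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// NewSaaSServer stands in for the SaaS server's certificate management endpoint and serves a
// (constructed) certificate authorization file over TLS. The path /cert/authorize is an assumption.
func NewSaaSServer(certFile []byte) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/cert/authorize", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/octet-stream")
		w.Write(certFile)
	})
	return httptest.NewTLSServer(mux)
}

// TrustPool returns a root pool that contains only the SaaS server's own certificate,
// so the application server accepts nobody else as that server.
func TrustPool(srv *httptest.Server) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return pool
}

// NewAppClient is the application server's HTTPS client: certificate verification stays on,
// roots decides who may vouch for the SaaS server, and TLS 1.2 is the floor.
func NewAppClient(roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
	}}
}

// FetchCertFile downloads the certificate authorization file; a rejected handshake surfaces
// as an error before any application data is exchanged.
func FetchCertFile(c *http.Client, url string) ([]byte, error) {
	resp, err := c.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %s", resp.Status)
	}
	return io.ReadAll(resp.Body)
}

func main() {
	srv := NewSaaSServer([]byte("constructed certificate authorization file"))
	defer srv.Close()
	url := srv.URL + "/cert/authorize"
	got, err := FetchCertFile(NewAppClient(TrustPool(srv)), url)
	fmt.Printf("pinned client: %q err=%v\n", got, err)
	_, err = FetchCertFile(NewAppClient(nil), url) // nil = system roots, which do not include the test CA
	fmt.Println("client without the SaaS root rejected the server:", err != nil)
}
```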
Optionally, on the basis of each embodiment corresponding to fig. 3, in a third optional embodiment of the method for activating authorization provided in the embodiment of the present application, after the SaaS server sends the certificate authorization file to the application server, the method may further include:
the SaaS server receives a serial number sent by the application server, where the serial number is the unique identifier corresponding to the certificate authorization file;
the SaaS server checks the serial number to obtain an authorization activation result;
if the authorization activation result is that the verification is successful, the SaaS server sends authorization information and token information to the application server, wherein the token information is an identity of a user associated with the application server;
the application server stores the authorization information and token information in a local database of the application server;
and if the authorization activation result is verification failure, the SaaS server feeds back the authorization activation result to the application server.
In this embodiment, a method for online activation of authorization is introduced, where a user may import a certificate authorization file after successfully applying for the certificate authorization file, where the certificate authorization file includes a serial number, and one certificate authorization file corresponds to a unique serial number. For convenience of understanding, please refer to fig. 8, where fig. 8 is a schematic flowchart of a process of online activation authorization in an embodiment of the present application, and as shown in the figure, specifically, the enterprise network area mainly includes an enterprise management backend and an enterprise local backend, both the enterprise management backend and the enterprise local backend are deployed on an enterprise server, and the SaaS network area includes a SaaS CGI, a SaaS certificate management system, and a CRM system, where both the SaaS CGI and the SaaS certificate management system are deployed on the SaaS server.
In step B1, the user applies for the certificate authorization file through the CRM, and in step B2, activation authorization or activation time extension may be selected as the case requires, thereby completing the application for the certificate authorization file. In step B3, the application server obtains the certificate authorization file, and in step B4, the application server performs an integrity and validity check on the certificate authorization file; the check may be performed by processing the certificate authorization file through symmetric decryption and asymmetric decryption and then verifying its integrity and validity. After the check succeeds, in steps B5 and B6, the application server sends the serial number to the SaaS server through the HTTPS channel and requests the SaaS server to verify the certificate authorization file, so as to obtain an authorization activation result. In step B7, if the SaaS server determines that the authorization activation result is successful, then in steps B8 to B10 the authorization information (including the authorized number of people, the effective usage duration, the usage range, and the like) and token information are sent to the application server, where the token information is an identity of a user associated with the application server. After the application server encrypts the authorization information and the token information, it writes them into the local database, and the activation authorization is complete.
The token information is a character string generated by the SaaS server and used as a token for the application server's requests: after the first login, the SaaS server generates the token information and returns it to the application server, and thereafter the application server only needs to present the token information when requesting data, without sending the user name and password again.
The certificate authorization file is only used for activating the user deployment environment; once the user deployment environment is activated and needs to use the extranet function, it must request network services from the SaaS server. Token information is mainly ID information used to verify the identity of a user. The token information is generated when the SaaS server is asked to check whether the certificate authorization file is legal: when the certificate authorization file is legal and the user environment is allowed to be created and activated, the certificate system of the SaaS server generates a globally unique identity that is bound to the user enterprise identity, namely the token information. The token information may be used to verify that the identity behind a request is legitimate and may be used to encrypt the requested data.
After receiving the authorization information and the token information, the application server can store the authorization information and the token information in a local database of the application server, so that subsequent use is facilitated. If the authorization activation result is verification failure, the SaaS server feeds back the authorization activation result to the application server, and the application server can select to activate again or directly quit the activation process.
Thirdly, in the embodiment of the present application, an online authorization activation method is provided: the SaaS server receives a serial number sent by the application server, verifies the serial number to obtain an authorization activation result, and, if the authorization activation result is successful verification, sends authorization information and token information to the application server, which then stores the authorization information and the token information in its local database. In this way, the online activation scheme can ensure the security of the whole authorization process as long as the legality of the application server's requests and the security of the data channel are ensured: the serial number is a unique identifier generated after encryption, which guarantees its uniqueness and security; the data interaction channel is an encrypted channel using standard HTTPS, which ensures the security of data transmission in the network; and finally, token information is used for data verification, which reduces the load on the SaaS server, reduces frequent database queries, and makes the SaaS server more robust.
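The online activation exchange of steps B5 to B10, as an added example that is not code from the patent or from Tencent. The SaaS certificate management system is modelled as an in-memory table keyed by serial number; a serial the SaaS server never issued fails the check, a genuine one receives the authorization information (R, T and N from the page) plus freshly generated token information, and the application server writes what it receives into a stand-in local database. The type and function names, the token as 32 random bytes in hex, and the refusal of a second activation for a serial that has already been used (a check the page does not state) are assumptions; the page's encryption of the stored values is left out of this model.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Authorization holds the values the page names: usage function range R, validity T, user count N.
type Authorization struct {
	FunctionRange  string
	ValidityMonths int
	UserCount      int
}

type record struct {
	auth      Authorization
	activated bool
	token     string
}

// CertSystem models the SaaS certificate management system (constructed, in-memory, single-threaded).
type CertSystem struct {
	bySerial map[string]*record // certificate files the SaaS server issued, keyed by serial number
	byToken  map[string]string  // token information -> serial number
}

func NewCertSystem() *CertSystem {
	return &CertSystem{bySerial: map[string]*record{}, byToken: map[string]string{}}
}

// Issue records the serial number of a certificate file generated for an approved order.
func (c *CertSystem) Issue(serial string, auth Authorization) {
	c.bySerial[serial] = &record{auth: auth}
}

// Activate is the online check of steps B5 to B10: only a serial the SaaS server itself issued passes.
// Refusing a second activation of the same serial is an added check the page does not state.
func (c *CertSystem) Activate(serial string) (Authorization, string, error) {
	rec, ok := c.bySerial[serial]
	if !ok {
		return Authorization{}, "", fmt.Errorf("serial %q was not issued by this SaaS server", serial)
	}
	if rec.activated {
		return Authorization{}, "", fmt.Errorf("serial %q has already been activated", serial)
	}
	buf := make([]byte, 32) // token information: a random string, not derived from any user data
	if _, err := rand.Read(buf); err != nil {
		return Authorization{}, "", err
	}
	rec.activated, rec.token = true, hex.EncodeToString(buf)
	c.byToken[rec.token] = serial
	return rec.auth, rec.token, nil
}

// Lookup resolves token information back to its serial; later requests carry only the token.
func (c *CertSystem) Lookup(token string) (string, bool) {
	serial, ok := c.byToken[token]
	return serial, ok
}

// LocalStore stands in for the application server's local database.
type LocalStore struct {
	Auth      Authorization
	Token     string
	Activated bool
}

// ActivateOnline is the application-server side: send the serial, keep what comes back.
// The page says both values are encrypted before being written locally; that step is left out here.
func (l *LocalStore) ActivateOnline(c *CertSystem, serial string) error {
	auth, token, err := c.Activate(serial)
	if err != nil {
		return err // the user may retry the activation or leave the flow
	}
	l.Auth, l.Token, l.Activated = auth, token, true
	return nil
}

func main() {
	saas := NewCertSystem()
	saas.Issue("SN-EXAMPLE-0001", Authorization{FunctionRange: "extranet", ValidityMonths: 3, UserCount: 200})
	var app LocalStore
	fmt.Println("genuine serial:", app.ActivateOnline(saas, "SN-EXAMPLE-0001"), app.Activated)
	fmt.Println("forged serial:", app.ActivateOnline(saas, "SN-FORGED-0000"))
}
```

Because the SaaS side keeps the serial-to-token mapping, a later request that carries only token information can still be traced to the certificate file and enterprise it was issued for, which is the binding the text describes.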
Optionally, on the basis of the foregoing embodiments corresponding to fig. 3, in a fourth optional embodiment of the method for activating authorization provided in the embodiment of the present application, after the application server stores the authorization information in the local database of the application server, the method may further include:
the SaaS server receives a token information verification request periodically sent by the application server;
the SaaS server verifies the token information according to the token information verification request to obtain an information verification result;
if the information verification result is successful, the SaaS server sends authorization information to the application server;
the application server updates the authorization information to a local database.
In this embodiment, a timed verification method in the online state is introduced. In order to further monitor the service use of the application server, the application server may periodically send a token information verification request to the SaaS server while in the networked state. For easy understanding, please refer to fig. 9, where fig. 9 is a schematic flowchart of a timed check based on the online status in an embodiment of the present application. As shown in the figure, in step C1, a user logs in to the application server with an account and password. In steps C2 and C3, the application server sends a token information verification request to the SaaS server. In step C4, the SaaS server verifies the token information according to the token information verification request and obtains an information verification result. In steps C5 and C6, if the information verification result is successful verification, the SaaS server sends the authorization information to the application server, and in step C7, the application server updates the received authorization information into the local database regardless of whether the authorization information has changed.
If the information verification result is verification failure, the SaaS server can notify the application server and can also stop the authorization of the application server.
Therefore, because the application server uses its token information to request the certificate system on the SaaS server side, and because of the logic of the timed detection, the user's authorization information (the usage function range R, the usage validity period T, and the number of users N) is guaranteed to be used as authorized. The application server can regularly initiate a request to the authorization system of the SaaS server to verify its local data, and if an abnormal usage range, validity duration or number of users is found, it can be flagged and corrected in time.
Further, in the embodiment of the present application, a timing verification method in a networked state is provided, where a SaaS server receives a token information verification request periodically sent by an application server, and then the SaaS server verifies token information according to the token information verification request to obtain an information verification result, and if the information verification result is successful, the SaaS server sends authorization information to the application server, and finally the application server updates the authorization information to a local database. Through the mode, in a networking state, the SaaS server can also monitor the use condition of the application server at regular time, and prevent malicious tampering of authorization information such as use duration, number of users and use range on one side of the application server, so that the reliability and safety of privatized deployment are improved.
Optionally, on the basis of each embodiment corresponding to fig. 3, in a fifth optional embodiment of the method for activating authorization provided in the embodiment of the present application, after the SaaS server sends the certificate authorization file to the application server, the method may further include:
the SaaS server receives an authorization activation message sent by the application server;
the SaaS server determines effective use duration according to the authorization activation message;
when detecting that the use duration of the application server reaches the effective use duration, the SaaS server sends an authorization termination request to the application server;
the application server enters an inactivated state according to the authorization termination request.
In this embodiment, a certificate validity processing method based on an online (i.e., external network connection) state is introduced. In a networked state, the application server and the SaaS server may communicate in real time, and thus, the application server may receive a request or an instruction sent by the SaaS server in the networked state. After the application server completes authorization activation, an authorization activation message can be sent to the SaaS server, the SaaS server knows that the current application server has activated authorization after obtaining the authorization activation message, and then the effective use duration of the authorization activation is confirmed, and countdown is started. The effective duration is a relative time, for example, 3 months, and thus the effective duration does not change. The SaaS server counts down from the moment when the application server completes authorization activation, and when the SaaS server detects that the use duration reaches the effective use duration, an authorization termination request is sent to the application server, so that the application server enters an inactivated state.
Specifically, for example, if the effective use duration is 3 months and the enterprise activates its authorization on April 25, 2019, the expiration time is July 25, 2019, and the length of the authorized period does not change even if the user modifies the current system time.
Further, in the embodiment of the present application, a certificate validity processing mode based on a networked state is provided: the SaaS server first receives an authorization activation message sent by the application server, then determines an effective use duration according to the authorization activation message, and when the SaaS server detects that the use duration of the application server has reached the effective use duration, it sends an authorization termination request to the application server, so that the application server enters an inactive state according to the authorization termination request. In this way the validity period of the certificate authorization file can be effectively enforced: a relative duration is used as the authorization duration, so the usable duration of the certificate authorization file cannot be changed even if a user modifies the system time, which improves the reliability of privatized deployment. In addition, in a networked state the system time of the SaaS server takes precedence, which further improves the reliability of the scheme.
Optionally, on the basis of each embodiment corresponding to fig. 3, in a sixth optional embodiment of the method for activating authorization provided in the embodiment of the present application, after the SaaS server receives a certificate authorization request sent by the client, the method may further include:
the SaaS server generates token information according to the certificate authorization request, where the token information is an identity of a user associated with the application server; and
the step in which the SaaS server sends the certificate authorization file to the application server, so that the application server determines an authorization activation result according to the certificate authorization file and stores authorization information in a local database of the application server according to the authorization activation result, includes:
the SaaS server sends the certificate authorization file and the token information to the application server;
the application server verifies the certificate authorization file and the token information to determine the authorization activation result; and
if the authorization activation result is that verification succeeded, the application server stores the authorization information in the local database of the application server.
In this embodiment, an offline activation authorization method is introduced. After a user installs the service, the token information and the certificate authorization file may be imported by email, short message (SMS), or another channel. It is understood that the token information is generated by the SaaS server according to the certificate authorization request. For ease of understanding, refer to fig. 10, which is a schematic flow chart of offline activation authorization in the embodiment of the present application. In step D1, the user applies for the certificate authorization file through the CRM; in step D2, activation authorization or an extension of the activation time may be selected according to the situation, completing the application for the certificate authorization file. In step D3, the SaaS server generates the token information. In step D4, the user imports the certificate authorization file and the token information through the application server, and in step D5 the application server verifies them: specifically, it verifies the integrity and validity of the imported certificate authorization file with the decryption key packaged at installation time, and verifies the validity period and identity information carried by the token information, to obtain an authorization activation result. In step D6, if the authorization activation result is that verification succeeded, the application server stores the authorization information in its local database. In step D7, the user is prompted that activation authorization is complete.
Third, in the embodiment of the present application, an offline activation authorization method is provided: the SaaS server generates token information according to a certificate authorization request; the application server, in an offline state, obtains the certificate authorization file and the token information generated by the SaaS server, verifies the certificate authorization file and the token information, and determines an authorization activation result; and if the authorization activation result is that verification succeeded, the application server stores the authorization information in its local database. In this way, the application server can verify the token information generated from the certificate authorization request while offline, so that the security and reliability of privatized deployment are achieved even when the application server is not networked.
With reference to the above description, the following describes a method for activating authorization from the perspective of an application server, and referring to fig. 11, an embodiment of the method for activating authorization in this embodiment of the present application includes:
201. The application server obtains a certificate authorization file, where the certificate authorization file is generated by a software as a service (SaaS) server according to a certificate authorization request, the certificate authorization request carries usage subject information, and the usage subject information includes user information associated with the application server.
In this embodiment, after the SaaS server generates the certificate authorization file, the application server may obtain the certificate authorization file from the SaaS server. The certificate authorization file comprises certificate information, which is used for activation and verification of the user's deployment environment and records the relevant legal information of the current deployment environment and enterprise; the certificate information includes, but is not limited to, a model, a certificate type, the number of registered users, the subscription permission time, and a certificate purchase type.
The SaaS server generates the certificate authorization file according to the certificate authorization request sent by the client. The certificate authorization request carries usage subject information, which includes user information associated with the application server; the usage subject information records the information produced when the enterprise registers and configures its deployment environment after the order contract is approved in the CRM system. For details, reference may be made to the embodiments corresponding to fig. 3, which are not described here again.
202. The application server determines an authorization activation result according to the certificate authorization file;
in this embodiment, the application server determines the authorization activation result according to the certificate authorization file, and it can be understood that, in actual application, the manner of determining the authorization activation result may be through offline verification or online verification. If the authorization activation result is successful, the application server can store the authorization information in a local database of the application server, and the authorization information is derived from the certificate authorization file.
For details, reference may be made to each embodiment corresponding to fig. 3, which is not described herein again.
203. The application server stores the authorization information in a local database of the application server according to the authorization activation result, where the authorization information is derived from the certificate authorization file.
In this embodiment, the application server determines an authorization activation result according to the certificate authorization file, and stores authorization information in a local database of the application server according to the authorization activation result, where the authorization information is derived from the certificate authorization file. Specifically, if the authorization activation result is successful, the application server stores the authorization information in a local database of the application server.
In the embodiment of the application, an authorization activation method is provided, and includes that an application server obtains a certificate authorization file, wherein the certificate authorization file is generated by a software as a service (SaaS) server according to a certificate authorization request, the certificate authorization request carries usage subject information, the usage subject information includes user information associated with the application server, an authorization activation result is determined according to the certificate authorization file, and finally, the application server stores authorization information in a local database of the application server according to the authorization activation result, and the authorization information is derived from the certificate authorization file. Through the mode, the application server can acquire the authorization information from the SaaS server, so that the privatized deployment of enterprise data can be realized, the safety of data storage is improved, and the potential safety hazard that the data is leaked is reduced.
Optionally, on the basis of the foregoing embodiments corresponding to fig. 11, in a first optional embodiment of the method for activating authorization provided in the embodiment of the present application, the method further includes:
the application server acquires the effective use duration;
and when detecting that the use duration of the application server reaches the effective use duration, the application server enters an inactivated state.
In this embodiment, a certificate validity processing method based on an offline (i.e., no external network) state is introduced. In an offline state, the application server and the SaaS server cannot communicate in real time; therefore, the application server itself determines the effective use duration according to the authorization information. The effective use duration is a relative length of time, for example 3 months, and therefore does not change. The application server counts down from the moment it completes authorization activation, and enters an inactivated state when it detects that the use duration has reached the effective use duration.
Specifically, for example, if the effective use duration is 3 months and the enterprise activates its authorization on April 25, 2019, the expiration time is July 25, 2019, and the length of the authorized period does not change even if the user modifies the current system time.
Second, in the embodiment of the present application, a certificate validity processing mode based on an offline state is provided: the application server first obtains an effective use duration, and when it detects that its use duration has reached the effective use duration, the application server enters an inactive state. In this way the validity period of the certificate authorization file can be effectively enforced: a relative duration is used as the authorization duration, so the usable duration of the certificate authorization file cannot be changed even if a user modifies the system time, which improves the reliability of privatized deployment.
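The following is an added worked example, not code from the patent application, illustrating the relative-duration countdown described for both the networked (SaaS-side) and offline (application-server-side) cases. It assumes a monotonic time source (what `time.monotonic()` provides in a real process) and keeps the accumulated used time as state, which a real implementation would persist in the local database between restarts; the `naive_is_active` check, `RelativeLicenseTimer` class and the constructed scenario in `simulate_clock_rollback` are this example's own names, not the patent's.

```python
import calendar
from datetime import date

DAY = 86400.0


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic for a relative validity period.

    2019-04-25 + 3 months -> 2019-07-25. The day is clamped to the last day
    of the target month when the source day does not exist there.
    """
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def naive_is_active(wall_clock_today: date, expires_on: date) -> bool:
    """The weak check: it trusts the system date, so winding the clock back
    makes an expired authorization look active again."""
    return wall_clock_today < expires_on


class RelativeLicenseTimer:
    """Counts down the effective use duration from the moment of activation.

    Usage is accumulated from a monotonic time source, which the user cannot
    set backwards; the wall clock is never consulted, so changing the system
    time does not change how long the certificate authorization file remains
    usable. The same logic can run on the SaaS server (online mode) or on the
    application server (offline mode). `used_seconds` is the value a real
    implementation would persist in the local database, because a monotonic
    clock restarts from zero with the process.
    """

    def __init__(self, activated_on: date, effective_months: int, monotonic_now: float):
        self.activated_on = activated_on
        self.expires_on = add_months(activated_on, effective_months)
        self.effective_seconds = (self.expires_on - activated_on).total_seconds()
        self.used_seconds = 0.0
        self._last_monotonic = monotonic_now

    def tick(self, monotonic_now: float) -> None:
        """Accumulate the monotonic time elapsed since the previous tick."""
        elapsed = monotonic_now - self._last_monotonic
        if elapsed > 0:  # a monotonic clock never runs backwards; guard anyway
            self.used_seconds += elapsed
        self._last_monotonic = monotonic_now

    def is_active(self) -> bool:
        return self.used_seconds < self.effective_seconds

    def remaining_days(self) -> float:
        return max(0.0, (self.effective_seconds - self.used_seconds) / DAY)


def simulate_clock_rollback() -> dict:
    """Constructed scenario: activation on 2019-04-25 with a 3-month duration
    (91 days). After the full duration has really elapsed, the user winds the
    system date back to 2019-05-01. The naive check is fooled; the relative
    timer is not.
    """
    timer = RelativeLicenseTimer(date(2019, 4, 25), 3, monotonic_now=0.0)
    timer.tick(90 * DAY)            # still inside the 91-day window
    active_at_day_90 = timer.is_active()
    timer.tick(91 * DAY + 1.0)      # one second past the effective duration
    return {
        "expires_on": timer.expires_on,
        "active_at_day_90": active_at_day_90,
        "active_after_expiry": timer.is_active(),
        "naive_check_after_rollback": naive_is_active(date(2019, 5, 1), timer.expires_on),
    }


if __name__ == "__main__":
    print(simulate_clock_rollback())
```

On the application server the timer must be fed from a source the user cannot adjust and its accumulated value must be written to the local database on every tick; on the SaaS server the same class is driven by the server's own clock, which the page states takes precedence in the networked case.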
Referring to fig. 12, fig. 12 is a schematic diagram of an embodiment of the activation authorization apparatus in the embodiment of the present application, and the activation authorization apparatus 30 includes:
a receiving module 301, configured to receive a certificate authorization request sent by a client, where the certificate authorization request carries usage subject information, and the usage subject information includes user information associated with an application server;
a generating module 302, configured to generate a certificate authorization file according to the certificate authorization request received by the receiving module 301;
a sending module 303, configured to send the certificate authorization file generated by the generating module 302 to the application server, so that the application server determines an authorization activation result according to the certificate authorization file, and stores authorization information in a local database of the application server according to the authorization activation result, where the authorization information is derived from the certificate authorization file.
In this embodiment, a receiving module 301 receives a certificate authorization request sent by a client, where the certificate authorization request carries usage subject information, the usage subject information includes user information associated with an application server, a generating module 302 generates a certificate authorization file according to the certificate authorization request received by the receiving module 301, and a sending module 303 sends the certificate authorization file generated by the generating module 302 to the application server, so that the application server determines an authorization activation result according to the certificate authorization file, and stores authorization information in a local database of the application server according to the authorization activation result, where the authorization information is derived from the certificate authorization file.
In the embodiment of the application, an activation authorization device is provided, where a SaaS server receives a certificate authorization request sent by a client, where the certificate authorization request carries usage subject information, the usage subject information includes user side information associated with an application server, the SaaS server generates a certificate authorization file according to the certificate authorization request, and finally the SaaS server sends the certificate authorization file to the application server, so that the application server determines an authorization activation result according to the certificate authorization file, and stores authorization information in a local database of the application server according to the authorization activation result, where the authorization information is derived from the certificate authorization file. Through the mode, the application server can acquire the authorization information from the SaaS server, so that the privatized deployment of enterprise data can be realized, the safety of data storage is improved, and the potential safety hazard that the data is leaked is reduced.
Optionally, on the basis of the embodiment corresponding to fig. 12, in another embodiment of the activation authorization apparatus 30 provided in the embodiment of the present application,
the generating module 302 is specifically configured to obtain certificate source data according to the certificate authorization request;
encrypt the certificate source data using a first key to obtain a certificate file to be encrypted;
encrypt the first key using a second key to obtain a signature data segment; and
encrypt the certificate file to be encrypted and the signature data segment using a third key to obtain the certificate authorization file.
Second, in the embodiment of the present application, a method for generating a certificate authorization file is provided: the SaaS server first obtains certificate source data according to the certificate authorization request, then encrypts the certificate source data with a first key to obtain a certificate file to be encrypted, encrypts the first key with a second key to obtain a signature data segment, and finally encrypts the certificate file to be encrypted and the signature data segment with a third key to obtain the certificate authorization file. In this way, symmetric encryption of the certificate source data is fast to encrypt and decrypt, the string produced by symmetric encryption is smaller than the original source data, and the symmetric key is protected by an asymmetric signature, which improves both security and encryption/decryption performance.
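The following is an added worked example, not code from the patent application, showing the three-key layering described above on the SaaS side and the matching verification the application server performs in the offline flow (integrity check of the imported file using the key packaged at installation time). It uses only the Python standard library, so two substitutions are assumptions of this example: the symmetric layers use HMAC-SHA256 in counter mode with an encrypt-then-MAC tag (a production build would use AES-GCM or similar), and the "signature data segment" that protects the first key is produced with keyed HMAC under the second key rather than the asymmetric signature the page describes (in production the second key would be a signing key pair, with the public half packaged into the installer). The function names, the `SAMPLE_SOURCE` record and the key values are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32

# Constructed certificate source data, using the fields the page lists
# (model, certificate type, registered users, subscription time, purchase type).
SAMPLE_SOURCE = {
    "model": "enterprise",
    "certificate_type": "subscription",
    "registered_users": 200,
    "subscription_time": "3 months",
    "purchase_type": "annual",
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stdlib-only stand-in for a real stream cipher."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes, nonce=None) -> bytes:
    """Encrypt-then-MAC with sub-keys derived from `key`. Output: nonce || ciphertext || tag."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modification raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated blob")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def build_certificate_file(certificate_source: dict, key1: bytes, key2: bytes, key3: bytes) -> bytes:
    """SaaS side: the three-key layering from the page."""
    # Step 1: first key (symmetric) encrypts the certificate source data.
    cert_to_encrypt = seal(key1, json.dumps(certificate_source, sort_keys=True).encode())
    # Step 2: second key protects the first key -> "signature data segment"
    # (keyed HMAC here; asymmetric signature in the page's scheme).
    signature_segment = seal(key2, key1)
    # Step 3: third key wraps both parts into the certificate authorization file.
    inner = struct.pack(">I", len(cert_to_encrypt)) + cert_to_encrypt + signature_segment
    return seal(key3, inner)


def verify_certificate_file(blob: bytes, key2: bytes, key3: bytes) -> dict:
    """Application server side: key2 and key3 are packaged at install time;
    key1 is recovered from the file itself. Each layer is integrity-checked
    before its contents are parsed."""
    inner = open_sealed(key3, blob)
    (n,) = struct.unpack(">I", inner[:4])
    cert_to_encrypt, signature_segment = inner[4:4 + n], inner[4 + n:]
    key1 = open_sealed(key2, signature_segment)
    return json.loads(open_sealed(key1, cert_to_encrypt))


def is_intact(blob: bytes, key2: bytes, key3: bytes) -> bool:
    """Authorization activation result for the import check: True only if every layer verifies."""
    try:
        verify_certificate_file(blob, key2, key3)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    k1, k2, k3 = os.urandom(32), os.urandom(32), os.urandom(32)
    cert_file = build_certificate_file(SAMPLE_SOURCE, k1, k2, k3)
    print(verify_certificate_file(cert_file, k2, k3))
```

The practitioner's check lives in `open_sealed`: the tag is compared in constant time and rejected before any decryption or JSON parsing, so a modified or truncated file never reaches the parser; the outermost layer (third key) fails first if the file was altered in transit.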
Optionally, on the basis of the embodiment corresponding to fig. 12, in another embodiment of the activation authorization apparatus 30 provided in the embodiment of the present application,
the sending module 303 is specifically configured to send the certificate authorization file to the application server through a hypertext transfer protocol secure (HTTPS) channel.
Second, in the embodiment of the present application, a data transmission method between the SaaS server and the application server is provided: the SaaS server sends the certificate authorization file to the application server through an HTTPS channel. In this way the security of data transmission is improved; the transmission of certificate authorization files in particular requires a more reliable transmission environment, and transmitting them over an HTTPS channel prevents the data from being hijacked or tampered with during the activation and verification processes.
Optionally, on the basis of the embodiment corresponding to fig. 12, please refer to fig. 13, in another embodiment of the activation authorization apparatus 30 provided in the embodiment of the present application, the activation authorization apparatus 30 further includes a verification module 304;
the receiving module 301 is further configured to receive a serial number sent by the application server after the sending module 303 sends the certificate authorization file to the application server, where the serial number is a unique identifier corresponding to the certificate authorization file;
the checking module 304 is configured to check the serial number received by the receiving module 301 to obtain the authorization activation result;
the sending module 303 is further configured to send the authorization information and token information to the application server if the authorization activation result obtained through the verification by the verification module 304 is a verification success, where the token information is an identity of a user associated with the application server;
the sending module 303 is further configured to feed back the authorization activation result to the application server if the authorization activation result obtained through the verification by the verifying module 304 is a verification failure.
Third, in the embodiment of the present application, an online authorization activation method is provided: the SaaS server receives a serial number sent by the application server, verifies the serial number to obtain an authorization activation result, and, if the authorization activation result is that verification succeeded, sends authorization information and token information to the application server, which then stores the authorization information and the token information in its local database. In this way, the online activation scheme can ensure the security of the whole authorization process provided only that the legitimacy of the application server's request and the security of the data channel are ensured; the serial number is a unique identifier generated after encryption, which ensures its uniqueness and security; the data interaction channel is an encrypted channel using standard HTTPS, which ensures the security of data transmission over the network; and finally, token information is used for data verification, which reduces the load on the SaaS server and the frequency of database queries, making the SaaS server more robust.
Optionally, on the basis of the embodiment corresponding to fig. 13, in another embodiment of the activation authorization apparatus 30 provided in the embodiment of the present application,
the receiving module 301 is further configured to receive a token information verification request periodically sent by the application server;
the verifying module 304 is further configured to verify the token information according to the token information verifying request received by the receiving module 301, so as to obtain an information verifying result;
the sending module 303 is further configured to send the authorization information to the application server if the information verification result obtained by the verification performed by the verification module 304 is a verification success, so that the application server updates the authorization information to the local database.
Further, in the embodiment of the present application, a periodic verification method in a networked state is provided: the SaaS server receives a token information verification request periodically sent by the application server, verifies the token information according to that request to obtain an information verification result, and, if the information verification result is that verification succeeded, sends the authorization information to the application server, which finally updates the authorization information in its local database. In this way, in a networked state the SaaS server can also monitor the usage of the application server at regular intervals and prevent malicious tampering, on the application server side, with authorization information such as the use duration, the number of users and the scope of use, so that the reliability and security of privatized deployment are improved.
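The following is an added worked example, not code from the patent application, showing why token information lets the SaaS server verify the application server's periodic requests without a database query: the token carries the identity of the user associated with the application server and an expiry, and is authenticated by a signature, so verification needs only the signing key. It serves both the token issued after a successful serial-number check (online activation) and the periodic token verification request above; in the offline flow the same `verify_token` logic would run on the application server if the verification key is packaged with the installer. The page does not specify a token format, so the HMAC-SHA256 construction, the claim names (`uid`, `srv`, `iat`, `exp`), the `AUTHORIZATION_STORE` record and all key values are constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed authorization information the SaaS server returns on a
# successful periodic check; the application server overwrites its local
# copy with it, so local edits to these fields do not survive the next check.
AUTHORIZATION_STORE = {
    "srv-A": {"use_duration_months": 3, "user_limit": 200, "scope": "enterprise"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(signing_key: bytes, user_id: str, app_server_id: str,
                issued_at: int, valid_seconds: int) -> str:
    """SaaS side: token binding the user identity to one application server, with expiry."""
    claims = {"uid": user_id, "srv": app_server_id, "iat": issued_at, "exp": issued_at + valid_seconds}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(signing_key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_token(signing_key: bytes, token: str, now: int, expected_app_server_id: str) -> dict:
    """Verify without any database lookup. Signature is checked before the
    body is parsed, so unauthenticated input never reaches the JSON decoder."""
    try:
        body, sig_text = token.split(".", 1)
        sig = _unb64(sig_text)
    except (ValueError, binascii.Error):
        return {"ok": False, "reason": "malformed", "claims": None}
    expected = hmac.new(signing_key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return {"ok": False, "reason": "bad signature", "claims": None}
    claims = json.loads(_unb64(body))
    if claims.get("srv") != expected_app_server_id:
        return {"ok": False, "reason": "wrong application server", "claims": claims}
    if now >= claims["exp"]:
        return {"ok": False, "reason": "expired", "claims": claims}
    return {"ok": True, "reason": "", "claims": claims}


def handle_periodic_check(signing_key: bytes, token: str, now: int, app_server_id: str):
    """SaaS side handler for the periodic token verification request:
    returns the authorization information on success, None on failure."""
    result = verify_token(signing_key, token, now, app_server_id)
    if not result["ok"]:
        return None
    return AUTHORIZATION_STORE.get(app_server_id)


def forge_claims(token: str, **changes) -> str:
    """Build a token whose claims were edited but whose signature was kept,
    to show that the signature check rejects a modified user identity."""
    body, sig_text = token.split(".", 1)
    claims = json.loads(_unb64(body))
    claims.update(changes)
    new_body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return new_body + "." + sig_text


if __name__ == "__main__":
    key = b"constructed-signing-key"
    tok = issue_token(key, "user-1", "srv-A", issued_at=1_000_000, valid_seconds=3600)
    print(handle_periodic_check(key, tok, now=1_000_100, app_server_id="srv-A"))
    print(verify_token(key, forge_claims(tok, uid="user-2"), 1_000_100, "srv-A"))
```

Binding the token to the application server identifier (`srv`) matters as much as the expiry: it stops a token issued to one deployment from being replayed by another, which a signature alone would not prevent.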
Optionally, on the basis of the embodiment corresponding to fig. 12 or fig. 13, please refer to fig. 14, in another embodiment of the activation authorization apparatus 30 provided in the embodiment of the present application, the activation authorization apparatus further includes a determining module 305;
the receiving module 301 is further configured to receive an authorization activation message sent by the application server after the sending module 303 sends the certificate authorization file to the application server;
the determining module 305 is configured to determine a valid usage duration according to the authorization activation message received by the receiving module 301;
the sending module 303 is further configured to send an authorization termination request to the application server when it is detected that the usage duration of the application server reaches the effective usage duration determined by the determining module 305, so that the application server enters an inactive state according to the authorization termination request.
Further, in the embodiment of the present application, a certificate validity processing mode based on a networked state is provided: the SaaS server first receives an authorization activation message sent by the application server, then determines an effective use duration according to the authorization activation message, and when the SaaS server detects that the use duration of the application server has reached the effective use duration, it sends an authorization termination request to the application server, so that the application server enters an inactive state according to the authorization termination request. In this way the validity period of the certificate authorization file can be effectively enforced: a relative duration is used as the authorization duration, so the usable duration of the certificate authorization file cannot be changed even if a user modifies the system time, which improves the reliability of privatized deployment. In addition, in a networked state the system time of the SaaS server takes precedence, which further improves the reliability of the scheme.
Optionally, on the basis of the above-mentioned embodiment corresponding to fig. 12, 13 or 14, in another embodiment of the activation authorization apparatus 30 provided in the embodiment of the present application,
the generating module 302 is further configured to, after the receiving module 301 receives a certificate authorization request sent by a client, generate token information according to the certificate authorization request, where the token information is an identity of a user associated with the application server;
the sending module 303 is specifically configured to send the certificate authorization file and the token information to the application server, so that the application server verifies the certificate authorization file and the token information, determines the authorization activation result, and stores the authorization information in the local database of the application server if the authorization activation result is successful in verification.
Third, in the embodiment of the present application, an offline activation authorization method is provided: the SaaS server generates token information according to a certificate authorization request; the application server, in an offline state, obtains the certificate authorization file and the token information generated by the SaaS server, verifies the certificate authorization file and the token information, and determines an authorization activation result; and if the authorization activation result is that verification succeeded, the application server stores the authorization information in its local database. In this way, the application server can verify the token information generated from the certificate authorization request while offline, so that the security and reliability of privatized deployment are achieved even when the application server is not networked.
Referring to fig. 15, fig. 15 is a schematic view of an embodiment of the activation authorization apparatus in the embodiment of the present application, and the activation authorization apparatus 40 includes:
an obtaining module 401, configured to obtain a certificate authorization file, where the certificate authorization file is generated by a software as a service (SaaS) server according to the certificate authorization request, the certificate authorization request carries usage subject information, and the usage subject information includes user information associated with an application server;
a determining module 402, configured to determine an authorization activation result according to the certificate authorization file acquired by the acquiring module 401;
a storage module 403, configured to store, according to the authorization activation result determined by the determining module 402, authorization information in a local database of the application server, where the authorization information is derived from the certificate authorization file.
In this embodiment, an obtaining module 401 obtains a certificate authorization file, where the certificate authorization file is generated by a software as a service (SaaS) server according to a certificate authorization request, the certificate authorization request carries usage subject information, and the usage subject information includes user information associated with an application server; a determining module 402 determines an authorization activation result according to the certificate authorization file obtained by the obtaining module 401; and a storage module 403 stores authorization information in a local database of the application server according to the authorization activation result determined by the determining module 402, where the authorization information is derived from the certificate authorization file.
In the embodiment of the application, an authorization activation method is provided, and includes that an application server obtains a certificate authorization file, wherein the certificate authorization file is generated by a software as a service (SaaS) server according to a certificate authorization request, the certificate authorization request carries usage subject information, the usage subject information includes user information associated with the application server, an authorization activation result is determined according to the certificate authorization file, and finally, the application server stores authorization information in a local database of the application server according to the authorization activation result, and the authorization information is derived from the certificate authorization file. Through the mode, the application server can acquire the authorization information from the SaaS server, so that the privatized deployment of enterprise data can be realized, the safety of data storage is improved, and the potential safety hazard that the data is leaked is reduced.
Alternatively, on the basis of the embodiment corresponding to fig. 15, in another embodiment of the activation authorization apparatus 40 provided in the embodiment of the present application,
the determining module 402 is specifically configured to send a serial number to the SaaS server, so that the SaaS server verifies the serial number to obtain the authorization activation result, where the serial number is a unique identifier corresponding to the certificate authorization file;
the storage module 403 is specifically configured to receive the authorization information and token information sent by the SaaS server if the authorization activation result is that verification is successful, where the token information is an identity of a user associated with an application server;
storing the authorization information and the token information in the local database of the application server.
Third, in the embodiment of the present application, an online authorization activation method is provided: the SaaS server receives a serial number sent by the application server, verifies the serial number to obtain an authorization activation result, and, if the authorization activation result is that verification succeeded, sends authorization information and token information to the application server, which then stores the authorization information and the token information in its local database. In this way, the online activation scheme can ensure the security of the whole authorization process provided only that the legitimacy of the application server's request and the security of the data channel are ensured; the serial number is a unique identifier generated after encryption, which ensures its uniqueness and security; the data interaction channel is an encrypted channel using standard HTTPS, which ensures the security of data transmission over the network; and finally, token information is used for data verification, which reduces the load on the SaaS server and the frequency of database queries, making the SaaS server more robust.
Optionally, on the basis of the embodiment corresponding to fig. 15, please refer to fig. 16, in another embodiment of the activation authorization apparatus 40 provided in the embodiment of the present application, the activation authorization apparatus 40 further includes a sending module 404, a receiving module 405, and an updating module 406;
the sending module 404 is configured to, after the storage module 403 stores the authorization information in the local database of the application server according to the authorization activation result, periodically send a token information verification request to the SaaS server, so that the SaaS server verifies the token information according to the token information verification request to obtain an information verification result;
the receiving module 405 is configured to receive the authorization information sent by the SaaS server if the information verification result is that verification is successful;
the updating module 406 is configured to update the authorization information received by the receiving module 405 into the local database.
Further, the embodiment of the present application provides a periodic verification method for the networked state: the SaaS server receives a token information verification request sent periodically by the application server, verifies the token information according to that request to obtain an information verification result, and, if the information verification result is that verification succeeded, sends the authorization information to the application server, which finally updates the authorization information in its local database. In this way, in the networked state the SaaS server can also monitor the usage of the application server at regular intervals and prevent malicious tampering on the application server side with authorization information such as the usage duration, the number of users and the usage scope, which improves the reliability and security of privatized deployment.
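The online activation exchange and the periodic token verification described in the two passages above, as an added Python example that is not the patent's or Tencent's code. The patent does not fix a token format, so this example assumes an HMAC-SHA256 token that lets the SaaS server settle who is asking without a user lookup; the HTTPS channel is replaced by direct method calls, and the serial-number registry, key and authorization values are constructed for the example.

```python
"""Online activation followed by periodic token re-verification (added example).

Models the exchange the text describes between the SaaS server and a
privately deployed application server. The HTTPS channel is assumed and
replaced by direct method calls; the serial-number registry, the token
key and the authorization data are constructed sample values.
"""
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SaaSServer:
    """Checks serial numbers, issues MAC-protected tokens and re-verifies them."""

    def __init__(self, token_key: bytes, serial_registry: dict):
        self._key = token_key
        self._serials = serial_registry   # serial -> {"user", "authorization"}; constructed

    def activate(self, serial: str) -> dict:
        """Serial-number check: unknown or already-used serials fail activation."""
        record = self._serials.get(serial)
        if record is None or record.get("activated"):
            return {"result": "failure"}
        record["activated"] = True
        body = _b64(json.dumps({"user": record["user"], "serial": serial}, sort_keys=True).encode())
        token = f"{body}.{_b64(self._mac(body))}"
        return {"result": "success", "authorization": record["authorization"], "token": token}

    def verify_token(self, token: str) -> dict:
        """Token check. The MAC settles authenticity without a user lookup; one
        registry read then returns the authoritative authorization information."""
        try:
            body, mac = token.rsplit(".", 1)
        except ValueError:
            return {"result": "failure"}
        if not hmac.compare_digest(_b64(self._mac(body)), mac):
            return {"result": "failure"}
        claims = json.loads(_unb64(body))
        record = self._serials.get(claims.get("serial"))
        if record is None or not record.get("activated") or record["user"] != claims.get("user"):
            return {"result": "failure"}
        return {"result": "success", "authorization": record["authorization"]}

    def _mac(self, body: str) -> bytes:
        return hmac.new(self._key, body.encode(), hashlib.sha256).digest()


class ApplicationServer:
    """Keeps authorization information in a local database and refreshes it periodically."""

    def __init__(self, saas: SaaSServer):
        self._saas = saas
        self.local_db: dict = {}          # stands in for the local database

    def activate_online(self, serial: str) -> bool:
        reply = self._saas.activate(serial)
        if reply["result"] != "success":
            return False
        self.local_db["authorization"] = dict(reply["authorization"])
        self.local_db["token"] = reply["token"]
        return True

    def periodic_refresh(self) -> bool:
        """Periodic token verification request; the SaaS copy overwrites local edits."""
        token = self.local_db.get("token")
        if token is None:
            return False
        reply = self._saas.verify_token(token)
        if reply["result"] != "success":
            return False
        self.local_db["authorization"] = dict(reply["authorization"])
        return True


def demo() -> dict:
    # Constructed registry: one serial, one tenant, one authorization record.
    registry = {"SN-DEMO-0001": {"user": "tenant-a",
                "authorization": {"max_users": 50, "duration_days": 365, "scope": "site"}}}
    saas = SaaSServer(b"constructed-token-key", registry)
    app = ApplicationServer(saas)
    activated = app.activate_online("SN-DEMO-0001")
    replayed = app.activate_online("SN-DEMO-0001")            # second use of the serial fails
    app.local_db["authorization"]["max_users"] = 5000         # tampering on the application side
    refreshed = app.periodic_refresh()
    return {"activated": activated, "replay_rejected": not replayed,
            "refreshed": refreshed, "max_users": app.local_db["authorization"]["max_users"]}
```

The refresh step is what makes local edits to the user count or scope short-lived: the SaaS record, not the local database, is copied back on every successful verification, and a token whose MAC fails is rejected before any registry access.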
Optionally, on the basis of the embodiment corresponding to fig. 16, please refer to fig. 17, in another embodiment of the activation authorization apparatus 40 provided in the embodiment of the present application, the activation authorization apparatus 40 further includes an entry module 407;
the sending module 404 is further configured to, after the storage module 403 stores authorization information in a local database of the application server according to the authorization activation result, send an authorization activation message to the SaaS server, so that the SaaS server determines an effective use duration according to the authorization activation message;
the receiving module 405 is further configured to receive an authorization termination request sent by the SaaS server when the SaaS server detects that the usage duration of the application server reaches the effective usage duration;
the entering module 407 is configured to enter an inactive state according to the authorization termination request received by the receiving module 405.
Further, the embodiment of the present application provides a way of handling the certificate validity period in the networked state: the SaaS server first receives an authorization activation message sent by the application server, determines an effective usage duration according to the authorization activation message, and, when it detects that the usage duration of the application server has reached the effective usage duration, sends an authorization termination request to the application server, so that the application server enters an inactive state according to the authorization termination request. In this way the usage validity period of the certificate authorization file is effectively guaranteed: a relative effective duration is used as the authorization duration, so the usage duration of the certificate authorization file cannot be changed even if a user modifies the system time, which improves the reliability of privatized deployment. In addition, in the networked state the system time of the SaaS server takes precedence, which further improves the reliability of the scheme.
Alternatively, on the basis of the above-mentioned embodiments corresponding to fig. 15, 16 or 17, in another embodiment of the activation authorization apparatus 40 provided in the embodiment of the present application,
the obtaining module 401 is specifically configured to obtain the certificate authorization file and token information, where the token information is an identity of a user associated with the application server;
the determining module 402 is specifically configured to verify the certificate authorization file and the token information, and determine the authorization activation result;
the storage module 403 is specifically configured to store the authorization information in the local database of the application server if the authorization activation result is that verification is successful.
Thirdly, the embodiment of the present application provides an offline activation authorization method: the SaaS server generates token information according to the certificate authorization request; the application server, in the offline state, obtains the certificate authorization file and the token information generated by the SaaS server, verifies the certificate authorization file and the token information, and determines the authorization activation result; if the authorization activation result is that verification succeeded, the application server stores the authorization information in its local database. In this way, the application server can verify the token information generated for the certificate authorization request while offline, so the security and reliability of privatized deployment are achieved even when the application server is not networked.
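The offline activation path described above, with the certificate authorization file built the way claim 2 lays it out (source data encrypted under a first key, the first key protected under a second key as the signature data segment, and both sealed under a third key), as an added Python example that is not the patent's or Tencent's code. The patent names no algorithms, so this example assumes HMAC-SHA256 both as the keystream generator for the encryption steps and as the integrity check on each layer, assumes the SaaS-generated token is embedded in the certificate source data, and assumes the application server holds the second and third keys from deployment; all keys, identifiers and authorization values are constructed.

```python
"""Offline activation with a three-key layered certificate authorization file (added example).

Layering as in claim 2: source data under a first key, the first key under a
second key (the signature data segment), both under a third key. Algorithms
are an assumption of this example (HMAC-SHA256 keystream and MAC); keys,
nonce handling and sample data are constructed here.
"""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; the label must never repeat under one key."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(key: bytes, label: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, label, len(data))))


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def build_certificate_file(source: dict, k2: bytes, k3: bytes) -> bytes:
    """SaaS side: certificate source data -> certificate authorization file."""
    k1 = os.urandom(32)                 # fresh first key for every file
    nonce = os.urandom(16)              # keeps the k2/k3 keystreams unique per file
    body = _xor(k1, b"body", json.dumps(source, sort_keys=True).encode())   # step 1
    wrapped_k1 = _xor(k2, b"wrap" + nonce, k1)                             # step 2
    signature = wrapped_k1 + _mac(k2, nonce + body + wrapped_k1)           # integrity of step 1+2
    inner = body + signature
    sealed = _xor(k3, b"seal" + nonce, inner)                               # step 3
    return nonce + sealed + _mac(k3, nonce + sealed)


def open_certificate_file(blob: bytes, k2: bytes, k3: bytes):
    """Application side: peel the layers, checking integrity before decrypting each one."""
    if len(blob) < 16 + 32 + 32 + 32:
        return None
    nonce, sealed, outer_mac = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(_mac(k3, nonce + sealed), outer_mac):
        return None
    inner = _xor(k3, b"seal" + nonce, sealed)
    body, wrapped_k1, sig_mac = inner[:-64], inner[-64:-32], inner[-32:]
    if not hmac.compare_digest(_mac(k2, nonce + body + wrapped_k1), sig_mac):
        return None
    k1 = _xor(k2, b"wrap" + nonce, wrapped_k1)
    return json.loads(_xor(k1, b"body", body))


def activate_offline(blob: bytes, token: str, k2: bytes, k3: bytes,
                     local_db: dict, expected_user: str) -> str:
    """Verify file and token offline; store authorization only on success."""
    source = open_certificate_file(blob, k2, k3)
    if source is None:
        return "failure"
    if source.get("user") != expected_user:        # use-subject information must match this deployment
        return "failure"
    if not hmac.compare_digest(str(source.get("token", "")), token):   # token issued for this request
        return "failure"
    local_db["authorization"] = source["authorization"]
    local_db["token"] = token
    return "success"


def demo() -> dict:
    k2, k3 = b"second-key-from-deployment", b"third-key-from-deployment"   # constructed
    token = "tok-constructed-01"                                           # constructed
    source = {"user": "tenant-a", "serial": "SN-DEMO-0001", "token": token,
              "authorization": {"max_users": 50, "duration_days": 365}}
    blob = build_certificate_file(source, k2, k3)
    db = {}
    good = activate_offline(blob, token, k2, k3, db, "tenant-a")
    tampered = bytearray(blob)
    tampered[20] ^= 0x01                           # flip one bit inside the sealed layer
    bad = activate_offline(bytes(tampered), token, k2, k3, {}, "tenant-a")
    wrong_token = activate_offline(blob, "tok-other", k2, k3, {}, "tenant-a")
    return {"good": good, "tampered": bad, "wrong_token": wrong_token,
            "max_users": db["authorization"]["max_users"]}
```

Two design points carry over to any real implementation of this layering: each layer's integrity check runs before anything under it is decrypted, and because the second and third keys are shared secrets, an application server holding them could also produce files, so where the deployment cannot be trusted with that, the signature data segment is the natural place for an asymmetric signature that the application server can verify but not create.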
Optionally, on the basis of the embodiment corresponding to fig. 17, in another embodiment of the activation authorization apparatus 40 provided in the embodiment of the present application,
the obtaining module 401 is further configured to obtain an effective usage duration;
the entering module 407 is further configured to enter an inactive state when it is detected that the usage duration of the application server reaches the effective usage duration obtained by the obtaining module 401.
Secondly, the embodiment of the present application provides a way of handling the certificate validity period in the offline state: the application server first obtains an effective usage duration and, when it detects that its usage duration has reached the effective usage duration, enters an inactive state. In this way the usage validity period of the certificate authorization file is effectively guaranteed: a relative effective duration is used as the authorization duration, so the usage duration of the certificate authorization file cannot be changed even if a user modifies the system time, which improves the reliability of privatized deployment.
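The relative-duration idea behind both the networked and the offline validity handling above, as an added Python example that is not the patent's or Tencent's code. It assumes the application server measures usage with a monotonic clock and persists the running total, assumes the SaaS server times the activation on its own clock, and places a naive absolute-expiry check beside them so the effect of turning the system date back is visible; clocks are injected and every duration and timestamp is constructed.

```python
"""Usage duration as relative running time, not wall-clock time (added example).

Networked mode: the SaaS server times the activation on its own clock and
decides when the authorization termination request is due. Offline mode: the
application server accumulates its own running time from a monotonic clock.
A naive absolute-expiry check is shown for contrast. Clocks are injected and
all durations and timestamps are constructed sample values.
"""
import time


class FakeClocks:
    """Constructed clocks: a monotonic clock and a wall clock the user can reset."""

    def __init__(self, wall: float = 1_700_000_000.0):
        self.mono = 0.0
        self.wall = wall

    def monotonic(self) -> float:
        return self.mono

    def wall_time(self) -> float:
        return self.wall

    def run(self, seconds: float) -> None:
        """Real time passes: both clocks advance."""
        self.mono += seconds
        self.wall += seconds

    def set_system_time(self, new_wall: float) -> None:
        """The user edits the system date: only the wall clock moves."""
        self.wall = new_wall


class WallClockExpiry:
    """Naive scheme: absolute expiry timestamp, defeated by turning the clock back."""

    def __init__(self, effective_seconds: float, wall_clock):
        self._wall = wall_clock
        self.expires_at = wall_clock() + effective_seconds

    def expired(self) -> bool:
        return self._wall() >= self.expires_at


class UsageMeter:
    """Offline mode: accumulate running time from a monotonic clock.

    A monotonic clock ignores changes to the system time. The total is persisted
    (here: returned by checkpoint()) so usage carries over across restarts,
    since a monotonic clock starts again from zero on boot.
    """

    def __init__(self, effective_seconds: float, clock=time.monotonic, persisted_used: float = 0.0):
        self.effective = effective_seconds
        self._clock = clock
        self._used = persisted_used
        self._started = clock()

    def used_seconds(self) -> float:
        return self._used + (self._clock() - self._started)

    def checkpoint(self) -> float:
        """Fold elapsed time into the persisted total; call periodically and at shutdown."""
        self._used = self.used_seconds()
        self._started = self._clock()
        return self._used

    def expired(self) -> bool:
        return self.used_seconds() >= self.effective


class SaaSActivationTimer:
    """Networked mode: the SaaS server's own clock decides when to terminate."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._activations: dict = {}

    def on_activation_message(self, app_id: str, effective_seconds: float) -> None:
        self._activations[app_id] = (self._clock(), effective_seconds)

    def should_terminate(self, app_id: str) -> bool:
        started, effective = self._activations[app_id]
        return self._clock() - started >= effective


def demo() -> dict:
    clocks = FakeClocks()
    naive = WallClockExpiry(3600, clocks.wall_time)
    meter = UsageMeter(3600, clocks.monotonic)
    saas = SaaSActivationTimer(clocks.monotonic)   # SaaS clock modelled with the same source
    saas.on_activation_message("app-1", 3600)
    clocks.run(1800)
    clocks.set_system_time(1_000_000_000.0)        # system date turned back by about 22 years
    clocks.run(1800)                               # a full hour of real usage has now elapsed
    restarted = UsageMeter(3600, clocks.monotonic, persisted_used=meter.checkpoint())
    return {"naive_expired": naive.expired(), "meter_expired": meter.expired(),
            "saas_terminates": saas.should_terminate("app-1"),
            "used_after_restart": round(restarted.used_seconds()),
            "restarted_expired": restarted.expired()}
```

The persisted running total is local data, so in the offline mode it is protected only as well as the local database itself; in the networked mode the SaaS timer is the authoritative one, which is the point of the text's remark that the SaaS server's system time takes precedence.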
Fig. 18 is a schematic diagram of a server structure provided by an embodiment of the present application. The server 500 may vary considerably in configuration or performance and may include one or more central processing units (CPUs) 522 (e.g., one or more processors), a memory 532, and one or more storage media 530 (e.g., one or more mass storage devices) for storing applications 542 or data 544. The memory 532 and the storage media 530 may be transient storage or persistent storage. The program stored on the storage medium 530 may include one or more modules (not shown), each of which may include a series of instruction operations for the server. Further, the central processing unit 522 may be configured to communicate with the storage medium 530 and to execute the series of instruction operations in the storage medium 530 on the server 500.
The server 500 may also include one or more power supplies 526, one or more wired or wireless network interfaces 550, one or more input-output interfaces 558, and/or one or more operating systems 541, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, and so forth.
The steps performed by the server in the above embodiment may be based on the server structure shown in fig. 18.
In this embodiment, the CPU 522 in the SaaS server is configured to execute the following steps:
receiving a certificate authorization request sent by a client, wherein the certificate authorization request carries use subject information, and the use subject information comprises user information associated with an application server;
generating a certificate authorization file according to the certificate authorization request;
sending the certificate authorization file to the application server so that the application server determines an authorization activation result according to the certificate authorization file and authorizes the application server according to the authorization activation result.
In this embodiment of the present application, the CPU 522 in the application server is configured to execute the following steps:
acquiring a certificate authorization file, wherein the certificate authorization file is generated by a software as a service (SaaS) server according to the certificate authorization request, the certificate authorization request carries use subject information, and the use subject information comprises user information associated with an application server;
determining an authorization activation result according to the certificate authorization file;
and storing authorization information in a local database of the application server according to the authorization activation result, wherein the authorization information is derived from the certificate authorization file.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (13)

1. A method of activating authorization, comprising:
receiving a certificate authorization request sent by a client, wherein the certificate authorization request carries use subject information, and the use subject information comprises user information associated with an application server;
generating a certificate authorization file according to the certificate authorization request;
sending the certificate authorization file to the application server so that the application server determines an authorization activation result according to the certificate authorization file and stores authorization information in a local database of the application server according to the authorization activation result, wherein the authorization information is derived from the certificate authorization file;
receiving a serial number sent by the application server, wherein the serial number is a unique identifier corresponding to the certificate authorization file;
checking the serial number to obtain the authorization activation result;
if the authorization activation result is that verification is successful, the authorization information and token information are sent to the application server, wherein the token information is an identity of a user associated with the application server;
and if the authorization activation result is verification failure, feeding back the authorization activation result to the application server.
2. The method of claim 1, wherein generating a certificate authorization file according to the certificate authorization request comprises:
acquiring certificate source data according to the certificate authorization request;
encrypting the certificate source data by adopting a first secret key to obtain a certificate file to be encrypted;
encrypting the first key by adopting a second key to obtain a signature data segment;
and encrypting the certificate file to be encrypted and the signature data segment by adopting a third key to obtain the certificate authorization file.
3. The method of claim 1, wherein sending the certificate authorization file to the application server comprises:
and sending the certificate authorization file to the application server through a hypertext transfer security protocol (HTTPS) channel.
4. The method of claim 1, further comprising:
receiving token information verification requests periodically sent by the application server;
checking the token information according to the token information checking request to obtain an information checking result;
and if the information verification result is successful verification, sending the authorization information to the application server so that the application server updates the authorization information to the local database.
5. The method of claim 1, wherein after sending the certificate authorization file to the application server, the method further comprises:
receiving an authorization activation message sent by the application server;
determining an effective use duration according to the authorization activation message;
and when detecting that the use time of the application server reaches the effective use time, sending an authorization termination request to the application server so as to enable the application server to enter an inactivated state according to the authorization termination request.
6. The method according to any one of claims 1 to 3, wherein after receiving the certificate authorization request sent by the client, the method further comprises:
generating token information according to the certificate authorization request, wherein the token information is an identity of a user associated with the application server;
the sending the certificate authorization file to the application server to enable the application server to determine an authorization activation result according to the certificate authorization file, and storing authorization information in a local database of the application server according to the authorization activation result includes:
and sending the certificate authorization file and the token information to the application server so that the application server verifies the certificate authorization file and the token information, determining an authorization activation result, and if the authorization activation result is successful verification, storing the authorization information in the local database of the application server.
7. A method of activating authorization, comprising:
acquiring a certificate authorization file, wherein the certificate authorization file is generated by a software as a service (SaaS) server according to a certificate authorization request, the certificate authorization request carries use subject information, and the use subject information comprises user information associated with an application server;
determining an authorization activation result according to the certificate authorization file;
storing authorization information in a local database of the application server according to the authorization activation result, wherein the authorization information is derived from the certificate authorization file;
wherein the determining an authorization activation result according to the certificate authorization file includes:
sending a serial number to the SaaS server so that the SaaS server checks the serial number to obtain the authorization activation result, wherein the serial number is a unique identifier corresponding to the certificate authorization file;
the storing authorization information in a local database of the application server according to the authorization activation result includes:
if the authorization activation result is successful verification, receiving the authorization information and token information sent by the SaaS server, wherein the token information is an identity of a user associated with an application server;
storing the authorization information and the token information in the local database of the application server.
8. The method of claim 7, wherein after storing authorization information in a local database of the application server according to the authorization activation result, the method further comprises:
periodically sending a token information verification request to the SaaS server so that the SaaS server verifies the token information according to the token information verification request to obtain an information verification result;
if the information verification result is successful, receiving the authorization information sent by the SaaS server;
and updating the authorization information to the local database.
9. The method of claim 7, wherein after storing authorization information in a local database of the application server according to the authorization activation result, the method further comprises:
sending an authorization activation message to the SaaS server so that the SaaS server determines the effective use duration according to the authorization activation message;
when the SaaS server detects that the service duration of the application server reaches the effective service duration, receiving an authorization termination request sent by the SaaS server;
and entering an inactivated state according to the authorization termination request.
10. The method of claim 7, wherein obtaining the certificate authorization file comprises:
acquiring the certificate authorization file and token information, wherein the token information is an identity of a user associated with the application server;
the determining an authorization activation result according to the certificate authorization file includes:
verifying the certificate authorization file and the token information to determine the authorization activation result;
the storing authorization information in a local database of the application server according to the authorization activation result includes:
and if the authorization activation result is successful verification, storing the authorization information in the local database of the application server.
11. The method of claim 10, further comprising:
obtaining effective use duration;
and when detecting that the use duration of the application server reaches the effective use duration, entering an inactivated state.
12. An activation authorization apparatus, comprising:
a receiving module, configured to receive a certificate authorization request sent by a client, wherein the certificate authorization request carries use subject information, and the use subject information comprises user information associated with an application server;
the generating module is used for generating a certificate authorization file according to the certificate authorization request received by the receiving module;
a sending module, configured to send the certificate authorization file generated by the generating module to the application server, so that the application server determines an authorization activation result according to the certificate authorization file, and stores authorization information in a local database of the application server according to the authorization activation result, where the authorization information is derived from the certificate authorization file;
the receiving module is further configured to receive a serial number sent by the application server after the sending module sends the certificate authorization file to the application server, where the serial number is a unique identifier corresponding to the certificate authorization file;
the checking module is used for checking the serial number received by the receiving module to obtain the authorization activation result;
the sending module is further configured to send the authorization information and token information to the application server if the authorization activation result obtained through verification by the verification module is verification success, where the token information is an identity of a user associated with the application server;
the sending module is further configured to feed back the authorization activation result to the application server if the authorization activation result obtained through the verification by the verification module is a verification failure.
13. An activation authorization apparatus, comprising:
an obtaining module, configured to obtain a certificate authorization file, wherein the certificate authorization file is generated by a software as a service (SaaS) server according to a certificate authorization request, the certificate authorization request carries use subject information, and the use subject information comprises user information associated with an application server;
a determining module, configured to determine an authorization activation result according to the certificate authorization file obtained by the obtaining module;
the storage module is used for storing authorization information in a local database of the application server according to the authorization activation result determined by the determination module, wherein the authorization information is derived from the certificate authorization file;
the determining module is specifically configured to send a serial number to the SaaS server, so that the SaaS server verifies the serial number to obtain the authorization activation result, where the serial number is a unique identifier corresponding to the certificate authorization file;
the storage module is specifically configured to receive the authorization information and token information sent by the SaaS server if the authorization activation result is that verification is successful, where the token information is an identity of a user associated with an application server; storing the authorization information and the token information in the local database of the application server.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910420312.0A CN110401629B (en) 2019-05-20 2019-05-20 Authorization activation method and related device

Publications (2)

Publication Number Publication Date
CN110401629A CN110401629A (en) 2019-11-01
CN110401629B true CN110401629B (en) 2021-10-01

Family

ID=68323015

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant