CN111526014A - System and method for unified management of clustered deployment application passwords - Google Patents
- Publication number: CN111526014A
- Application number: CN202010313694.XA
- Authority: CN (China)
- Prior art keywords: password, host, application, file, storage interface
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- H04L9/0897—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
Abstract
The invention discloses a system and a method for uniformly managing a clustered deployment application password, wherein in a management system, an independent password file storage interface host is established outside a clustered application host; the password file storage interface host receives the password file after the uniform modification and carries out DES encryption on the password file; and distributing the ciphertext file generated in the DES encryption process to the clustered application host to realize the unified management and deployment of the application password of the application host. By the technical scheme, the password is uniformly modified and uniformly deployed, the system safety is improved, the password leakage risk is reduced, the flexibility of password management of the system is improved, and the coupling with the application and the misoperation risk are reduced.
Description
Technical Field
The invention relates to the technical field of computer management, in particular to a unified management system and a unified management method for clustered deployment application passwords.
Background
At present, for most operator service support systems, access to a database or a host is indispensable for applications, whatever service deployment mode they are based on. When accessing a host or a database, the application uses the plaintext host or database password, stored at various locations within the application, to connect through sqlplus, FTP, SFTP or other means, and in this way obtains the database information or host file information it needs.
However, in the existing management process for clustered application hosts, the host or database passwords used for application access in the cluster are stored in plaintext and have a low safety coefficient; it is difficult to modify these passwords uniformly across the cluster; the passwords are stored under the same account as the application, so misoperation occurs easily and the application then cannot run normally; and the storage locations of the passwords are not uniform, which hinders future maintenance.
Disclosure of Invention
To address at least one of the above problems, the invention provides a system and a method for uniformly managing a clustered application password. A single password file storage interface host is added outside the clustered application host nodes; this host receives the password, encrypts it, generates the ciphertext file and distributes it; the application hosts in the cluster receive the ciphertext file and read it through a public password program to decrypt it. This completes the uniform modification and uniform deployment of the password, improves system safety, reduces the password leakage risk, improves the flexibility of system password management, reduces the coupling with the application and the misoperation risk, and solves the problems that in clustered deployment the number of application hosts and databases is large, the safety factor of plaintext password storage is low, separate management of passwords is difficult, and passwords are difficult to modify in batches.
In order to achieve the above object, the present invention provides a unified management system for clustered application passwords, wherein an independent password file storage interface host is established outside a clustered application host; the password file storage interface host receives the password file which is modified uniformly and carries out DES encryption on the password file; and distributing the ciphertext file generated in the DES encryption process to the clustered application host to realize the unified management and deployment of the application password of the application host.
In the above technical solution, preferably, the password file storage interface host is connected to a security portal through an interface, and a password file generated by modifying a password in the security portal is pushed to the password file storage interface host.
In the above technical solution, preferably, the password file is encrypted by AES and then pushed to the password file storage interface host.
In the above technical solution, preferably, the application host modifies the password by the security portal after stopping the service.
In the above technical solution, preferably, the password file storage interface host distributes the ciphertext file to the application host via FTP.
The invention further provides a unified management method for the clustered deployment application passwords, which is applied to the unified management system for the clustered deployment application passwords in any one of the above technical solutions, and comprises the following steps: sending the uniformly modified password file to a password file storage interface host independent of the clustered application host; the password file storage interface host carries out DES encryption on the password file and generates a ciphertext file; and distributing the ciphertext file to the application host.
In the above technical solution, preferably, the password file storage interface host is connected to a security portal through an interface, and a password file formed by modifying a password through the security portal is pushed to the password file storage interface host.
In the above technical solution, preferably, the password file is encrypted by AES and then pushed to the password file storage interface host.
In the above technical solution, preferably, the application host modifies the password by the security portal after stopping the service.
In the above technical solution, preferably, the password file storage interface host distributes the ciphertext file to the application host via FTP.
Compared with the prior art, the invention has the beneficial effects that: the independent password file storage interface host is added outside the clustered application host node, the password file storage interface host is used for receiving, encrypting, generating and distributing the password file, the application host in the cluster receives the ciphertext file and then reads the ciphertext file through a public password program to decrypt, so that the unified modification and unified deployment of the password are completed, the system safety is improved, the password leakage risk is reduced, the flexibility of system password management is improved, the coupling with the application and the misoperation risk are reduced, and the problems that the number of the application host and a database in the clustered deployment is large, the password plaintext storage safety factor is low, the password separate management difficulty is large, the password is difficult to modify in batches and the like are solved.
Drawings
Fig. 1 is a schematic flowchart of a working principle of a clustered deployment application password unified management system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
The invention is described in further detail below with reference to the attached drawing figures:
as shown in fig. 1, according to the unified management system for clustered application passwords provided by the present invention, an independent password file storage interface host is established outside a clustered application host; the password file storage interface host receives the password file after the uniform modification and carries out DES encryption on the password file; and distributing the ciphertext file generated in the DES encryption process to the clustered application host to realize the unified management and deployment of the application password of the application host.
In the embodiment, a single password file storage interface host is added outside the clustered application host nodes, and this host is used to receive the password, encrypt it, generate the ciphertext file and distribute it. The application host in the cluster receives the ciphertext file, stores it under a specified user and a specified directory (the permissions are set to the highest level, and the application program has only read permission on the file), and reads the ciphertext file through a public password program to decrypt it, so that unified modification and unified deployment of passwords are completed. Because the password is stored in encrypted form on the application side, system safety is improved, the password leakage risk is reduced, the flexibility of system password management is improved, the coupling with the application and the misoperation risk are reduced, and the problems that in clustered deployment the number of application hosts and databases is large, the safety coefficient of plaintext password storage is low, separate management of passwords is difficult, and batch modification of passwords is difficult are solved.
The password file storage interface host mainly stores the host password or database password used by an application program into a password file using the DES (Data Encryption Standard) encryption algorithm (the password file contains a password label, a database instance name or host name, an encrypted user and an encrypted password). The target host of password management, namely the application host, mainly receives the ciphertext file pushed by the password file storage interface host; the application program in the application host reads the host or database password it needs through the public password program. The DES encryption algorithm is an existing algorithm and is not described here again.
Specifically, in implementation, a separate password management user is created on the password file storage interface host and on the application host, and the password management user stores the encrypted password file for the application program to use. The password management user account of the password file storage interface host has the authority to push the encrypted password file to the corresponding user and directory of the application host; push distribution is preferably realized via FTP.
Further, the file format of the host password and the file format of the database password may be as shown in tables 1 and 2 below.
TABLE 1 host password file format

H | Name of label | HOSTIP | HOSTUSER | HOSTPASSWD
---|---|---|---|---
1 | HostName_user | xx.xx.xx.xx | crmappa | fB!wSY0i_xyz

Description of file fields:
- H // host serial number identification
- Name of label // label generated by the application for the security vendor according to the business requirement
- HOSTIP // host IP address
- HOSTUSER // user name
- HOSTPASSWD // user password

TABLE 2 database password file format

H | Name of label | DBSERV | DBUSER | DBPASSWD
---|---|---|---|---
1 | ServName_user | Crmadb1 | dbrun | fB!wSY0i_xyz

Description of file fields:
- H // sequence number
- Name of label // label generated for the security vendor according to the business requirement
- DBSERV // database instance name
- DBUSER // database user name
- DBPASSWD // user password
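As an added example (not code from the patent or its applicant), the core of the embodiment above in Go: the interface host's DES encryption of a password file in the Table 1 layout, and the application host's "public password program" step of decrypting it and looking up a credential by label. The patent names only "DES", so the 8-byte key, CBC mode with a random IV, PKCS#7 padding, and the constructed sample file are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)
// Constructed sample in the Table 1 layout (column values taken from the table).
const samplePasswordFile = "H | Name of label | HOSTIP | HOSTUSER | HOSTPASSWD |\n" +
	"1 | HostName_user | xx.xx.xx.xx | crmappa | fB!wSY0i_xyz |\n"

type Record struct{ Seq, Label, Addr, User, Passwd string } // one data line (Table 2 maps the same way)

// parsePasswordFile parses the pipe-delimited file into a label -> record map, skipping the "H" header.
func parsePasswordFile(text string) (map[string]Record, error) {
	recs := map[string]Record{}
	for i, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Split(strings.TrimSuffix(strings.TrimSpace(line), "|"), "|")
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: want 5 fields, got %d", i+1, len(f))
		}
		for j := range f {
			f[j] = strings.TrimSpace(f[j])
		}
		if i == 0 && f[0] == "H" {
			continue // header row
		}
		recs[f[1]] = Record{f[0], f[1], f[2], f[3], f[4]}
	}
	return recs, nil
}

// pad/unpad apply PKCS#7 padding to the 8-byte DES block size.
func pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}
func unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1]) // b is never empty: decryptPasswordFile checks the length first
	if n == 0 || n > des.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// encryptPasswordFile is the interface host's step: DES-CBC, random IV prepended; key must be 8 bytes.
func encryptPasswordFile(key, plaintext []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	p := pad(plaintext)
	out := make([]byte, len(p))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, p)
	return append(iv, out...), nil
}

// decryptPasswordFile is the application host's "public password program" step.
func decryptPasswordFile(key, data []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*des.BlockSize || len(data)%des.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	out := make([]byte, len(data)-des.BlockSize)
	cipher.NewCBCDecrypter(block, data[:des.BlockSize]).CryptBlocks(out, data[des.BlockSize:])
	return unpad(out)
}

func main() { // stand-alone demo with a constructed 8-byte key
	ct, _ := encryptPasswordFile([]byte("k3y8byte"), []byte(samplePasswordFile))
	pt, _ := decryptPasswordFile([]byte("k3y8byte"), ct)
	recs, _ := parsePasswordFile(string(pt))
	fmt.Println(len(ct), "ciphertext bytes; HostName_user ->", recs["HostName_user"].User)
}
```

DES (56-bit key) and plain FTP are the patent's stated choices; in a current deployment a practitioner would substitute an authenticated cipher such as AES-GCM and an authenticated transport, while keeping the read-only file permissions the embodiment describes.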
In the above embodiment, preferably, the password file storage interface host is connected to the security portal through an interface, and a password file generated by modifying a password in the security portal is pushed to the password file storage interface host.
In the above embodiment, preferably, the password file is encrypted by AES and then pushed to the password file storage interface host, and the AES encryption algorithm is an existing algorithm and is not described herein again.
In the above embodiment, preferably, the application host modifies the password by the security portal after stopping the service.
In the above embodiment, preferably, the password file storage interface host distributes the ciphertext file to the application host through the FTP, and the FTP distribution algorithm is an existing algorithm and is not described herein again.
The invention also provides a unified management method for the application passwords deployed in a clustering manner, which is applied to the unified management system for the application passwords deployed in a clustering manner in any one of the embodiments, and the unified management method comprises the following steps: sending the uniformly modified password file to a password file storage interface host independent of the clustered application host; the password file storage interface host carries out DES encryption on the password file and generates a ciphertext file; and distributing the ciphertext file to the application host.
In the embodiment, a single password file storage interface host is added outside the clustered application host nodes, and this host is used to receive the password, encrypt it, generate the ciphertext file and distribute it. The application host in the cluster receives the ciphertext file, stores it under a specified user and a specified directory (the permissions are set to the highest level, and the application program has only read permission on the file), and reads the ciphertext file through a public password program to decrypt it, so that unified modification and unified deployment of passwords are completed. Because the password is stored in encrypted form on the application side, system safety is improved, the password leakage risk is reduced, the flexibility of system password management is improved, the coupling with the application and the misoperation risk are reduced, and the problems that in clustered deployment the number of application hosts and databases is large, the safety coefficient of plaintext password storage is low, separate management of passwords is difficult, and batch modification of passwords is difficult are solved.
In the above embodiment, preferably, the password file storage interface host is connected to the security portal through an interface, and a password file formed by modifying a password through the security portal is pushed to the password file storage interface host.
In the above embodiment, preferably, the password file is encrypted by AES and then pushed to the password file storage interface host.
In the above embodiment, preferably, the application host modifies the password by the security portal after stopping the service.
In the above embodiment, preferably, the password file storage interface host distributes the ciphertext file to the application host via FTP.
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes will occur to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A unified management system for clustered deployment application passwords is characterized in that:
an independent password file storage interface host is established outside the clustered application host;
the password file storage interface host receives the password file which is modified uniformly and carries out DES encryption on the password file;
and distributing the ciphertext file generated in the DES encryption process to the clustered application host to realize the unified management and deployment of the application password of the application host.
2. The system according to claim 1, wherein the password file storage interface host is connected to a security portal through an interface, and a password file generated by modifying a password in the security portal is pushed to the password file storage interface host.
3. The unified management system for the clustered deployment application passwords according to claim 2, wherein the password file is encrypted by AES and then pushed to the password file storage interface host.
4. The system according to claim 2, wherein the application host modifies the password by the security portal after stopping the service.
5. The system according to claim 1, wherein the password file storage interface host distributes the ciphertext file to the application host via FTP.
6. A unified management method for passwords of clustered deployment applications, applied to the unified management system for passwords of clustered deployment applications according to any one of claims 1 to 5, comprising:
sending the uniformly modified password file to a password file storage interface host independent of the clustered application host;
the password file storage interface host carries out DES encryption on the password file and generates a ciphertext file;
and distributing the ciphertext file to the application host.
7. The unified management method for the clustered deployment application passwords according to claim 6, wherein the password file storage interface host is connected to a security portal through an interface, and a password file formed by modifying a password through the security portal is pushed to the password file storage interface host.
8. The method according to claim 7, wherein the password file is encrypted by AES and then pushed to the password file storage interface host.
9. The unified management method for the clustered deployment application passwords according to claim 7, wherein the application host modifies the password by the security portal after stopping the service.
10. The unified management method for the passwords for the clustered deployment applications as claimed in claim 6, wherein the password file storage interface host distributes the ciphertext file to the application host through FTP.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN202010313694.XA (CN111526014A) | 2020-04-20 | 2020-04-20 | System and method for unified management of clustered deployment application passwords
Publications (1)
Publication Number | Publication Date
---|---
CN111526014A | 2020-08-11
Family ID: 71904046
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN112861116A | 2021-02-03 | 2021-05-28 | Inspur Cloud Information Technology Co., Ltd. | Method and tool for realizing dynamic password loading based on sidecar mode
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN104717195A | 2013-12-17 | 2015-06-17 | China Mobile Group Fujian Co., Ltd. | Service system password management method and device
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication | Application publication date: 20200811
| SE01 | Entry into force of request for substantive examination |
| RJ01 | Rejection of invention patent application after publication |