CN111541665A - Data access method, device, storage medium and cluster type security management platform - Google Patents

Info

Publication number
CN111541665A
Authority
CN
China
Prior art keywords
client
digital certificate
data access
browser
servers
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202010300207.6A
Other languages
Chinese (zh)
Inventor
孙新鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Suzhou Inspur Intelligent Technology Co Ltd
Priority to CN202010300207.6A
Publication of CN111541665A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a data access method, a data access device, a computer readable storage medium and a cluster type security management platform. The method comprises: generating digital certificates for all servers in a cluster in advance, and uploading all the digital certificates to a browser end; when a data access request sent by a client is received, feeding back the corresponding digital certificate information in the browser to the client, the client being any one or more servers in the cluster; if feedback information of successful verification of the digital certificate sent by the client is received, displaying a login page of the browser to the client; if the login information input by the client is judged to be accurate, verifying the validity of the digital certificate of the client; and when the validity of the digital certificate of the client is successfully verified, allowing the client to log in to the browser to access data. The application is high in security, user information and user accessible resources can be better protected, and the integrity, validity and non-repudiation of user data are effectively guaranteed.

Description

Data access method, device, storage medium and cluster type security management platform
Technical Field
The present application relates to the field of data interaction technologies, and in particular, to a data access method, an apparatus, a computer-readable storage medium, and a cluster-based security management platform.
Background
For a clustered security management platform, the related art adopts a username + password authentication mode to ensure remote access security, and the user's data is transmitted in plaintext form. This management mode is as simple as possible but is easy to attack: for example, a packet capture tool can be used to capture user password information directly. The security is low, the user information and user accessible resources cannot be well protected, and the integrity, the effectiveness and the non-repudiation of user data cannot be guaranteed.
In view of this, how to better protect user information and user accessible resources, and effectively ensure integrity, validity and non-repudiation of user data is a technical problem to be solved by those skilled in the art.
Disclosure of Invention
The application provides a data access method, a data access device, a computer readable storage medium and a cluster type security management platform, which have high security, can better protect user information and user accessible resources, and effectively ensure the integrity, effectiveness and non-repudiation of user data.
In order to solve the above technical problems, embodiments of the present invention provide the following technical solutions:
an embodiment of the present invention provides a data access method, including:
generating digital certificates for all servers in the cluster in advance, and uploading all the digital certificates to a browser end;
when a data access request sent by a client is received, feeding back corresponding digital certificate information in the browser to the client; the client is any one or more servers in the cluster;
if feedback information of successful verification of the digital certificate sent by the client is received, displaying a login page of the browser to the client;
if the login information input by the client is judged to be accurate, verifying the validity of the digital certificate of the client;
and when the validity of the digital certificate of the client is successfully verified, allowing the client to log in the browser for data access.
Optionally, before verifying the validity of the digital certificate of the client, the method further includes:
when a digital certificate downloading request of a first server is received, revoking the digital certificate corresponding to the first server and stored in the browser, generating a new digital certificate for the first server, and simultaneously issuing the new digital certificate to the first server.
Optionally, the verifying the validity of the digital certificate of the client includes:
verifying whether the digital certificate of the client is revoked;
if the digital certificate of the client is not revoked, verifying whether the digital certificate of the client is in a valid period;
if the digital certificate of the client is in the valid period, verifying whether the digital certificate of the client is accurate;
and if the digital certificate of the client is accurate, the digital certificate of the client is valid.
Optionally, the generating a digital certificate for each server in the cluster in advance includes:
when registration requests of a plurality of servers are received at the same time, a pre-installed OpenSSL cryptographic toolkit is called by using a batch processing command, and digital certificates in p12 format are generated for the corresponding servers based on the self-built CA certificate and the respective user information of the servers.
Optionally, the digital certificate is used by the client after verifying that the use password input by the client is accurate.
Another aspect of the embodiments of the present invention provides a data access apparatus, including:
the digital certificate generation module is used for generating digital certificates for all servers in the cluster in advance, and all the digital certificates are uploaded to the browser end;
the client side verification digital certificate module is used for feeding back corresponding digital certificate information in the browser to the client side when receiving a data access request sent by the client side; the client is any one or more servers in the cluster;
the login page display module is used for displaying the login page of the browser to the client if feedback information of successful verification of the digital certificate sent by the client is received;
the certificate validity judging module is used for verifying the validity of the digital certificate of the client if the login information input by the client is judged to be accurate;
and the login permitting module is used for permitting the client to log in the browser for data access when the validity of the digital certificate of the client is successfully verified.
An embodiment of the present invention further provides a data access apparatus, including a processor, where the processor is configured to implement the steps of the data access method according to any one of the foregoing embodiments when executing the computer program stored in the memory.
An embodiment of the present invention further provides a computer-readable storage medium, where a data access program is stored on the computer-readable storage medium, and when executed by a processor, the data access program implements the steps of the data access method according to any one of the foregoing items.
The embodiment of the present invention finally provides a cluster-type security management platform, which includes a browser as a server, a plurality of servers as clients, and a data processor for executing the steps of the data access method according to any one of the previous items; and each server and each browser register corresponding user roles in the platform in advance.
Optionally, the browser is Nginx, the system framework is Spring Boot, and the data processor generates the digital certificate for each server based on a pre-installed OpenSSL cryptographic toolkit.
The technical scheme provided by the application has the following advantages. The server side serves as a client side and imports its personal certificate into the browser when registering an account, and the user inputs login information from a login page of the browser. The server side and the browser side can therefore perform two-factor verification according to the personal certificate and the login information, that is, the client side and the browser verify each other. Combining this bidirectional authentication with digital signatures fundamentally improves the security strength of identity authentication: the user needs to provide two different factors to prove the identity of the user, so the information of the user and the resources accessible to the user are better protected, and the data access security is high.
In addition, the embodiment of the invention also provides a corresponding implementation device, a computer readable storage medium and a cluster type security management platform aiming at the data access method, so that the method has higher practicability, and the device and the computer readable storage medium have corresponding advantages.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the related art, the drawings required to be used in the description of the embodiments or the related art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic flowchart of a data access method according to an embodiment of the present invention;
fig. 2 is a block diagram of a specific embodiment of a data access device according to an embodiment of the present invention;
fig. 3 is a block diagram of another embodiment of a data access device according to an embodiment of the present invention;
fig. 4 is a structural diagram of a specific implementation of the clustered security management platform according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the disclosure, the invention will be described in further detail with reference to the accompanying drawings and specific embodiments. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and claims of this application and in the above-described drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "comprising" and "having," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may include other steps or elements not expressly listed.
Having described the technical solutions of the embodiments of the present invention, various non-limiting embodiments of the present application are described in detail below.
Referring to fig. 1, fig. 1 is a schematic flow chart of a data access method according to an embodiment of the present invention, where the embodiment of the present invention may include the following:
S101: Generate digital certificates for all the servers in the cluster in advance, and upload all the digital certificates to the browser side.
In the present application, a plurality of servers acting as clients can access the browser end at the same time or at different times, and the browser end acts as the server end that provides data resource access to each server. Before accessing data through the browser, a server needs to register user information with the execution subject of the method. When a user registers, the execution subject generates a digital certificate for that user. The digital certificate can be generated with any existing digital certificate generation software tool, for example the OpenSSL cryptographic toolkit; this application does not limit the choice. In an alternative embodiment, when registration requests of a plurality of servers are received simultaneously, a pre-installed OpenSSL cryptographic toolkit may be invoked by using a batch command, and a digital certificate in p12 format is generated for each corresponding server based on the self-built CA certificate and the respective user information of the servers. The format of the digital certificate file can be PKCS #12, and the file can be stored on the user's host, that is, on the server. To use the file, its use password must be entered, and the digital certificate is used by the client only after the use password input by the client has been verified as accurate. The password is a dynamic password which can be a one-time pad, for example, and the identity authentication process can support a one-way/two-way authentication mode, so that the security strength of identity authentication is fundamentally improved.
S102: When a data access request sent by the client is received, feed back the corresponding digital certificate information in the browser to the client.
In S101 the client pre-imports its digital certificate into the browser. To improve security, when the client accesses the browser, the client first needs to verify the browser, that is, to verify whether the browser holds the digital certificate of the client. If so, the client continues to access the browser; if not, the client does not access the browser. The client can be any one server or a plurality of servers in the cluster; this does not affect the implementation of the application.
S103: If feedback information of successful verification of the digital certificate sent by the client is received, display a login page of the browser to the client.
In the preceding step the client only verifies whether the browser stores the digital certificate; if so, the client can continue to access the browser. To further improve security, after the client has verified the server side, the browser in turn verifies whether the client is an authorized user: it displays its login page to the client user, so that the client user inputs the login information through the man-machine interaction module. The login information can be a user name and a login password, and the login password can be a fixed password or a one-time password; neither choice affects the implementation of the present application.
S104: If the login information input by the client is judged to be accurate, verify the validity of the digital certificate of the client.
In the method and the device, after the login information of the client user is verified to be accurate, the validity of the digital certificate of the client can be further verified, wherein the validity of the digital certificate comprises that the digital certificate is not expired, the digital certificate is accurate and the digital certificate is not revoked. Optionally, the process of verifying the validity of the digital certificate may include:
verifying whether the digital certificate of the client is revoked;
and if the digital certificate of the client is not revoked, verifying whether the digital certificate of the client is in the valid period. To ensure the validity of the digital certificate verification, a certificate validity period, such as 6 months, may be specified in advance, and may be counted from the time the digital certificate is generated.
If the digital certificate of the client is in the valid period, verifying whether the digital certificate of the client is accurate;
and if the digital certificate of the client is accurate, the digital certificate of the client is valid.
S105: When the validity of the digital certificate of the client is successfully verified, allow the client to log in to the browser for data access.
It should be noted that, if the login information is wrong or the validity of the digital certificate is not verified successfully, the user is not allowed to log in the browser for data access.
In the technical scheme provided by the embodiment of the invention, the server side and the server side are related, the server side serves as a client side and is used for inputting the personal certificate into the browser when registering an account, and a user inputs login information from a login page of the browser, so that the server side and the browser side can carry out two-factor verification according to the personal certificate and the login information, namely the client side and the browser verify each other, the two-way authentication is combined with a digital signature to fundamentally improve the safety intensity of identity authentication, the user needs to provide two different factors to prove the identity of the user, the information of the user and resources accessible to the user are better protected, and the data access safety is high.
It is understood that the digital certificate on the client may be lost, and that the digital certificate on the client is otherwise generated only during registration, so the present application further provides a digital certificate downloading function. To avoid ambiguity, the embodiments of the present invention refer to the requesting server as the first server, which may be any one server or a plurality of servers. The function may include:
and when a digital certificate downloading request of the first server is received, revoking the digital certificate corresponding to the first server stored in the browser, generating a new digital certificate for the first server, and simultaneously issuing the new digital certificate to the first server.
Optionally, when the personal certificate of the user is lost, the OpenSSL toolkit may be operated by using a batch processing command to revoke the original personal certificate and generate a new certificate to replace it, and the new digital certificate is then issued to the first server.
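The issuance (S101), validity check (S104) and re-download steps described above, sketched with the OpenSSL command line as an added example; it is not code from the patent. The server names, passwords, scratch directory and the reading of "accurate" as "signed by the self-built CA and identical to the registered copy" are assumptions.

```shell
#!/bin/sh
# Added example. Server names, passwords and paths are constructed.
set -eu
WORK=$(mktemp -d)   # scratch directory standing in for the platform's CA store
DAYS=180            # about the 6-month validity period mentioned in the text

refresh_crl() {     # publish the current revocation list
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

init_ca() {         # self-built CA plus the minimal config `openssl ca` needs
    mkdir -p "$WORK/registered"
    : > "$WORK/index.txt"
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = cluster_ca
[ cluster_ca ]
database = $WORK/index.txt
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 7
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Cluster CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    refresh_crl
}

# S101 / re-download: key, CA-signed certificate and password-protected .p12.
issue_p12() {       # $1 = server name, $2 = use password
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days "$DAYS" -sha256 -out "$WORK/$1.crt" 2>/dev/null
    # The password travels in the environment rather than argv, where other
    # users could read it from the process list.
    P12_PASS=$2 openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
        -certfile "$WORK/ca.crt" -name "$1" -passout env:P12_PASS \
        -out "$WORK/$1.p12"
    cp "$WORK/$1.crt" "$WORK/registered/$1.crt"   # copy held by the browser end
}

# The .p12 opens only with its use password; the MAC check fails otherwise.
p12_opens() {       # $1 = server name, $2 = password to try
    P12_PASS=$2 openssl pkcs12 -in "$WORK/$1.p12" -passin env:P12_PASS \
        -noout 2>/dev/null
}

# S104 order: revoked? -> within validity period? -> accurate?
# Prints the first failing reason, or "valid".
validate() {        # $1 = server name, $2 = certificate presented at login
    serial=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
    if openssl crl -in "$WORK/ca.crl" -noout -text |
        grep -q "Serial Number: $serial\$"; then
        echo revoked; return 1
    fi
    if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null; then
        echo expired; return 1
    fi
    # Assumption: "accurate" means signed by the self-built CA and
    # byte-identical to the copy registered for this server.
    if ! openssl verify -CAfile "$WORK/ca.crt" "$2" >/dev/null 2>&1 ||
        ! cmp -s "$2" "$WORK/registered/$1.crt"; then
        echo inaccurate; return 1
    fi
    echo valid
}

# Re-download: revoke the stored certificate first, then issue a replacement.
reissue() {         # $1 = server name, $2 = new use password
    openssl ca -config "$WORK/ca.cnf" \
        -revoke "$WORK/registered/$1.crt" 2>/dev/null
    refresh_crl
    issue_p12 "$1" "$2"
}

init_ca
for s in node1 node2; do issue_p12 "$s" "constructed-pw-$s"; done  # batch run
cp "$WORK/node1.crt" "$WORK/node1-lost.crt"    # the copy that later goes missing
reissue node1 "constructed-pw-node1b"
echo "lost node1 copy: $(validate node1 "$WORK/node1-lost.crt")"   # revoked
echo "new node1 cert:  $(validate node1 "$WORK/node1.crt")"        # valid
echo "node2 cert:      $(validate node2 "$WORK/node2.crt")"        # valid
```

Checking revocation before anything else means a lost certificate is rejected even though it is still unexpired and correctly signed by the CA.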
It should be noted that, in the present application, there is no strict sequential execution order among the steps; as long as the logical order is met, the steps may be executed simultaneously or according to a certain preset order. Fig. 1 is only an exemplary manner and does not mean that this is the only possible execution order.
The embodiment of the invention also provides a corresponding device for the data access method, so that the method has higher practicability. Wherein the means can be described separately from the functional module point of view and the hardware point of view. In the following, the data access device provided by the embodiment of the present invention is introduced, and the data access device described below and the data access method described above may be referred to correspondingly.
Based on the angle of the functional module, referring to fig. 2, fig. 2 is a block diagram of a data access device according to an embodiment of the present invention, in an embodiment, the data access device may include:
the digital certificate generation module 201 is configured to generate digital certificates for the servers in the cluster in advance, and each digital certificate is uploaded to the browser.
The client side verification digital certificate module 202 is used for feeding back corresponding digital certificate information in the browser to the client side when receiving a data access request sent by the client side; a client is any one or more servers within a cluster.
And the login page display module 203 is configured to display the login page of the browser to the client if the feedback information that the digital certificate sent by the client is successfully verified is received.
And the certificate validity judging module 204 is configured to verify the validity of the digital certificate of the client if it is judged that the login information input by the client is accurate.
And the login permitting module 205 is configured to permit the client to log in the browser for data access when the validity of the digital certificate of the client is successfully checked.
Optionally, in some embodiments of this embodiment, the apparatus may further include a digital certificate downloading module, for example, where the digital certificate downloading module is configured to revoke the digital certificate corresponding to the first server and stored in the browser when receiving a digital certificate downloading request from the first server, generate a new digital certificate for the first server, and issue the new digital certificate to the first server at the same time.
Optionally, in other embodiments of this embodiment, the digital certificate generating module 201 may be configured to, when registration requests of multiple servers are received at the same time, invoke a pre-installed OpenSSL cryptographic toolkit by using a batch processing command, and generate a digital certificate in p12 format for each corresponding server based on the self-built CA certificate and the respective user information of the servers.
The functions of the functional modules of the data access device according to the embodiments of the present invention may be specifically implemented according to the method in the foregoing method embodiments, and the specific implementation process may refer to the description related to the foregoing method embodiments, which is not described herein again.
Therefore, the embodiment of the invention has high safety, can better protect the user information and the user accessible resources, and effectively ensures the integrity, effectiveness and non-repudiation of the user data.
The data access device mentioned above is described from the perspective of the functional module, and further, the present application also provides a data access device described from the perspective of hardware. Fig. 3 is a block diagram of another data access device according to an embodiment of the present application. As shown in fig. 3, the apparatus comprises a memory 30 for storing a computer program;
a processor 31 for implementing the steps of the data access method as mentioned in the above embodiments when executing the computer program.
The processor 31 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and the like. The processor 31 may be implemented in at least one hardware form of a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array), and a PLA (Programmable Logic Array). The processor 31 may also include a main processor and a coprocessor, where the main processor is a processor for processing data in an awake state, and is also called a Central Processing Unit (CPU); a coprocessor is a low power processor for processing data in a standby state. In some embodiments, the processor 31 may be integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content required to be displayed on the display screen. In some embodiments, the processor 31 may further include an AI (Artificial Intelligence) processor for processing a calculation operation related to machine learning.
Memory 30 may include one or more computer-readable storage media, which may be non-transitory. Memory 30 may also include high speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In this embodiment, the memory 30 is at least used for storing the following computer program 301, wherein after being loaded and executed by the processor 31, the computer program can implement the relevant steps of the data access method disclosed in any of the foregoing embodiments. In addition, the resources stored by the memory 30 may also include an operating system 302, data 303, and the like, and the storage may be transient storage or permanent storage. Operating system 302 may include Windows, Unix, Linux, etc. Data 303 may include, but is not limited to, data corresponding to data access results, and the like.
In some embodiments, the data access device may further include a display 32, an input/output interface 33, a communication interface 34, a power source 35, and a communication bus 36.
Those skilled in the art will appreciate that the configuration shown in FIG. 3 does not constitute a limitation of the data access device and may include more or fewer components than those shown, such as sensor 37.
The functions of the functional modules of the data access device according to the embodiments of the present invention may be specifically implemented according to the method in the foregoing method embodiments, and the specific implementation process may refer to the description related to the foregoing method embodiments, which is not described herein again.
Therefore, the embodiment of the invention has high safety, can better protect the user information and the user accessible resources, and effectively ensures the integrity, effectiveness and non-repudiation of the user data.
It is to be understood that, if the data access method in the above embodiments is implemented in the form of software functional units and sold or used as a stand-alone product, it may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application may be substantially or partially implemented in the form of a software product, which is stored in a storage medium and executes all or part of the steps of the methods of the embodiments of the present application, or all or part of the technical solutions. And the aforementioned storage medium includes: a U disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), an electrically erasable programmable ROM, a register, a hard disk, a removable magnetic disk, a CD-ROM, a magnetic or optical disk, and other various media capable of storing program codes.
Based on this, the embodiment of the present invention further provides a computer-readable storage medium in which a data access program is stored; when executed by a processor, the data access program implements the steps of the data access method according to any one of the above embodiments.
The functions of the functional modules of the computer-readable storage medium according to the embodiment of the present invention may be specifically implemented according to the method in the foregoing method embodiment, and the specific implementation process may refer to the related description of the foregoing method embodiment, which is not described herein again.
Therefore, the embodiment of the invention has high safety, can better protect the user information and the user accessible resources, and effectively ensures the integrity, effectiveness and non-repudiation of the user data.
An embodiment of the present invention further provides a clustered security management platform, referring to fig. 4, which may include a browser 41 as a server, a plurality of servers 421, 422, …, and 42N as clients, and a data processor 43 for performing the steps of the data access method in any of the previous embodiments; each server and browser 41 registers a corresponding user role in the platform in advance.
Optionally, the browser may be Nginx, which is a high-performance HTTP and reverse proxy web server; the platform can be built on the Spring Boot framework; and the data processor can generate digital certificates for each server based on the OpenSSL cryptographic toolkit. OpenSSL is an open-source software library package that an application program can use to communicate securely, avoiding eavesdropping and confirming the identity of the party at the other end of the connection, and it can serve as a multipurpose cross-platform cryptographic tool. By adopting the OpenSSL public key technology to digitally sign the information, the integrity, the effectiveness and the non-repudiation of the data can be effectively ensured.
The functions of the functional modules of the clustered security management platform according to the embodiment of the present invention may be specifically implemented according to the method in the foregoing method embodiment, and the specific implementation process may refer to the related description of the foregoing method embodiment, which is not described herein again.
Therefore, the embodiment of the invention offers a high level of security, better protects user information and the resources the user can access, and effectively ensures the integrity, validity and non-repudiation of user data.
The embodiments are described in a progressive manner: each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be cross-referenced. Because the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief, and the relevant details can be found in the description of the method.
Those of skill in the art will further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
A data access method, a data access device, a computer-readable storage medium, and a clustered security management platform provided in the present application are described in detail above. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to assist in understanding the method and its core concepts. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present application.

Claims (10)

1. A method of data access, comprising:
generating digital certificates for all servers in the cluster in advance, and uploading all the digital certificates to a browser end;
when a data access request sent by a client is received, feeding back corresponding digital certificate information in the browser to the client; the client is any one or more servers in the cluster;
if feedback information of successful verification of the digital certificate sent by the client is received, displaying a login page of the browser to the client;
if the login information input by the client is judged to be accurate, verifying the validity of the digital certificate of the client;
and when the validity of the digital certificate of the client is successfully verified, allowing the client to log in to the browser for data access.
2. The data access method of claim 1, wherein before verifying the validity of the digital certificate of the client, the method further comprises:
when a digital certificate downloading request of a first server is received, revoking the digital certificate corresponding to the first server and stored in the browser, generating a new digital certificate for the first server, and simultaneously issuing the new digital certificate to the first server.
3. The data access method of claim 2, wherein the verifying the validity of the client's digital certificate comprises:
verifying whether the digital certificate of the client is revoked;
if the digital certificate of the client is not revoked, verifying whether the digital certificate of the client is in a valid period;
if the digital certificate of the client is in the valid period, verifying whether the digital certificate of the client is accurate;
and if the digital certificate of the client is accurate, the digital certificate of the client is valid.
4. The data access method of any one of claims 1 to 3, wherein the pre-generating digital certificates for the servers in the cluster comprises:
when registration requests from a plurality of servers are received at the same time, calling a pre-installed OpenSSL cryptographic toolkit with a batch processing command, and generating digital certificates in p12 format for the corresponding servers based on self-built CA certificates and the respective user information of the servers.
5. The data access method of claim 4, wherein the digital certificate is used by the client in verifying that the password entered by the client is accurate.
6. A data access device, comprising:
the digital certificate generation module is used for generating digital certificates for all servers in the cluster in advance, and all the digital certificates are uploaded to the browser end;
the client side verification digital certificate module is used for feeding back corresponding digital certificate information in the browser to the client side when receiving a data access request sent by the client side; the client is any one or more servers in the cluster;
the login page display module is used for displaying the login page of the browser to the client if feedback information of successful verification of the digital certificate sent by the client is received;
the certificate validity judging module is used for verifying the validity of the digital certificate of the client if the login information input by the client is judged to be accurate;
and the login permitting module is used for permitting the client to log in to the browser for data access when the validity of the digital certificate of the client is successfully verified.
7. A data access arrangement comprising a processor for implementing the steps of the data access method of any one of claims 1 to 5 when executing a computer program stored in a memory.
8. A computer-readable storage medium, having stored thereon a data access program which, when executed by a processor, implements the steps of the data access method of any one of claims 1 to 5.
9. A clustered security management platform comprising a browser as a server, a plurality of servers as clients and a data processor performing the steps of the data access method according to any one of claims 1 to 5; and each server and each browser register corresponding user roles in the platform in advance.
10. The clustered security management platform of claim 9, wherein the browser is Nginx, the system framework is springboot, and the data processor generates digital certificates for the servers based on a pre-installed OpenSSL cryptographic toolkit.
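The validity checks of claim 3, combined with the revoke-on-download rule of claim 2, modelled as an added example (not code from the patent or from the applicant). The `CertRegistry` class, the dictionary-based certificate and the HMAC that stands in for the CA's signature are assumptions chosen so the model runs on the Python standard library alone; reading "accurate" as "the signature verifies" is likewise an assumption.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone


class CertRegistry:
    """Model of the certificate store; an HMAC stands in for the CA signature."""

    def __init__(self, ca_key: bytes):
        self._ca_key = ca_key
        self._next_serial = 1
        self.current = {}     # subject -> serial of its live certificate
        self.revoked = set()  # serials revoked by a re-download (claim 2)

    def _sign(self, body: dict) -> str:
        canon = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._ca_key, canon, hashlib.sha256).hexdigest()

    def issue(self, subject: str, now: datetime, days: int = 365) -> dict:
        """Issue a certificate; a repeat request revokes the previous one."""
        if subject in self.current:
            self.revoked.add(self.current[subject])
        body = {"serial": self._next_serial, "subject": subject,
                "not_before": now.isoformat(),
                "not_after": (now + timedelta(days=days)).isoformat()}
        self.current[subject] = self._next_serial
        self._next_serial += 1
        return {"body": body, "sig": self._sign(body)}

    def validate(self, cert: dict, now: datetime) -> str:
        """Apply the claim 3 checks in order and name the first that fails."""
        body = cert["body"]
        if body["serial"] in self.revoked:
            return "revoked"
        start = datetime.fromisoformat(body["not_before"])
        end = datetime.fromisoformat(body["not_after"])
        if not start <= now <= end:
            return "outside validity period"
        if not hmac.compare_digest(cert["sig"], self._sign(body)):
            return "inaccurate"
        return "valid"


def demo() -> list:
    """Constructed scenario: server-421 downloads a certificate twice."""
    t0 = datetime(2020, 4, 16, tzinfo=timezone.utc)
    reg = CertRegistry(b"constructed-demo-key")
    old = reg.issue("server-421", t0)
    new = reg.issue("server-421", t0 + timedelta(days=2))
    return [reg.validate(c, t0 + timedelta(days=3)) for c in (old, new)]
```

In the claimed order, the revocation and validity-period checks read fields whose integrity has not yet been confirmed, so the final accuracy check is what rejects a tampered certificate. Verifiers commonly authenticate the signature first for that reason.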
CN202010300207.6A 2020-04-16 2020-04-16 Data access method, device, storage medium and cluster type security management platform Withdrawn CN111541665A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010300207.6A CN111541665A (en) 2020-04-16 2020-04-16 Data access method, device, storage medium and cluster type security management platform

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010300207.6A CN111541665A (en) 2020-04-16 2020-04-16 Data access method, device, storage medium and cluster type security management platform

Publications (1)

Publication Number Publication Date
CN111541665A true CN111541665A (en) 2020-08-14

Family

ID=71975024

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010300207.6A Withdrawn CN111541665A (en) 2020-04-16 2020-04-16 Data access method, device, storage medium and cluster type security management platform

Country Status (1)

Country Link
CN (1) CN111541665A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111970301A (en) * 2020-08-27 2020-11-20 北京浪潮数据技术有限公司 Container cloud platform safety communication system
CN112202727A (en) * 2020-09-11 2021-01-08 苏州浪潮智能科技有限公司 Server-side verification user management method, system, terminal and storage medium
CN112492044A (en) * 2020-12-09 2021-03-12 恒生电子股份有限公司 Cache data sharing method and device, equipment and computer readable storage medium
CN114157432A (en) * 2021-11-25 2022-03-08 上海派拉软件股份有限公司 Digital certificate acquisition method, device, electronic equipment, system and storage medium
CN114499940A (en) * 2021-12-22 2022-05-13 联想(北京)有限公司 Network connection method, device and computer readable medium
CN114844699A (en) * 2022-04-29 2022-08-02 济南浪潮数据技术有限公司 Method, device and medium for accessing BMC console
CN115102744A (en) * 2022-06-16 2022-09-23 京东科技信息技术有限公司 Data access method and device

Similar Documents

Publication Publication Date Title
CN111541665A (en) Data access method, device, storage medium and cluster type security management platform
CN111935094B (en) Database access method, device, system and computer readable storage medium
US10756908B1 (en) User authentication with self-signed certificate and identity verification
US10382426B2 (en) Authentication context transfer for accessing computing resources via single sign-on with single use access tokens
CN110493202B (en) Login token generation and verification method and device and server
US20200117585A1 (en) Method and apparatus for computer-aided testing of a blockchain
CN110177124B (en) Identity authentication method based on block chain and related equipment
KR20160138063A (en) Techniques to operate a service with machine generated authentication tokens
JP2017535837A (en) System and method for integrating authentication services into a network architecture
JP2017524214A (en) Company authentication through third-party authentication support
CN106796630B (en) User authentication
EP2947840A1 (en) Certificateless multi-agent signature method and apparatus
CN103716292A (en) Cross-domain single-point login method and device thereof
CN106716957A (en) Efficient and reliable attestation
CN110175448B (en) Trusted device login authentication method and application system with authentication function
CN103716285A (en) Single sign on method, proxy server and single sign on system
CN109362074A (en) The method of h5 and server-side safety communication in a kind of mixed mode APP
US20190297071A1 (en) Managing security credentials
US11283789B2 (en) Single sign-on techniques using client side encryption and decryption
US9237017B2 (en) Lightweight authentication for on-premise rich clients
US10148629B1 (en) User-friendly multifactor authentication
CN114760070A (en) Digital certificate issuing method, digital certificate issuing center and readable storage medium
CN113395275B (en) Cloud platform safety protection function control method, system and storage medium
CN116232683A (en) Authentication method, device and computer medium of industrial micro-service system
CN107787494B (en) Recovery of login across reboots

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20200814
