CN111818081A - Virtual encryption machine management method and device, computer equipment and storage medium - Google Patents

Info

Publication number: CN111818081A
Application number: CN202010710077.3A
Authority: CN (China)
Prior art keywords: encryption machine, virtual, virtual encryption, machine, network address
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN111818081B (en)
Inventors: 陈阳欣, 董志强, 李滨, 姬生利
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202010710077.3A
Publication of CN111818081A (application)
Application granted; publication of CN111818081B (granted patent)
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272 Virtual private networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533 Hypervisors; Virtual machine monitors
    • G06F 9/45558 Hypervisor-specific management and integration aspects
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/2514 Translation of Internet protocol [IP] addresses between local and global IP addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0281 Proxies
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533 Hypervisors; Virtual machine monitors
    • G06F 9/45558 Hypervisor-specific management and integration aspects
    • G06F 2009/45587 Isolation or security of virtual machine instances
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533 Hypervisors; Virtual machine monitors
    • G06F 9/45558 Hypervisor-specific management and integration aspects
    • G06F 2009/45595 Network integration; Enabling network access in virtual machine instances
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2101/00 Indexing scheme associated with group H04L 61/00
    • H04L 2101/60 Types of network addresses
    • H04L 2101/695 Types of network addresses using masks or ranges of addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application relates to cloud computing, cloud security and virtualization technologies, and in particular to a method and system for managing a virtual encryption machine (a virtual cryptographic machine virtualized from a hardware encryption machine), a computer device and a storage medium. The method comprises: receiving a service request sent by a user side through a private network, the service request carrying a first target network address, which is the network address allocated when the virtual encryption machine was deployed and used for the virtual encryption machine's external communication within the private network; obtaining the security group corresponding to the virtual encryption machine according to the first target network address; filtering the service request through the security group; and forwarding the filtered service request according to a second target network address so that it reaches the virtual encryption machine, the second target network address being the address within the private network that was allocated when the hardware encryption machine virtualized the virtual encryption machine and is used for the virtual encryption machine's internal communication. With this method, the user side never addresses the encryption machine's internal address directly, and the encryption machine's performance is protected from invalid requests and attacks.

Description

Virtual encryption machine management method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of cloud encryption technologies, and in particular to a method and apparatus for managing a virtual encryption machine, a computer device and a storage medium.
Background
In a typical secure-communication scenario, a hardware encryption machine is deployed privately (on premises) and then accessed directly to carry out the corresponding service, for example using a key distributed by the encryption machine to encrypt or sign service data so as to protect it. With direct access, however, the encryption machine may receive many invalid requests and is easily attacked, which degrades its performance.
Disclosure of Invention
In view of the above, there is a need for a virtual encryption machine management method, apparatus, computer device and storage medium that prevent the encryption machine's performance from being degraded by invalid requests or attacks.
A virtual encryption machine management method, the method comprising:
receiving a service request sent by a user side through a private network; the service request carries a first target network address, which is the network address allocated when the virtual encryption machine is deployed and used for the virtual encryption machine's external communication within the private network;
obtaining the security group corresponding to the virtual encryption machine according to the first target network address; the security group is configured according to the network isolation requirements of the virtual encryption machine when it is deployed;
filtering the service request through the security group;
obtaining a second target network address according to the first target network address, and forwarding the filtered service request according to the second target network address so that it reaches the virtual encryption machine; the second target network address is the address within the private network that was allocated when the hardware encryption machine virtualized the virtual encryption machine and is used for the virtual encryption machine's internal communication.
A virtual encryption machine management system, the system comprising:
a server, which, when an encryption machine deployment request is received, selects a virtual encryption machine from an encryption machine resource pool, obtains a first target network address for external communication within the private network according to the encryption machine identifier of the virtual encryption machine, and associates the first target network address with the virtual encryption machine; when the hardware encryption machine virtualizes the virtual encryption machine, obtains a second target network address for internal communication within the private network according to the encryption machine identifier and associates the second target network address with the virtual encryption machine; and configures a security group according to the network isolation requirements of the virtual encryption machine;
a network device, which receives a service request sent by the user side through the private network, the service request carrying the first target network address; determines the security group corresponding to the virtual encryption machine, the security group having been configured according to the network isolation requirements of the virtual encryption machine when it was deployed; filters the service request through the security group; and obtains the second target network address according to the first target network address and forwards the filtered service request according to the second target network address so that it reaches the virtual encryption machine.
A computer device comprising a memory and a processor, the memory storing a computer program, the processor carrying out the following steps when executing the computer program:
receiving a service request sent by a user side through a private network; the service request carries a first target network address, which is the network address allocated when the virtual encryption machine is deployed and used for the virtual encryption machine's external communication within the private network;
obtaining the security group corresponding to the virtual encryption machine according to the first target network address; the security group is configured according to the network isolation requirements of the virtual encryption machine when it is deployed;
filtering the service request through the security group;
obtaining a second target network address according to the first target network address, and forwarding the filtered service request according to the second target network address so that it reaches the virtual encryption machine; the second target network address is the address within the private network that was allocated when the hardware encryption machine virtualized the virtual encryption machine and is used for the virtual encryption machine's internal communication.
A computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the following steps:
receiving a service request sent by a user side through a private network; the service request carries a first target network address, which is the network address allocated when the virtual encryption machine is deployed and used for the virtual encryption machine's external communication within the private network;
obtaining the security group corresponding to the virtual encryption machine according to the first target network address; the security group is configured according to the network isolation requirements of the virtual encryption machine when it is deployed;
filtering the service request through the security group;
obtaining a second target network address according to the first target network address, and forwarding the filtered service request according to the second target network address so that it reaches the virtual encryption machine; the second target network address is the address within the private network that was allocated when the hardware encryption machine virtualized the virtual encryption machine and is used for the virtual encryption machine's internal communication.
With the virtual encryption machine management method, apparatus, computer device and storage medium above, a virtual encryption machine is deployed and assigned, within a private network, a first target network address for external communication and a second target network address for internal communication. The user side sends its service request to the first target network address, and the request is forwarded to the virtual encryption machine via the second target network address, so the user side never accesses the encryption machine directly and the security of the virtual encryption machine is preserved. In addition, service requests are filtered by the security group before they are sent to the virtual encryption machine, which blocks malicious requests and floods of irrelevant or invalid requests, preserves the virtual encryption machine's network throughput and helps improve its performance.
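The request path described above (deployment records a VIP and an internal address for the VSM and binds a security group; the gateway looks the VSM up by the VIP, filters by the security group, then rewrites the destination to the internal address) can be modelled in a few dozen lines. The code below is an added illustration written for this page, not Tencent's implementation or anything taken from the patent: the data model, the `VpcGateway` class, the service port 8018, the addresses and the rule format are all constructed, and the choice that a packet passes if any bound security group accepts it is an assumption the page does not settle.

```python
"""Model of the request path: VIP lookup -> security-group filter -> DNAT to the VSM's
internal address. Hypothetical data model written for this page; it is not Tencent's
implementation, and all identifiers, addresses and the port number are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One ingress rule of a security group."""
    action: str          # "ACCEPT" or "DROP"
    source: str          # CIDR the client address must fall in
    protocol: str        # "tcp", "udp" or "all"
    port_range: tuple    # inclusive (low, high); (0, 65535) matches any port

    def matches(self, src_ip: str, protocol: str, port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
                and self.protocol in ("all", protocol)
                and self.port_range[0] <= port <= self.port_range[1])


@dataclass
class SecurityGroup:
    name: str
    ingress: list  # rules evaluated in order, first match wins; no match means DROP

    def allows(self, src_ip: str, protocol: str, port: int) -> bool:
        for rule in self.ingress:
            if rule.matches(src_ip, protocol, port):
                return rule.action == "ACCEPT"
        return False


@dataclass
class VsmRecord:
    vsm_id: str
    vip: str                  # first target address: the only one the tenant sees in the VPC
    internal_ip: str          # second target address: assigned when the HSM virtualized the VSM
    security_groups: list = field(default_factory=list)


class VpcGateway:
    """Deployment-time records plus the data-plane step that uses them."""

    def __init__(self):
        self._by_vip = {}

    def deploy(self, vsm_id, vip, internal_ip, groups):
        # Deployment: associate VIP -> VSM -> (internal IP, bound security groups).
        rec = VsmRecord(vsm_id, vip, internal_ip, list(groups))
        self._by_vip[vip] = rec
        return rec

    def handle(self, packet: dict):
        """packet = {"src", "dst", "proto", "dport", "payload"}; dst is the address the client used."""
        rec = self._by_vip.get(packet["dst"])
        if rec is None:
            return ("DROP", "destination is not a deployed VSM address")
        # Assumption: the packet passes if any security group bound to the VSM accepts it.
        if not any(sg.allows(packet["src"], packet["proto"], packet["dport"])
                   for sg in rec.security_groups):
            return ("DROP", f"rejected by security group(s) of {rec.vsm_id}")
        # Destination NAT: rewrite the VIP to the internal address before forwarding.
        return ("FORWARD", {**packet, "dst": rec.internal_ip})


SAMPLE_PORT = 8018  # hypothetical VSM service port


def build_demo_gateway() -> VpcGateway:
    """Constructed deployment: one VSM reachable only from the 10.0.1.0/24 app subnet."""
    gw = VpcGateway()
    app_servers_only = SecurityGroup("sg-vsm-app", [
        Rule("ACCEPT", "10.0.1.0/24", "tcp", (SAMPLE_PORT, SAMPLE_PORT)),
        Rule("DROP", "0.0.0.0/0", "all", (0, 65535)),
    ])
    gw.deploy("vsm-demo-1", vip="10.0.0.10", internal_ip="192.168.100.5",
              groups=[app_servers_only])
    return gw


def run_demo():
    """Constructed traffic: one legitimate request, then three that must not reach the VSM."""
    gw = build_demo_gateway()
    packets = [
        {"src": "10.0.1.20", "dst": "10.0.0.10", "proto": "tcp", "dport": SAMPLE_PORT, "payload": "sign"},
        {"src": "10.0.9.7",  "dst": "10.0.0.10", "proto": "tcp", "dport": SAMPLE_PORT, "payload": "sign"},
        {"src": "10.0.1.20", "dst": "10.0.0.10", "proto": "tcp", "dport": 22,          "payload": "ssh"},
        {"src": "10.0.1.20", "dst": "10.0.0.99", "proto": "tcp", "dport": SAMPLE_PORT, "payload": "sign"},
    ]
    return [gw.handle(p) for p in packets]


if __name__ == "__main__":
    for verdict, detail in run_demo():
        print(verdict, detail)
```

Only the first packet is forwarded, and it leaves the gateway with `dst` rewritten to `192.168.100.5`, so the internal address never appears in anything the tenant sends or receives. The other three are dropped before any cryptographic work is done, which is the performance argument the patent makes: the HSM's capacity is not spent on traffic from unexpected subnets, unexpected ports, or addresses that were never bound to a VSM.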
Drawings
FIG. 1 is a diagram of an application environment of a virtual cryptographic engine management method in one embodiment;
FIG. 2 is a flow diagram that illustrates a method for virtual cryptographic engine management in one embodiment;
FIG. 3 is a flowchart illustrating the step of issuing security groups in one embodiment;
FIG. 4 is a schematic diagram of a page showing a virtual cryptographic machine in one embodiment;
FIG. 5 is a diagram of an interface for selecting a security group, according to one embodiment;
FIG. 6 is a block diagram illustrating an embodiment of a security group controlling VSM traffic using outbound and inbound rules in a VPC network;
FIG. 7 is a block diagram illustrating the communication of a virtual encryption machine with a VIP address in one embodiment;
FIG. 8 is a flowchart illustrating a method for managing a virtual cryptographic engine in accordance with another embodiment;
FIG. 9 is a flowchart illustrating migration steps performed when an exception occurs in the virtual cryptographic machine in one embodiment;
FIG. 10a is a flowchart that illustrates the steps of deploying a virtual cryptographic machine, in one embodiment;
FIG. 10b is a flowchart that illustrates the steps of deploying a virtual cryptographic machine, in one embodiment;
FIG. 11 is a schematic diagram of an encryptor configuration page in one embodiment;
FIG. 12 is a block diagram of a system architecture in accordance with one embodiment;
FIG. 13 is a schematic structural diagram of the client side in one embodiment;
FIG. 14 is a flowchart illustrating the steps of deploying a virtual cryptographic machine in another embodiment;
FIG. 15 is a block diagram illustrating an architecture of an operator in one embodiment;
FIG. 16 is a block diagram illustrating the architecture of traffic flows in one embodiment;
FIG. 17 is a schematic diagram of an interface for remotely connecting to a cloud CVM in one embodiment;
FIG. 18 is a page diagram of a landing page for the CVM to manage virtual crypto-machines in one embodiment;
FIG. 19 is a block diagram showing the structure of an apparatus for deploying an encryption engine according to an embodiment;
FIG. 20 is a diagram illustrating an internal structure of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The present application involves the technical fields of cloud computing, cloud security and virtualization, which are introduced in turn below:
cloud computing (cloud computing) is a computing model that distributes computing tasks over a pool of resources formed by a large number of computers, enabling various application systems to obtain computing power, storage space, and information services as needed. The network that provides the resources is referred to as the "cloud". Resources in the "cloud" appear to the user as being infinitely expandable and available at any time, available on demand, expandable at any time, and paid for on-demand.
As the basic capability provider of cloud computing, a cloud computing resource pool, referred to as an IaaS (Infrastructure as a Service) platform, is established, and multiple types of virtual resources are deployed in the resource pool for external clients to select and use.
According to the logic function division, a PaaS (Platform as a Service) layer can be deployed on an IaaS (Infrastructure as a Service) layer, a SaaS (Software as a Service) layer is deployed on the PaaS layer, and the SaaS can be directly deployed on the IaaS. PaaS is a platform on which software runs, such as a database, a web container, etc. SaaS is a variety of business software, such as web portal, sms, and mass texting. Generally speaking, SaaS and PaaS are upper layers relative to IaaS.
Cloud security is the general term for the security software, hardware, users, organizations and secure cloud platforms applied to cloud-based business models. Cloud security combines emerging technologies and concepts such as parallel processing, grid computing and unknown-virus behaviour analysis: a large number of meshed clients monitor software behaviour in the network for anomalies, the latest information on trojans and malicious programs on the Internet is collected and sent to the server for automatic analysis and processing, and the resulting virus and trojan countermeasures are distributed back to each client.
The main research directions of cloud security are: 1) cloud computing security, which studies how to secure the cloud and the applications on it, including the security of the cloud computing system itself, secure storage and isolation of user data, user access authentication, transmission security, protection against network attacks, and compliance auditing; 2) cloud-based security infrastructure, which studies how to use cloud computing to build and integrate security infrastructure resources and optimize protection mechanisms, for example building a very large-scale platform for collecting and processing security events and information, performing collection and correlation analysis of massive amounts of data, and improving network-wide security event handling and risk control; 3) cloud security services, which studies the security services (anti-virus and the like) provided to users on a cloud computing platform.
Virtualization is a resource-management (optimization) technology that abstracts and transforms the various physical resources of a computer (CPU, memory, disk space, I/O devices such as network adapters, and so on) and presents them so that they can be divided and recombined into one or more virtual computers. Virtualization removes the constraint that a computer's internal physical structure cannot be divided, allowing users to apply the hardware resources in a better configuration than the original one; the virtual form of these resources is not tied to the existing installation, location or physical configuration. Virtualization is a broad term that can be subdivided into:
platform Virtualization (Platform Virtualization): virtualization for computers and operating systems.
Resource Virtualization (Resource Virtualization): virtualization for specific system resources such as memory, storage, network resources, etc.
Application Virtualization (Application Virtualization): including emulation, simulation, interpretation techniques, etc., such as a Java Virtual Machine (JVM).
Virtualization is used here to virtualize a number of virtual encryption machines of different types, forming an encryption machine resource pool from which a user can apply for a virtual encryption machine through the cloud platform.
Before explaining the virtual encryption machine management method provided by the present application, the terms involved are defined as follows:
Cloud encryption machine: starting from a nationally certified hardware security module (HSM), virtualization technology is used to create virtual encryption machines of the corresponding type; the resulting virtual encryption machines provide data-security services on the cloud, such as elastic, highly available, high-performance data encryption and decryption and key management.
Cloud Virtual Machine (CVM): an elastic computing service that lets the user configure CPU, memory, disk, network, security and other resources, which can be changed as business needs change.
Virtual Private Cloud (VPC): a dedicated network space on the cloud that provides network services to resources on the cloud platform or cloud system; different VPCs are completely logically isolated from one another. As the user's private network space on the cloud, the VPC is managed through software-defined networking, giving the user control of IP (Internet Protocol) address assignment, subnets, route tables, network access control lists (ACLs), flow logs and similar functions. A VPC also supports several ways of reaching the Internet, such as elastic IPs and NAT (Network Address Translation) gateways, with several billing modes and bandwidth packages to help the user control cost. A VPN (Virtual Private Network) connection or a dedicated line can link the VPC to the user's on-premises data center, flexibly forming a hybrid cloud.
Distributed Firewall (DFW): a virtual firewall that provides stateful packet filtering in the form of security groups. It is used to set network access control for one or more cloud resources, is an important means of network security isolation, and is an effective way of completely isolating the cloud resources of different users from one another. The distributed firewall takes the security group as its logical unit: cloud resource instances in the same region with the same network security isolation requirements can be placed in the same security group, and the user filters the ingress and egress traffic of those instances through the security group's policy. Cloud resource instances include, but are not limited to, cloud servers, elastic network interfaces and cloud encryption machines.
The Virtual Security Module (VSM) types supported by the cloud platform in the present application are:
Financial data encryption machine (EVSM): a cloud encryption instance meeting GM/T 0045-2016 (financial data cryptographic machine technical specification). It can be used in financial payment to protect financial data, matches the business characteristics of financial magnetic-stripe cards and IC cards, and mainly implements cryptographic management functions such as PIN encryption, PIN translation, MAC generation and verification, data encryption and decryption, signature verification and key management.
General server encryption machine (GVSM): a cloud encryption instance meeting GM/T 0030-2014 (server cryptographic machine technical specification). It provides international and domestic general-purpose cryptographic service interfaces and can provide cryptographic services and key management services to multiple application entities independently or in parallel.
Signature verification server encryption machine (SVSM): a cloud encryption instance meeting GM/T 0029-2014 (signature verification server technical specification). It provides operations such as digital signing and signature verification based on a PKI system and digital certificates, and guarantees the authenticity, integrity and non-repudiation of key service information.
The virtual encryption machine management method provided by the present application can be applied in the environment shown in FIG. 1. The user terminal 102 communicates with the cloud platform 104 through a private network. The cloud platform 104 receives a service request sent by the user terminal 102 through the private network; the service request carries a first target network address, which is the network address allocated when the virtual encryption machine was deployed and used for the virtual encryption machine's external communication within the private network. The cloud platform determines the security group corresponding to the virtual encryption machine, the security group having been configured according to the network isolation requirements of the virtual encryption machine when it was deployed; filters the service request through that security group; and forwards the filtered service request according to a second target network address so that it reaches the virtual encryption machine. The second target network address is the address within the private network that was allocated when the hardware encryption machine virtualized the virtual encryption machine and is used for the virtual encryption machine's internal communication.
The user terminal 102 may be a terminal on the user side, such as a smartphone, tablet, laptop, desktop computer, smart speaker or smart watch; it may also be a service device on the user side, such as a service server.
The cloud platform 104 may be a cloud service platform made up of servers, network devices and encryption machines, and may provide basic cloud computing services such as cloud servers, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, a Content Delivery Network (CDN), and big data and artificial intelligence platforms. The server may be a cloud server that supports user-defined resources (CPU, memory, disk, network, security and so on) which can be changed as required. The network device may be a device in the private network, such as a VPC secure access gateway, a VPC gateway (that is, a private network gateway), a private network gateway master, or an underlying physical gateway. The encryption machine may be a virtual encryption machine or a hardware encryption machine; a hardware encryption machine can virtualize several virtual encryption machines, and a virtual encryption machine runs inside the hardware encryption machine when it serves business requests. The hardware encryption machine may be an encryption machine cluster made up of several hardware encryption machines of different types.
In one embodiment, as shown in FIG. 2, a virtual encryption machine management method is provided, which may be performed by the cloud platform 104 alone or by the terminal 102 in cooperation with the cloud platform 104. Taking its application to the cloud platform 104 in FIG. 1 as an example, the method includes the following steps:
S202: receiving a service request sent by the user side through the private network.
The service request carries a first target network address. The first target network address may be an IP address: the address within the private network that was allocated when the virtual encryption machine was deployed and is used for the virtual encryption machine's external communication. For example, the first target network address may be an IP address applied for on behalf of the virtual encryption machine in the private network, referred to as a VIP address, which may be exposed to the user. The service request carries the first target network address as its destination address and a source address, the source address being the network address of the user terminal.
The service request may be a data request packet that asks the cloud platform for a business service. It may carry service data, that is, the data on which the cloud platform service operates: if the request carries data to be encrypted, a virtual encryption machine in the cloud platform encrypts it; if it carries a digital signature, the virtual encryption machine verifies the signature.
The private network is a virtual private cloud (VPC) network; in practice it may be a virtual private network.
And S204, acquiring a security group corresponding to the virtual encryption machine according to the first target network address.
The security group is configured according to the network isolation requirement of the virtual encryption machine when the virtual encryption machine is deployed, and is a component unit of the distributed firewall. The security group is a logical group, virtual encryption machines with the same network security isolation requirements in the same use area can be added into the same security group, and the ingress and egress traffic of the virtual encryption machines can be subjected to security filtering through the policy of the security group. The distributed firewall is composed of a plurality of security groups, is provided with a data packet filtering function, is used for setting network access control of one or more virtual encryption machines, and is an effective means for completely isolating the virtual encryption machines among users and a network security isolation means.
In one embodiment, the cloud platform determines a virtual encryption machine to be accessed according to the service request, and acquires a corresponding security group according to the network isolation requirement of the virtual encryption machine. When the virtual encryption machine is deployed, a plurality of security groups can be configured, and when a user side accesses the virtual encryption machine through a service request, the service request can be filtered through one or more configured security groups.
In one embodiment, the configuring of the security group comprises: the cloud platform receives a security group configuration request; selecting at least one security group to be configured according to the security group configuration request; and establishing an association relationship between the virtual encryption machine and the security group, namely adding the virtual encryption machine to the protection range of the security group so as to filter data packets accessing the virtual encryption machine.
In one embodiment, when the basic parameters and the network parameters of the virtual encryption machine are selected in the encryption machine configuration page, the user side returns to the console page. At this time, the information of the virtual encryption machine and the configuration entry of the security group are displayed on the console page. The information of the virtual cryptographic machine includes, but is not limited to, the identification or name of the virtual cryptographic machine, the status, the intranet IP address, the private network, the type, the available region, the expiration time, and the model number of the hardware cryptographic machine.
In one embodiment, when a trigger instruction for the configuration entry on the console page is detected, the user side enters a security group configuration page in which a plurality of security groups are displayed; when a security group selection instruction sent by the user side is received, the cloud platform selects the designated security group according to the security group selection instruction and then issues the selected security group, for example to a service on the corresponding server.
In one embodiment, the cloud platform may add virtual crypto machines that have been deployed by the user and have the same network security isolation requirements to the same issued security group.
Here, adding virtual encryption machines with the same network security isolation requirement to the same security group means bringing those virtual encryption machines into the protection range of the same security group, so that the security group performs security filtering on the data packets entering and leaving each of those virtual encryption machines.
As an example, the configuration and issuing of security groups may proceed as in fig. 3: after the user selects a virtual encryption machine through the user terminal and clicks to configure its security groups (as shown in fig. 4), the cloud platform obtains all security groups and sends them to the user terminal, the user terminal displays them on a security group configuration page, and the user selects the required security group (as shown in fig. 5) from those displayed; after the user clicks the confirmation button, an issuing instruction is generated and the cloud platform issues the selected security group. Once issued, the security group controls the VSM traffic under the VPC network using its inbound and outbound rules, as shown in fig. 6. The inbound and outbound rules are the security policies of the security group, i.e., they define how the service request is filtered, so that requests that are invalid or carry a potential security risk are filtered out.
As shown in fig. 6, the security group may perform security filtering on the data packet from the subnet b, and when the data packet passes the security filtering, the data packet can be sent to the virtual encryption machine. In addition, the security group can also perform security filtering on the data packet sent by the virtual encryption machine, and when the data packet passes the security filtering, the data packet can be sent to the subnet b.
S206, filtering the service request through the security group.
The filtering of the service requests refers to filtering the service requests which do not accord with the access conditions, and only keeping the service requests which accord with the access conditions.
In one embodiment, S206 may specifically include: the cloud platform filters, through the security group, those service requests that do not match a preset service type. For example, if the virtual encryption machine is deployed for financial transactions, the cloud platform filters out service requests of a non-financial type, so that the security group blocks them from accessing the virtual encryption machine.
In one embodiment, S206 may specifically include: in the service request, the cloud platform filters the service request of which the source address does not belong to the set use area when the service request is deployed through the security group. For example, when a virtual encryption machine is deployed, the use area of the virtual encryption machine is set to be an X city, and then, if the cloud platform receives a service request sent by a user end of a Y city, the service request can be filtered out by the security group, so that the service request from the Y city can be prevented from accessing the virtual encryption machine.
In one embodiment, S206 may specifically include: and the cloud platform filters the service requests through the security group so as to filter the service requests with risks. For example, the service request includes a trojan horse or a virus program with a potential safety hazard, and the cloud platform filters the service request through the security group, so that the service request with the potential safety hazard can be prevented from accessing the virtual encryption machine.
S208, a second target network address is obtained according to the first target network address, and the filtered service request is forwarded according to the second target network address so as to be sent to the virtual encryption machine.
The second target network address is a network address which is allocated when the hardware encryption machine virtualizes the virtual encryption machine and is a network address under a private network of the internal communication of the virtual encryption machine. When a virtual encryption machine is virtualized out, a hardware encryption machine in the cloud platform may bind an RSIP address to the virtual encryption machine to be used as an internal communication address of the virtual encryption machine. The first target network address and the second target network address are a pair of network addresses, the first target network address is used for external communication by the virtual encryption machine, and the second target network address is used for internal communication by the virtual encryption machine, namely, the user end can send a service request to the virtual encryption machine through the exposed first target network address, and when the service request reaches the private network gateway, the service request is forwarded through the second target network address of the internal communication, so that the access to the virtual encryption machine is realized.
In one embodiment, the cloud platform replaces the destination address of the filtered service request, originally the first target network address, with the second target network address, so that the filtered service request is forwarded using the second target network address and reaches the virtual encryption machine, thereby realizing access to the virtual encryption machine.
For the user end, accessing the first target network address means accessing the virtual encryption machine, and the real virtual encryption machine communicates with the first target network address through the second target network address. For example, as shown in fig. 7, a user accesses the virtual encryption machine through an externally exposed VIP address, and when receiving a service request of the user, a VPC gateway in the cloud platform sends the service request to an RSIP address of the virtual encryption machine through a set VPC-side route forwarding policy and an UnderLay route forwarding policy, so as to access the virtual encryption machine, thereby obtaining a service provided by the virtual encryption machine.
In order to more clearly and intuitively understand the virtual encryption machine management method, the description is made with reference to a specific scenario, where a user side establishes a communication connection with a cloud platform through a VPN, and with reference to fig. 1, 7, and 8, the virtual encryption machine management method includes:
S802, the user side sends a service request through the virtual private network.
As shown in fig. 7, the VIP address is 192.168.1.1, and the number of bits of the subnet mask is 24.
And S804, when the VPC security access gateway receives the service request, forwarding the service request to a cloud server (CVM).
And S806, when receiving the service request, the cloud server sends the service request to the VPC gateway through the Subneta network.
And S808, after receiving the service request carrying the VIP address, the VPC gateway performs security filtering on the received service request through the security group.
And S810, the VPC gateway forwards the filtered service request to a virtual encryption machine through a private network gateway (VPC-GW) master machine and an underLay physical gateway by utilizing the RSIP address.
Before forwarding the filtered service request, the VIP address in the service request is replaced with the RSIP address, and then the filtered service request is forwarded by using the RSIP address. As shown in fig. 7, the RSIP address is 10.1.1.1, and the number of bits of the subnet mask is 24.
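The filtering and address rewriting of S204-S208 (and of S808-S810 in the scenario above, including the egress direction of fig. 6), as an added example in Python that is not part of the patent. The VIP 192.168.1.1 and RSIP 10.1.1.1 are the addresses from fig. 7; the range of subnet b, the operator host, the service and management port numbers and the rule sets are constructed assumptions, since the description names a service port and a management and control port but not their numbers. The security group is modelled as the stateless, default-deny, first-match packet filter the description calls a unit of the distributed firewall. Because both ports are exposed through the same VIP, the example opens the management port to a single operator host only, which is the rule a practitioner would want here.

```python
"""Security-group filtering and VIP -> RSIP forwarding at the VPC gateway.

Added example, not from the patent.  Only the VIP 192.168.1.1/24 and the
RSIP 10.1.1.1/24 come from the description (fig. 7); subnet b, the operator
host, the port numbers and the rules are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class ServiceRequest:
    src: str           # source address: the user side
    dst: str           # first target network address (VIP), or RSIP after rewrite
    dport: int         # service port or management port of the virtual encryption machine
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    direction: str     # "in" (towards the VSM) or "out" (from the VSM)
    action: str        # "allow" or "deny"
    cidr: str          # peer address range the rule matches
    port: Optional[int] = None   # None matches any port
    proto: str = "tcp"

    def matches(self, direction: str, peer: str, port: int, proto: str) -> bool:
        return (self.direction == direction
                and self.proto == proto
                and (self.port is None or self.port == port)
                and ip_address(peer) in ip_network(self.cidr))


class SecurityGroup:
    """Stateless packet filter: rules are evaluated in order, the first match
    decides, and anything no rule allows is dropped (default deny)."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = list(rules)

    def permits(self, direction: str, peer: str, port: int, proto: str = "tcp") -> bool:
        for rule in self.rules:
            if rule.matches(direction, peer, port, proto):
                return rule.action == "allow"
        return False


SERVICE_PORT = 8018          # constructed: the patent gives no port numbers
MANAGE_PORT = 8888           # constructed
SUBNET_B = "192.168.2.0/24"  # constructed: the user-side subnet b of fig. 6
OPERATOR_HOST = "192.168.2.100/32"   # constructed: the only host allowed to manage

sg_finance = SecurityGroup("sg-finance-vsm", [
    Rule("in", "allow", OPERATOR_HOST, MANAGE_PORT),   # management port: operator only
    Rule("in", "allow", SUBNET_B, SERVICE_PORT),       # business traffic from subnet b
    Rule("out", "allow", SUBNET_B),                    # replies may leave to subnet b only
])

# VIP -> RSIP pair bound at deployment (fig. 7) and the security groups issued per VIP.
VIP_TO_RSIP = {"192.168.1.1": "10.1.1.1"}
VIP_TO_SG = {"192.168.1.1": [sg_finance]}


def vpc_gateway_forward(req: ServiceRequest) -> Optional[ServiceRequest]:
    """S204-S208 / S808-S810: look up the security group(s) by the VIP, filter
    the request, then rewrite the destination to the RSIP for underlay
    forwarding.  Returns None when the request is dropped."""
    groups = VIP_TO_SG.get(req.dst)
    if groups is None:
        return None                    # VIP not allocated to any virtual encryption machine
    # When several groups are bound to one VSM, every group must permit the request.
    if not all(g.permits("in", req.src, req.dport, req.proto) for g in groups):
        return None
    return ServiceRequest(req.src, VIP_TO_RSIP[req.dst], req.dport, req.proto)


def vsm_reply_forward(rsip: str, peer: str, peer_port: int, proto: str = "tcp") -> Optional[str]:
    """Egress direction of fig. 6: a packet sent by the VSM is filtered by the
    same group(s) and, if permitted, leaves with the VIP as its source address."""
    vip = next((v for v, r in VIP_TO_RSIP.items() if r == rsip), None)
    if vip is None:
        return None
    if not all(g.permits("out", peer, peer_port, proto) for g in VIP_TO_SG[vip]):
        return None
    return vip


if __name__ == "__main__":
    for r in (ServiceRequest("192.168.2.10", "192.168.1.1", SERVICE_PORT),
              ServiceRequest("172.16.0.5", "192.168.1.1", SERVICE_PORT),
              ServiceRequest("192.168.2.10", "192.168.1.1", MANAGE_PORT)):
        print(r, "->", vpc_gateway_forward(r))
```

The VIP is the only address the user side ever sees; the RSIP appears solely in the rewritten request the gateway hands to the underlay, which is what keeps the hardware-side address of the virtual encryption machine unreachable from the tenant network.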
In the above embodiment, the virtual encryption machine is deployed, and a first target network address for external communication and a second target network address for internal communication are allocated to it in the private network. The user side sends the service request using the first target network address, and the service request is forwarded to the virtual encryption machine through the second target network address, so that the user side never accesses the encryption machine directly and the security of the virtual encryption machine is ensured. In addition, before service requests reach the virtual encryption machine they are filtered by the security group, which blocks malicious requests and prevents flooding by irrelevant or invalid requests, preserving the network throughput of the virtual encryption machine and improving its performance.
In one embodiment, as shown in fig. 9, the method may further include:
and S902, acquiring the running information of the virtual encryption machine.
The running information may be information generated by the virtual encryption machine in the running process, and whether the virtual encryption machine is abnormal or not may be judged according to the running information.
And S904, judging whether the virtual encryption machine is abnormal or not according to the running information.
S906a, if at least two deployed virtual encryption machines are provided and it is determined according to the running information that the virtual encryption machines in the use state are abnormal, selecting a target virtual encryption machine which is not abnormal from the deployed virtual encryption machines.
Wherein the communication connection is a connection established based on a private network.
S908a, migrating the communication connection with the virtual encryption machine in use to establish a communication connection with the target virtual encryption machine.
S906b, if only one virtual encryption machine is deployed and it is determined according to the running information that this virtual encryption machine is abnormal, selecting a target virtual encryption machine which is not abnormal from the encryption machine resource pool.
The virtual encryption machine to be accessed currently is a deployed virtual encryption machine.
S908b, migrating the communication connection with the virtual encryption machine to establish a communication connection with the target virtual encryption machine.
In one embodiment, the cloud platform judges according to the running information whether the virtual encryption machine is abnormal and, if so, migrates the communication connection between the private network and the virtual encryption machine, so that the private network gateway in the cloud platform is connected to a target virtual encryption machine that is not abnormal. After the migration, the first target network address of the target virtual encryption machine is communicated to the user side, so that the user side sends subsequent service requests using the first target network address of the target virtual encryption machine; those requests are then forwarded based on the second target network address of the target virtual encryption machine, realizing access to it.
In one implementation, the migrating the communication connection between the private network and the virtual encryption machine may specifically include: and a private network gateway in the cloud platform establishes communication connection with a target virtual encryption machine which is not abnormal based on a private network, and disconnects the communication connection with the virtual encryption machine.
In an embodiment, if it is determined according to the running information that the virtual encryption machine is abnormal, the cloud platform may send a prompt message to the user side and/or the operation side so as to alert the user and/or the operator. The prompt can be presented as a text display, and/or a voice broadcast, and/or a flashing virtual encryption machine identifier.
The encryption machine resource pool is formed by virtual encryption machines of different types, such as a plurality of virtual encryption machines of the EVSM, GVSM, SVSM and other types. The different types of virtual encryption machines can be virtualized by the same hardware encryption machine or by hardware encryption machines of different types.
In the embodiment, when the virtual encryption machine in the use state is abnormal, the virtual encryption machine can be timely migrated to be in communication connection with the target virtual encryption machine which is not abnormal, so that the business service of the user can be recovered fastest at the minimum cost. In addition, when an abnormality occurs, a prompt can be given in real time so that the abnormality can be checked in time.
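The anomaly check and connection migration of S902-S908 (fig. 9), with the user notification and operator alert of the embodiments above, as an added example in Python that is not part of the patent. The description does not say what the running information contains or how an anomaly is judged; the heartbeat and failed-operation fields, the thresholds, the identifiers and addresses, and the preference for a target on different hardware than the failed machine are constructed assumptions.

```python
"""Anomaly detection and connection migration for virtual encryption machines
(S902-S908).  Added example, not part of the patent: the fields of the running
information, the anomaly thresholds, the VSM identifiers and addresses and the
connection record are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Vsm:
    vsm_id: str
    vsm_type: str            # EVSM / GVSM / SVSM
    hsm_id: str              # hardware encryption machine hosting it
    rsip: str                # second target network address (internal)
    vip: Optional[str]       # first target network address; None until deployed


@dataclass
class RunInfo:
    """Running information reported by a VSM (constructed fields)."""
    vsm_id: str
    last_heartbeat: float    # timestamp of the last heartbeat, seconds
    failed_ops: int          # failed cryptographic operations in the window
    total_ops: int           # all cryptographic operations in the window


@dataclass
class Connection:
    """Private-network connection between the VPC gateway and a VSM for one user."""
    user: str
    vsm_id: str


HEARTBEAT_TIMEOUT = 30.0     # assumption: no heartbeat for 30 s -> abnormal
MAX_FAIL_RATE = 0.05         # assumption: more than 5 % failed operations -> abnormal


def is_abnormal(info: RunInfo, now: float) -> bool:
    """S904: judge from the running information whether the VSM is abnormal."""
    if now - info.last_heartbeat > HEARTBEAT_TIMEOUT:
        return True
    return info.total_ops > 0 and info.failed_ops / info.total_ops > MAX_FAIL_RATE


def pick_target(current: Vsm, deployed: List[Vsm], pool: List[Vsm],
                abnormal: Set[str]) -> Optional[Vsm]:
    """S906a/S906b: prefer another healthy VSM of the same type that the user
    already deployed; only if none exists fall back to the resource pool.  In
    both cases prefer a VSM on different hardware than the failed one, since a
    hardware fault is the likeliest cause of the anomaly."""
    def healthy(cands: List[Vsm]) -> List[Vsm]:
        return [v for v in cands
                if v.vsm_id != current.vsm_id
                and v.vsm_id not in abnormal
                and v.vsm_type == current.vsm_type]
    candidates = healthy(deployed) or healthy(pool)
    if not candidates:
        return None
    candidates.sort(key=lambda v: (v.hsm_id == current.hsm_id, v.vsm_id))
    return candidates[0]


def migrate_if_abnormal(conn: Connection, deployed: List[Vsm], pool: List[Vsm],
                        infos: Dict[str, RunInfo], now: float,
                        allocate_vip: Callable[[], str]) -> dict:
    """S902-S908: if the VSM behind the connection is abnormal, re-point the
    connection at a healthy target and report the VIP the user side must use
    from now on, plus the alert for the operation side.  A target taken from
    the pool is given a fresh VIP by `allocate_vip`."""
    by_id = {v.vsm_id: v for v in deployed + pool}
    abnormal = {i.vsm_id for i in infos.values() if is_abnormal(i, now)}
    current = by_id[conn.vsm_id]
    if current.vsm_id not in abnormal:
        return {"migrated": False, "vsm_id": current.vsm_id, "notify_vip": None, "alert": None}
    target = pick_target(current, deployed, pool, abnormal)
    if target is None:
        return {"migrated": False, "vsm_id": current.vsm_id, "notify_vip": None,
                "alert": f"{current.vsm_id} abnormal, no healthy {current.vsm_type} available"}
    if target.vip is None:
        target.vip = allocate_vip()     # pool machine: allocate its first target network address
    conn.vsm_id = target.vsm_id         # the gateway now connects to the target
    return {"migrated": True, "vsm_id": target.vsm_id, "notify_vip": target.vip,
            "alert": f"{current.vsm_id} abnormal, connection migrated to {target.vsm_id}"}


def demo_vsms():
    """Constructed data: two deployed EVSMs on different hardware, two spares in the pool."""
    deployed = [Vsm("vsm-01", "EVSM", "hsm-A", "10.1.1.1", "192.168.1.1"),
                Vsm("vsm-03", "EVSM", "hsm-B", "10.1.2.1", "192.168.1.2")]
    pool = [Vsm("vsm-02", "EVSM", "hsm-A", "10.1.1.2", None),
            Vsm("vsm-07", "EVSM", "hsm-C", "10.1.3.1", None)]
    return deployed, pool


if __name__ == "__main__":
    deployed, pool = demo_vsms()
    infos = {"vsm-01": RunInfo("vsm-01", 0.0, 0, 100),     # heartbeat stale
             "vsm-03": RunInfo("vsm-03", 95.0, 1, 100)}    # healthy
    conn = Connection("user-1", "vsm-01")
    print(migrate_if_abnormal(conn, deployed, pool, infos, 100.0, lambda: "192.168.1.9"))
```

The connection record is what the private network gateway switches; the user side only learns the new VIP, so the migration needs no change on the user side beyond updating the destination address of its next service request.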
In one embodiment, as shown in fig. 10a, the method may further include:
S1002, an encryption machine deployment request is received.
In one embodiment, the cloud platform receives an encryption machine deployment request carrying configuration parameters, which is triggered by a user side from an encryption machine configuration page. The configuration parameters comprise the type of the encryption machine, basic parameters of the virtual encryption machine and network parameters.
The encryption machine configuration page may be a page for selecting the basic parameters and the network parameters. The basic parameters include the use area (i.e. available region) and the deployment number, and other default parameters; such as private network parameters and subnet parameters, for example, as shown in fig. 11, the private network parameters may be vpc-kohin2n | test _ chsm _ vpc, and the subnet parameters may be subnet-n0ball4| test _ chsm _ subnet.
Other default parameters include the operational performance of the virtual encryption machine, the supported cryptographic algorithms, the manufacturer identifier and the model of the hardware encryption machine corresponding to the virtual encryption machine, and the like. The operational performance includes, but is not limited to: the data communication protocol (e.g., TCP/IP), the maximum number of concurrent connections (e.g., 64), SM1 encryption performance (e.g., 4000 operations/second), SM2 signature performance (e.g., 2300 operations/second), SM2 signature verification performance (e.g., 1600 operations/second), RSA2048 public key performance (e.g., 2400 operations/second), and RSA2048 private key performance (e.g., 200 operations/second). The cryptographic algorithms include, but are not limited to: symmetric algorithms (e.g., SM1/SM4/DES/3DES/AES), asymmetric algorithms (e.g., SM2, RSA1024, RSA2048), and digest algorithms (e.g., SM3, SHA1/SHA256/SHA384), as shown in fig. 11.
In one embodiment, a user side logs in a management webpage of an encryption machine provider, finds a cloud encryption machine product in the management webpage, enters a console page when a trigger instruction for the cloud encryption machine product is received, selects a use area of an encryption machine on the console page, and then enters an encryption machine configuration page when a new instruction is detected, so that a corresponding configuration parameter is selected on the encryption machine configuration page. Or when a trigger instruction for the cloud encryption machine product is received, directly entering an encryption machine configuration page.
The management webpage can be a page corresponding to an official website of the encryption machine provider.
In an embodiment, after the corresponding configuration parameters are selected on the encryption machine configuration page, the method may further include: once the deployment number and the use area are selected, the cloud platform determines the amount to be transferred according to at least one of the number, the region and the type of the virtual encryption machine; when a confirmation button (such as the "buy now" button in fig. 11) is activated on the encryption machine configuration page, that amount of the value resource is transferred from the user account to the designated account.
Here, the value resource refers to the equivalent resource to be paid when the virtual encryption machine is obtained for business service. The value resource can be funds for paying for the virtual encryption machine, such as an electronic red packet, an electronic shopping coupon, electronic currency, and the like.
Specifically, determining the amount to be transferred according to at least one of the number, the type and the area means that the cloud platform determines the amount from the deployment number, the encryption machine type or the use area of the virtual encryption machine taken alone, or from any combination of two or all three of them.
S1004, the encryptor type, the basic parameter, and the network parameter are extracted from the encryptor deployment request.
S1006, selecting a virtual encryption machine from the encryption machine resource pool according to the type of the encryption machine.
In one embodiment, when the deployment number is one, the cloud platform selects the virtual encryption machine from the encryption machine resource pool according to the encryption machine type carried in the encryption machine deployment request.
In one embodiment, when the deployment number is at least two, the cloud platform selects, according to the encryption machine type carried in the encryption machine deployment request, virtual encryption machines virtualized by different hardware encryption machines from the encryption machine resource pool. The virtual encryption machines deployed for the user are thus spread across hardware, so that when one hardware encryption machine fails during operation only the virtual encryption machine formed on that hardware encryption machine is affected; the virtual encryption machines formed on the other hardware encryption machines keep running and the service as a whole is not interrupted.
And S1008, configuring basic parameters and network parameters for the selected virtual encryption machine according to the encryption machine deployment request to obtain the deployed virtual encryption machine.
The encryption machine resource pool is formed by different types of virtual encryption machines. The basic parameters are used for determining the deployment number and the use area of the virtual encryption machine; the network parameter is used for determining a private network adopted when the user side accesses the virtual encryption machine.
In one embodiment, the cloud platform configures the use area, the deployment number and the like for the selected virtual encryption machine according to the basic parameters carried by the encryption machine deployment request. And the cloud platform selects a corresponding type of private network, such as a virtual private network, for the selected virtual encryption machine according to the network parameters carried by the encryption machine deployment request, so as to obtain the deployed virtual encryption machine.
In one embodiment, after S1008, the method may further comprise: the cloud platform reads the index information of the virtual encryption machine; acquiring an encryption machine identifier according to the index information; and determining a first target network address according to the encryption machine identifier, and establishing an association relation between the first target network address and the virtual encryption machine.
Wherein the index information is information for indexing the virtual cryptographic machine. After the virtual encryption machine is deployed (i.e., purchased and configured with the base parameters and the network parameters), the cloud platform also allocates a first target network address for external communication to the virtual encryption machine and configures a route forwarding policy. The encryption machine identification may refer to a unique identifier of the virtual encryption machine on the cloud encryption system.
In one embodiment, before allocating the first target network address, the cloud platform acquires a private network parameter and a subnet parameter corresponding to the private network, and binds the encryption machine identifier with the private network parameter and the subnet parameter, so that it can be determined that the deployed virtual encryption machine is applied to the private network corresponding to the private network parameter and the subnet parameter. Then, the cloud platform allocates a first target network address under the private network corresponding to the private network parameter to the virtual encryption machine.
In one embodiment, the method further comprises: the cloud platform obtains a first port configuration request and, according to it, selects a first public identifier from the candidate identifiers corresponding to the service port of the virtual encryption machine; that is, the service port of the virtual encryption machine is exposed to the user side through the first target network address, and the first public identifier indicates that the user side may access the service port through the first target network address and the service port number. S202 may then specifically include: the cloud platform receives, via the service port of the virtual encryption machine, a service request sent by the user side through the private network. The service request further includes a port number, which is either the service port number or the management port number.
In one embodiment, the method further comprises: the cloud platform obtains a second port configuration request and, according to it, selects a second public identifier from the candidate identifiers corresponding to the management and control port of the virtual encryption machine; the second public identifier indicates that the user side may access the management and control port through the first target network address and the management and control port number. The management and control port receives management and control requests sent by the user side, with which the user side manages and controls the virtual encryption machine. The allocation of the first target network address also belongs to the deployment process of the virtual encryption machine. Configuring the second public identifier for the management and control port means that the cloud platform exposes the management and control port of the virtual encryption machine to the user side through the first target network address.
In one embodiment, after S1008, the method may further comprise: the cloud platform receives a security group configuration request; selecting at least one group of security groups to be configured according to the security group configuration request; a virtual cryptographic machine is added to the secure group. The configuration process of the security group also belongs to the deployment process of the virtual encryption machine.
In one embodiment, the cloud platform adds other virtual crypto machines to the security group that have been deployed with the same network isolation requirements.
In one embodiment, the cloud platform determines a usage area of the virtual encryption machine, and when the virtual encryption machine is deployed at other user terminals, the virtual encryption machine that is deployed at other user terminals in the usage area and has the same network security isolation requirement may be added to the security group.
In one embodiment, before receiving a service request sent by a user side through a private network, a cloud platform receives a policy addition request sent by the user side for adding a route forwarding policy; adding a first route forwarding strategy and a second route forwarding strategy in a routing table according to the strategy adding request; the first routing forwarding strategy is used for forwarding the service request sent to the first target network address to a private network gateway master in the network equipment; and the second routing forwarding strategy is used for forwarding the service request from the private network gateway host to the virtual encryption machine according to the second target network address.
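The deployment steps S1004-S1008, together with the VIP allocation and the two route forwarding policies described in the embodiments just above, as an added example in Python that is not part of the patent. The VPC identifier vpc-kohin2n, the subnet identifier subnet-n0ball4, the types EVSM/GVSM/SVSM and the VIP 192.168.1.1/24 to RSIP 10.1.1.1/24 pair are taken from the description; the pool contents, hardware identifiers, the subnet's address range, the placement rule (different hardware for each of two or more machines, most spare capacity first) and the layout of the route records are constructed assumptions. The example goes slightly beyond the text in that it also refuses a request the pool cannot satisfy without putting two of the user's machines on the same hardware.

```python
"""Deploying virtual encryption machines from the resource pool (S1004-S1008)
with VIP/RSIP pairing and the two route forwarding policies.

Added example, not part of the patent.  The pool, the hardware identifiers,
the subnet's CIDR, the placement rule and the route record layout are
constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, Iterator, List


@dataclass
class PoolEntry:
    vsm_id: str
    vsm_type: str        # EVSM / GVSM / SVSM
    hsm_id: str          # hardware encryption machine that virtualized this VSM
    rsip: str            # second target network address, bound at virtualization
    in_use: bool = False


@dataclass
class DeployedVsm:
    vsm_id: str
    vsm_type: str
    hsm_id: str
    region: str          # use area (basic parameter)
    vpc_id: str          # private network parameter
    subnet_id: str       # subnet parameter
    rsip: str
    vip: str             # first target network address, allocated in the VPC subnet
    routes: List[dict] = field(default_factory=list)


def select_from_pool(pool: List[PoolEntry], vsm_type: str, count: int) -> List[PoolEntry]:
    """S1006: pick `count` free VSMs of the requested type.  For count >= 2
    every pick comes from a different hardware encryption machine, so one
    hardware fault can take down at most one of the user's VSMs."""
    if count < 1:
        raise ValueError("deployment number must be at least 1")
    by_hsm: Dict[str, List[PoolEntry]] = defaultdict(list)
    for entry in pool:
        if entry.vsm_type == vsm_type and not entry.in_use:
            by_hsm[entry.hsm_id].append(entry)
    if len(by_hsm) < count:
        raise RuntimeError(f"free {vsm_type} on only {len(by_hsm)} hardware "
                           f"machine(s), {count} distinct machines needed")
    # Hardware with the most spare VSMs first (ties by id) keeps the cluster balanced.
    ranked = sorted(by_hsm, key=lambda h: (-len(by_hsm[h]), h))
    return [by_hsm[h][0] for h in ranked[:count]]


def vip_allocator(subnet_cidr: str) -> Iterator[str]:
    """Hands out VIPs from the user's VPC subnet in address order; with
    192.168.1.0/24 (assumed) the first VIP is the 192.168.1.1 of fig. 7."""
    for host in ip_network(subnet_cidr).hosts():
        yield str(host)


def deploy(pool: List[PoolEntry], request: dict, vips: Iterator[str]) -> List[DeployedVsm]:
    """S1004-S1008 plus VIP allocation: extract the parameters, select from the
    pool, configure basic and network parameters, allocate the VIP and record
    the first (VIP -> gateway master) and second (RSIP via underlay) routes."""
    chosen = select_from_pool(pool, request["type"], request["count"])
    deployed = []
    for entry in chosen:
        entry.in_use = True
        vip = next(vips)
        deployed.append(DeployedVsm(
            vsm_id=entry.vsm_id, vsm_type=entry.vsm_type, hsm_id=entry.hsm_id,
            region=request["region"], vpc_id=request["vpc"], subnet_id=request["subnet"],
            rsip=entry.rsip, vip=vip,
            routes=[
                # first route forwarding policy: traffic for the VIP goes to the gateway master
                {"policy": "first", "dst": vip, "next_hop": "vpc-gw-master"},
                # second route forwarding policy: rewrite VIP -> RSIP, forward via the underlay
                {"policy": "second", "dst": vip, "rewrite_dst": entry.rsip, "next_hop": "underlay-gw"},
            ]))
    return deployed


def demo_pool() -> List[PoolEntry]:
    """Constructed resource pool: three hardware machines, mixed VSM types."""
    return [
        PoolEntry("vsm-01", "EVSM", "hsm-A", "10.1.1.1"),
        PoolEntry("vsm-02", "EVSM", "hsm-A", "10.1.1.2"),
        PoolEntry("vsm-03", "EVSM", "hsm-B", "10.1.2.1"),
        PoolEntry("vsm-04", "GVSM", "hsm-B", "10.1.2.2"),
        PoolEntry("vsm-05", "SVSM", "hsm-C", "10.1.3.1"),
    ]


DEMO_REQUEST = {"type": "EVSM", "count": 2, "region": "X city",
                "vpc": "vpc-kohin2n", "subnet": "subnet-n0ball4"}

if __name__ == "__main__":
    for v in deploy(demo_pool(), DEMO_REQUEST, vip_allocator("192.168.1.0/24")):
        print(v.vsm_id, v.hsm_id, v.vip, "->", v.rsip)
```

Two deployed EVSMs land on hsm-A and hsm-B rather than both on hsm-A even though hsm-A has two spares; asking for three EVSMs fails outright, because the pool only has free EVSMs on two hardware machines and silently co-locating two of them would defeat the spread the description relies on.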
In order to more clearly understand the deployment of the encryption machine (including the basic parameters, network parameters, target network address and security group configuring the virtual encryption machine), the EVSM is taken as an example for illustration, as shown in fig. 10b, the specific contents are as follows:
S1012, the user logs in to the official website of the encryption machine provider and searches for the encryption machine product.
After logging in to the official website of the encryption machine provider, the user finds the encryption machine product on the corresponding page, clicks or touches it to enter the console page, selects the use area (i.e., available region) of the encryption machine on the console page, and then enters the encryption machine configuration page when a create-new command is detected. As shown in fig. 11, the use area selected on the console page is carried over and displayed on the encryption machine configuration page; the use area can also be reselected there.
And S1014, the user terminal selects the virtual encryption machine with the corresponding type according to the actual service requirement.
The different types of virtual encryption machine include: a financial data encryption machine (EVSM), a general-purpose server encryption machine (GVSM), and a signature verification server (SVSM).
As shown in fig. 11, in the encryption device configuration page, the user may select the type of the encryption device according to the actual service requirement, where the selected type of the encryption device is the financial data encryption device EVSM; in addition, the user can also select a private cloud network, the private network parameter of the private cloud network is vpc-kohin2n | test _ chsm _ vpc, and the subnet parameter of the corresponding subnet is subnet-n0ball4| test _ chsm _ subnet. The private cloud network is a dedicated on-cloud network space, provides network service for on-cloud resources (such as virtual encryption machines), and is completely logically isolated among different private cloud networks.
In the encryption machine configuration page, a user may select the deployment number of the virtual encryption machines, and after determining the deployment number, the cost may be determined according to the deployment number, or the cost may be determined according to the deployment number and any one of the available region, the encryption machine type, and the usage duration.
And S1016, initializing the virtual encryption machine by the cloud platform.
The user may apply for an IP address (i.e., the first destination network address described above) for the virtual crypto machine in the VPC network, which may be referred to as a VIP address, which may be exposed to the user. The virtual encryption device may be associated with an intranet IP address (also referred to as an RSIP address, i.e., the second destination network address) at the time of initialization. The user may then add a VPC route forwarding policy, add an underlying (UnderLay) route forwarding policy, and issue a security group for the virtual crypto machine. The security group is a network security isolation means and is also an effective means for completely isolating cloud resources among users, and an access rule is set in the security group, namely, which data can enter and exit the virtual encryption machine and which source address data can enter and exit the virtual encryption machine, so that data which is considered invalid or irrelevant by a business side is filtered, and the access security of the virtual encryption machine is ensured.
S1018: the cloud platform provides business services to the user through the virtual encryption machine.
For the user, accessing the VIP is accessing the virtual encryption machine, while the real virtual encryption machine communicates with the VIP address through the internal RSIP address bound at initialization. As shown in fig. 7, the user accesses the virtual encryption machine through the externally exposed VIP address; when the VPC gateway in the cloud platform receives the user's service request, it sends the request to the RSIP address of the virtual encryption machine through the configured VPC-side route forwarding policy (i.e. the first route forwarding policy) and the UnderLay route forwarding policy (i.e. the second route forwarding policy), so that the service is provided by the virtual encryption machine.
In the embodiment, when the virtual encryption machine needs to be deployed, the corresponding virtual encryption machine can be obtained according to the preset service through the encryption machine configuration page, any hardware evaluation is not needed, and the operation is simple. In addition, basic parameters and network parameters of the virtual encryption machine are selected through the encryption machine configuration page, parameter configuration is carried out through the cloud platform, then a security group is set for the virtual encryption machine after the parameters are configured, the whole deployment process of the virtual encryption machine can be completed, the virtual encryption machine can be used without any debugging, and the deployment efficiency of the encryption machine is effectively improved. The security group is set for the virtual encryption machine, so that the security of service data can be ensured, meanwhile, the flooding of irrelevant or invalid broadcast/multicast data packets can be avoided, and the network throughput capacity of the virtual encryption machine is ensured.
As an example, the above scheme for deploying encryptors is set forth from a system architecture and a tenant side, an operator side and a service platform under the system architecture. The system architecture is as shown in fig. 12, and the system architecture includes a tenant end, an operator end, and a cloud platform, and the cloud platform includes a service flow end and a hardware encryption machine. The service flow end comprises a cloud server (CVM), network equipment under a VPC network and a virtual encryption machine virtualized by a hardware encryption machine.
The architecture of the user side (namely the tenant side) can flexibly support multi-region and multi-machine type user interaction experience, and a user can easily check and manage a large number of virtual encryption machines; in addition, the virtual encryption machine can also be accessed to obtain corresponding business services. The architecture of the tenant is shown in fig. 13. The architecture of the tenant end comprises a tenant end console, a cloud application interface, tenant end console background service, a VPC module, a DFW module, an HSM module, a DB (database) module, a charging module and a purchasing module.
In addition, the tenant end provides the capability of quickly deploying the user-side encryption machine: after the user clicks to create the resource, the tenant end can quickly put the user's virtual encryption machine in place. The deployment process is shown in fig. 14, and its steps are as follows:
(1) Determining the deployment cost according to the deployment quantity and the usage duration
Price inquiry confirmation is the price confirmation step performed after the user selects the type, the deployment quantity and the use area of the encryption machines to be purchased. It is a preliminary step before a virtual encryption machine is allocated to the user, and the user must actively click to confirm on the encryption machine configuration page (such as the page shown in fig. 11). The virtual encryption machines in the cloud platform are simple to deploy, and the cost of each virtual encryption machine is lower than that of a traditional hardware encryption machine, which saves operation and maintenance costs.
(2) Checking whether the number of encryptors in the pool of encryptor resources is sufficient
Using encryption machine virtualization technology, the cloud platform can virtualize various types of virtual encryption machines in one go to form an encryption machine resource pool. When a user needs to deploy, the cloud platform checks whether the number of encryption machines in the resource pool is greater than or equal to the deployment quantity; if so, the virtual encryption machines are allocated directly and quickly from the pool without waiting. The resource pool can be expanded conveniently and flexibly, and compared with the purchase and initialization of hardware encryption machines, whose time cost is measured in days, the cloud platform can allocate resources in seconds, which is convenient and efficient.
Meanwhile, when virtual encryption machines are deployed, the cloud platform automatically allocates them to the user according to how each virtual encryption machine in the resource pool is distributed, so that when a user purchases several virtual encryption machines they are distributed in a discretized manner (i.e., virtual encryption machines virtualized from different hardware encryption machines). In this way, when one of the user's virtual encryption machines goes down, the user's other virtual encryption machines can still provide business services as far as possible.
When the encryption machine resource pool is initialized each time, the cloud platform can automatically allocate intranet IP addresses bound with the virtual encryption machines one by one, and the IP addresses are used as communication addresses of the virtual encryption machines to external services.
Each virtual encryption machine is provided with a unique service port and a unique control port. The service port and the control port are exposed only through the intranet IP address, and no other irrelevant ports are exposed at all, which fundamentally ensures the security of the encryption machine as far as possible and prevents its performance from being degraded by intrusion or by message flooding caused by too many invalid messages.
(3) Changing the state of a virtual crypto machine in a database
The cloud platform changes the allocated virtual encryption machine to a sold state (i.e., an allocated state). Index records are kept for sold virtual encryption machines, so that the sold, unsettled, returned and failed states can be reconciled conveniently in the cloud platform, and the virtual encryption machines allocated to each purchase request order can be screened quickly.
(4) Reading index information of virtual encryption machine in sold state
The index information of the virtual encryption machines currently in the sold state is retrieved, the unique identifier of each virtual encryption machine on the cloud platform is obtained, and the application for the VIP address is prepared.
(5) Applying for VIP addresses for virtual encryption machines in VPC networks
In view of the particularity (sensitivity and confidentiality) of the virtual encryption machine, the cloud platform acquires a VIP address (namely, the first target network address) in the VPC network, establishes an association relationship between the VIP address and the virtual encryption machine, applies for the VIP address through the VPC network, and exposes the VIP address to the user. For the user, accessing the VIP address means accessing the virtual encryption machine, and the real virtual encryption machine communicates with the VIP address through an intranet IP address (abbreviated as RSIP, i.e., the second target network address). In addition, a user can set a safer virtual encryption machine management strategy which is more suitable for a service scene through the flexible combination of the VPC network and the DFW.
(6) Adding a VPC side route forwarding strategy (namely a first route forwarding strategy) for a virtual encryption machine
A first route forwarding policy is generated and added for the virtual encryption machine, from the VIP address to the VPC gateway (VPC-GW) master, and a routing policy from the VIP address to the underlay network is opened. This step configures the VIP address and the ports through which it may reach the underlay, so that only the underlay network layer forwards the necessary service traffic; it provides the basis for the VPC network to access the underlay network and, at the same time, effectively avoids flooding of irrelevant or invalid broadcast/multicast messages in the VPC network, ensuring the throughput performance of the VPC network.
(7) Adding an underlying route forwarding policy (i.e., a second route forwarding policy) to the virtual encryption machine
A second route forwarding policy is generated, which implements communication between the VIP address and the RSIP address built into the VSM (the virtual encryption machine), so that the VIP address and the ports of the virtual encryption machine can be accessed only in a refined and restricted manner. This prevents the virtual encryption machine from receiving invalid broadcast/multicast messages and further ensures the throughput performance of the VPC network.
(8) Selecting and issuing security groups
After the virtual encryption machine is distributed and the VPC network is opened, a security group can be selected and issued according to the service characteristics to filter more invalid or irrelevant network messages, so that the throughput performance of the virtual encryption machine on the service capability is further improved, and the access security of the virtual encryption machine is ensured. After the security group is issued, the security group controls the VSM traffic under the VPC network by using its inbound and outbound rules, which can be referred to in fig. 6.
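The deployment steps (2) to (7) above, as an added worked model that is not code from the patent or from the cloud platform it describes: a resource pool of VSMs with RSIPs bound at initialization, allocation that spreads a tenant's machines across distinct hardware encryption machines, the sold-state change and index lookup, VIP binding, and the two route forwarding policies that expose only the service and control ports. The identifiers, addresses and port numbers are constructed placeholders.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional, Tuple

# All identifiers, addresses and port numbers below are constructed for
# illustration; the real platform's naming and numbering are not on the page.


@dataclass
class VirtualHsm:
    vsm_id: str               # unique identifier on the cloud platform (read via the index, step 4)
    hsm_type: str             # EVSM / GVSM / SVSM
    hardware_id: str          # hardware encryption machine it was virtualised from
    rsip: str                 # intranet IP bound at pool initialisation (second target address)
    state: str = "unsold"     # unsold / sold / returned / failed
    vip: Optional[str] = None  # first target address, exposed to the tenant (step 5)
    service_port: int = 8018   # constructed; only these two ports are ever routed
    control_port: int = 8019


class DeploymentError(Exception):
    pass


def init_pool(hardware: Dict[str, List[str]]) -> List[VirtualHsm]:
    """Virtualise each hardware machine into VSMs and bind an RSIP to every one."""
    pool, host = [], count(10)
    for hw_id, types in hardware.items():
        for i, hsm_type in enumerate(types):
            pool.append(VirtualHsm(f"{hw_id}-vsm{i}", hsm_type, hw_id,
                                   f"10.0.0.{next(host)}"))
    return pool


def allocate(pool: List[VirtualHsm], hsm_type: str, quantity: int) -> List[VirtualHsm]:
    """Steps 2 and 3: check that enough unsold VSMs of the type exist, pick them
    spread over distinct hardware machines (discretised distribution), mark sold."""
    free = [v for v in pool if v.state == "unsold" and v.hsm_type == hsm_type]
    if len(free) < quantity:
        raise DeploymentError(f"{len(free)} {hsm_type} in pool, {quantity} requested")
    chosen: List[VirtualHsm] = []
    used_hw = set()
    # First pass takes at most one VSM per hardware machine; the second pass
    # only fills in when the tenant ordered more VSMs than there are machines.
    for one_per_hardware in (True, False):
        for v in free:
            if len(chosen) == quantity:
                break
            if v in chosen or (one_per_hardware and v.hardware_id in used_hw):
                continue
            chosen.append(v)
            used_hw.add(v.hardware_id)
    for v in chosen:
        v.state = "sold"          # the database state change of step 3
    return chosen


def apply_vips(pool: List[VirtualHsm], vpc_vips: List[str]) -> Dict[str, VirtualHsm]:
    """Steps 4 and 5: index the sold VSMs that still lack a VIP, take their
    identifiers and bind one VIP obtained from the VPC to each."""
    index = {v.vsm_id: v for v in pool if v.state == "sold" and v.vip is None}
    for vsm_id, vip in zip(sorted(index), vpc_vips):
        index[vsm_id].vip = vip
    return index


def build_routes(vsms: List[VirtualHsm], vpc_gw: str = "vpc-gw-master"
                 ) -> Tuple[Dict[str, str], Dict[Tuple[str, int], Tuple[str, int]]]:
    """Steps 6 and 7: the first policy sends every VIP to the VPC gateway master;
    the second maps VIP:port to RSIP:port on the underlay, only for the service
    and control ports, so no other port of the VSM is reachable from the VPC."""
    vpc_routes: Dict[str, str] = {}
    underlay_routes: Dict[Tuple[str, int], Tuple[str, int]] = {}
    for v in vsms:
        if v.vip is None:
            raise DeploymentError(f"{v.vsm_id} has no VIP yet")
        vpc_routes[v.vip] = vpc_gw
        for port in (v.service_port, v.control_port):
            underlay_routes[(v.vip, port)] = (v.rsip, port)
    return vpc_routes, underlay_routes
```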
The architecture of the operator adopts a global architecture design mode, as shown in fig. 15, the architecture of the operator includes an operator Console, a Cloud application interface, an operator tool Service (Cloud HSM-Tools-Service), an operator Console background Service (Cloud HSM-Console-Server), a Cloud HSM-Monitor client, a VPC module, a DFW module, an HSM module, and a DB module. The operator tool service is the core of the architecture of the operator.
In the architecture of the operation end, an operation end console based on Web page interaction can be provided for the outside, so that operation and maintenance personnel can conveniently check and manage resources. In addition, under the extreme abnormal condition, if the virtual encryption machine of the user fails, the virtual encryption machine of the user is migrated, and the service of the user is ensured to be recovered at the fastest speed with the minimum cost.
Meanwhile, the Cloud HSM-Monitor client in the operation end architecture can accurately Monitor the operation state of each module of the current encryption machine system in real time, acquire the operation information of the virtual encryption machine and send an alarm in time when an abnormality occurs.
For the architecture of the traffic flow, as shown in fig. 16, the architecture includes CVM, VPC network, EVSM, GVSM, and SVSM. The virtual encryption machine is accessed through the CVM under the uniform VPC network, and the processes of purchasing the virtual encryption machine by a tenant terminal and the like are completely decoupled, so that the service flow is separated from the control flow, and the leakage risk of sensitive data is further avoided. In addition, the cloud CVM may be remotely connected in the manner of fig. 17, and the encryptor system may be logged in through the login page of fig. 18.
Through the scheme of this embodiment, the user can rapidly deploy virtual encryption machines according to the service requirement, flexibly increase and reduce the deployment quantity, easily cope with peak service pressure, and save resources and cost; the user can achieve reliable and efficient data encryption and key management based on the VPC (virtual private cloud) security network, with seamless connection to cloud resources. Furthermore, compared with a traditional hardware encryption machine deployment scheme, the following advantages can be provided, as shown in table 1:
TABLE 1 (the table is provided as an image in the original and its contents are not reproduced here)
It should be understood that although the steps in the flowcharts of fig. 2 and 8-10 are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and described, and may be performed in other orders. Moreover, at least some of the steps in fig. 2 and 8-10 may include multiple sub-steps or multiple stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed in sequence but may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
In an embodiment, as shown in fig. 19, a virtual cryptographic machine management system is provided, where the system is a cloud platform, and specifically includes: a server 1902, a network device 1904, and a hardware encryptor 1906, wherein:
a server 1902, configured to, when receiving an encryption machine deployment request, select a virtual encryption machine from an encryption machine resource pool, obtain a first target network address for external communication in a private network according to the encryption machine identifier of the virtual encryption machine, and establish an association relationship between the first target network address and the virtual encryption machine; when the hardware encryption machine 1906 virtualizes the virtual encryption machine, obtain a second target network address for internal communication in the private network according to the encryption machine identifier, and establish an association relationship between the second target network address and the virtual encryption machine; and configure a security group according to the network isolation requirement of the virtual encryption machine;
a network device 1904, configured to receive a service request sent by a user through a private network; the service request carries a first target network address; determining a security group corresponding to the virtual encryption machine; the security group is configured according to the network isolation requirement of the virtual encryption machine when the virtual encryption machine is deployed; filtering the service request through a security group; acquiring a second target network address according to the first target network address, and forwarding the filtered service request according to the second target network address so as to send the filtered service request to the virtual encryption machine;
the hardware encryption machine 1906 is used for virtualizing at least two virtual encryption machines.
In one embodiment, the network device 1904 is further configured to filter out, through the security group, service requests that do not conform to the preset service type; or to filter out, through the security group, service requests whose source address does not belong to the use area set at deployment; or to filter out, through the security group, service requests that carry a risk.
In the above embodiment, the virtual encryption machine is deployed, and the first target network address for external communication and the second target network address for internal communication are allocated to the virtual encryption machine in the private network, so that the user side sends the service request by using the first target network address, and forwards the service request to the virtual encryption machine through the second target network address, thereby preventing the user side from directly accessing the encryption machine, and ensuring the security of the virtual encryption machine. In addition, before the service requests are sent to the virtual encryption machine, the service requests are filtered by utilizing the safety group, so that the invasion of malicious requests can be avoided, the flooding of irrelevant or invalid requests can be avoided, the network throughput capacity of the virtual encryption machine is ensured, and the performance of the virtual encryption machine is favorably improved.
In one embodiment, the server 1902 is further configured to receive an encryptor deployment request; the deployment request of the encryption machine carries basic parameters and network parameters; selecting a virtual encryption machine from an encryption machine resource pool according to an encryption machine deployment request, and configuring basic parameters and network parameters for the selected virtual encryption machine to obtain a deployed virtual encryption machine; the encryption machine resource pool is formed by different types of virtual encryption machines; the basic parameters are used for determining the deployment number and the use area of the virtual encryption machine; the network parameters are used for determining a private network adopted when the user side accesses the virtual encryption machine.
In one embodiment, the hardware encryption machine 1906 is configured to run the virtual encryption machine;
a server 1902, configured to obtain operation information generated when the virtual cryptographic machine operates, and send a migration instruction to the private network gateway when it is determined that the virtual cryptographic machine is abnormal according to the operation information;
the network device 1904 is further configured to migrate the communication connection between the private network and the virtual encryption machine to the target virtual encryption machine without exception according to the migration instruction.
In an embodiment, the network device 1904 is further configured to select, if at least two deployed virtual encryption machines are provided and it is determined that a virtual encryption machine in a use state in the deployed virtual encryption machines is abnormal according to the running information, a target virtual encryption machine that is not abnormal in the deployed virtual encryption machines; migrating the communication connection between the virtual encryption machine and the target virtual encryption machine to establish communication connection with the target virtual encryption machine; the communication connection is a connection established based on a private network.
In an embodiment, the network device 1904 is further configured to, if at least one deployed virtual encryption machine is provided and it is determined according to the running information that the virtual encryption machine is abnormal, select a target virtual encryption machine that is not abnormal from the encryption machine resource pool, and migrate the communication connection of the virtual encryption machine to the target virtual encryption machine so as to establish a communication connection with the target virtual encryption machine.
In the embodiment, when the virtual encryption machine in the use state is abnormal, the virtual encryption machine can be timely migrated to be in communication connection with the target virtual encryption machine which is not abnormal, so that the business service of the user can be recovered fastest at the minimum cost. In addition, when an abnormality occurs, a prompt can be given in real time so that the abnormality can be checked in time.
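The request path of the network device (security group filtering by service type, source use area and risk, then VIP to RSIP forwarding) and the migration embodiment above, as an added model that is not code from the patent or the platform it describes: a small gateway class that keeps the VIP to RSIP table, applies the security group's inbound rules before forwarding, and rebinds the VIP to a non-abnormal target taken from the tenant's other deployed machines when two or more are deployed, otherwise from the resource pool. Addresses, region names, service-type names and the `healthy` probe are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Addresses, regions and service-type names are constructed for illustration.


@dataclass
class SecurityGroup:
    """Inbound rules of the security group attached to one virtual encryption machine."""
    allowed_service_types: Set[str]              # preset service types for this VSM
    allowed_regions: Set[str]                    # use area chosen at deployment
    risky_sources: Set[str] = field(default_factory=set)  # sources already flagged as risky

    def filter(self, request: Dict[str, str]) -> Optional[str]:
        """Return the drop reason, or None if the request passes every rule."""
        if request["service_type"] not in self.allowed_service_types:
            return "service type not in the preset set"
        if request["source_region"] not in self.allowed_regions:
            return "source outside the use area set at deployment"
        if request["source_ip"] in self.risky_sources:
            return "source flagged as risky"
        return None


class NetworkDevice:
    """Models the VPC gateway: VIP -> security group lookup, filtering, then
    VIP -> RSIP forwarding, so the tenant never reaches the RSIP directly."""

    def __init__(self) -> None:
        self.vip_to_rsip: Dict[str, str] = {}            # second route forwarding policy
        self.vip_to_sg: Dict[str, SecurityGroup] = {}
        self.delivered: List[Tuple[str, str]] = []       # (rsip, service_type) handed to VSMs

    def bind(self, vip: str, rsip: str, sg: SecurityGroup) -> None:
        self.vip_to_rsip[vip] = rsip
        self.vip_to_sg[vip] = sg

    def handle(self, request: Dict[str, str]) -> Tuple[str, str]:
        """Claim 1 path: find the VSM behind the first target address, apply its
        security group, and forward survivors to the second target address."""
        vip = request["dst"]
        if vip not in self.vip_to_rsip:
            return ("dropped", "no virtual encryption machine behind this address")
        reason = self.vip_to_sg[vip].filter(request)
        if reason is not None:
            return ("dropped", reason)
        rsip = self.vip_to_rsip[vip]
        self.delivered.append((rsip, request["service_type"]))
        return ("forwarded", rsip)

    def migrate(self, vip: str, deployed: List[str],
                healthy: Callable[[str], bool], pool: List[str]) -> str:
        """Migration embodiment: on an abnormal VSM, rebind the VIP to a healthy
        deployed VSM of the same tenant when two or more are deployed, otherwise
        to a healthy VSM taken from the resource pool. The security group stays."""
        abnormal = self.vip_to_rsip[vip]
        if len(deployed) >= 2:
            candidates = [r for r in deployed if r != abnormal and healthy(r)]
        else:
            candidates = [r for r in pool if healthy(r)]
        if not candidates:
            raise RuntimeError("no non-abnormal target virtual encryption machine")
        self.vip_to_rsip[vip] = candidates[0]
        return candidates[0]
```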
In one embodiment, the server 1902 is further configured to read index information of the virtual cryptographic machine; acquiring an encryption machine identifier according to the index information; and determining a first target network address according to the encryption machine identifier, and establishing an association relation between the first target network address and the virtual encryption machine.
In one embodiment, the server 1902 is further configured to obtain a first port configuration request; selecting a first public identifier from candidate identifiers corresponding to a service port of the virtual encryption machine according to the first port configuration request, wherein the first public identifier is used for representing that a user side accesses the service port through a first target network address and a service port number;
the network device 1904 is further configured to receive a service request sent by the user end through the private network based on the service port of the virtual encryption machine.
In one embodiment, the server 1902 is further configured to obtain a second port configuration request; selecting a second public identifier according to a second port configuration request from candidate identifiers corresponding to a control port of the virtual encryption machine; the second public identification is used for indicating that the user side accesses the control port through the first target network address and the control port number; the management and control port is used for receiving a management and control request sent by a user side, and the management and control request is used for the user side to manage and control the virtual encryption machine.
In one embodiment, the server 1902 is further configured to receive a security group configuration request; selecting at least one security group to be configured according to the security group configuration request; and establishing an association relation between the virtual encryption machine and the security group.
In one embodiment, the network device 1904 is further configured to receive a policy addition request sent by the user end for adding a route forwarding policy; adding a first route forwarding strategy and a second route forwarding strategy in a routing table according to the strategy adding request; the first routing forwarding strategy is used for forwarding the service request sent to the first target network address to the private network gateway master; and the second routing forwarding strategy is used for forwarding the service request from the private network gateway host to the virtual encryption machine according to the second target network address.
For specific limitations of the virtual encryption machine management apparatus, reference may be made to the limitations of the virtual encryption machine management method above, which are not repeated here. The modules in the above apparatus for deploying an encryption machine may be implemented in whole or in part by software, hardware, or a combination thereof. The modules may be embedded in hardware form in, or independent of, the processor of the computer device, or may be stored in software form in the memory of the computer device, so that the processor can call and execute the operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a cloud platform or a dedicated network gateway or other device in the cloud platform, and its internal structure diagram may be as shown in fig. 20. The computer device includes a processor, a memory, and a communication interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The computer program is executed by a processor to implement a virtual cryptographic engine management method.
Those skilled in the art will appreciate that the architecture shown in fig. 20 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is further provided, which includes a memory and a processor, the memory stores a computer program, and the processor implements the steps of the above method embodiments when executing the computer program.
In an embodiment, a computer-readable storage medium is provided, in which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
In one embodiment, a computer program product or computer program is provided that includes computer instructions stored in a computer-readable storage medium. The computer instructions are read by a processor of a computer device from a computer-readable storage medium, and the computer instructions are executed by the processor to cause the computer device to perform the steps in the above-mentioned method embodiments.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical storage, or the like. Volatile Memory can include Random Access Memory (RAM) or external cache Memory. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (15)

1. A virtual cryptographic machine management method, the method comprising:
receiving a service request sent by a user side through a private network; the service request carries a first target network address, wherein the first target network address is a network address which is distributed when a virtual encryption machine is deployed and is used for the virtual encryption machine to communicate with the outside under the private network;
acquiring a security group corresponding to the virtual encryption machine according to the first target network address; the security group is configured according to network isolation requirements of the virtual encryption machine when the virtual encryption machine is deployed;
filtering the service request through the security group;
acquiring a second target network address according to the first target network address, and forwarding the filtered service request according to the second target network address so as to send the filtered service request to the virtual encryption machine; the second target network address is a network address under the private network, allocated when the hardware encryption machine virtualizes the virtual encryption machine, and used for internal communication of the virtual encryption machine.
2. The method of claim 1, further comprising:
receiving an encryption machine deployment request; the encryption machine deployment request carries basic parameters and network parameters;
selecting a virtual encryption machine from an encryption machine resource pool according to the encryption machine deployment request, and configuring the basic parameters and the network parameters for the selected virtual encryption machine to obtain a deployed virtual encryption machine;
the encryption machine resource pool is formed by different types of virtual encryption machines; the basic parameters are used for determining the deployment number and the use area of the virtual encryption machine; the network parameter is used for determining a private network adopted when the user side accesses the virtual encryption machine.
3. The method of claim 1, further comprising:
acquiring the running information of the virtual encryption machine;
and if the virtual encryption machine is determined to be abnormal according to the operation information, migrating the communication connection between the private network and the virtual encryption machine to a target virtual encryption machine which is not abnormal.
4. The method according to claim 3, wherein if it is determined that the virtual cryptographic machine is abnormal according to the operation information, migrating the communication connection between the private network and the virtual cryptographic machine to a target virtual cryptographic machine that is not abnormal, comprises:
if at least two deployed virtual encryption machines are provided and the virtual encryption machine in the use state among the deployed virtual encryption machines is determined to be abnormal according to the running information, selecting a target virtual encryption machine which is not abnormal from the deployed virtual encryption machines;
migrating the communication connection between the target virtual encryption machine and the virtual encryption machine to establish communication connection with the target virtual encryption machine; the communication connection is a connection established based on the private network.
5. The method according to claim 3, wherein, if it is determined that the virtual encryption machine is abnormal according to the running information, migrating the communication connection between the private network and the virtual encryption machine to a target virtual encryption machine that is not abnormal comprises:
if at least one deployed virtual encryption machine is provided and the virtual encryption machine is determined to be abnormal according to the running information, then
selecting a target virtual encryption machine that is not abnormal from the encryption machine resource pool;
and migrating the communication connection between the private network and the virtual encryption machine to the target virtual encryption machine so as to establish a communication connection with the target virtual encryption machine.
6. The method of claim 2, wherein after configuring the basic parameters and the network parameters for the selected virtual encryption machine, the method further comprises:
reading index information of the virtual encryption machine;
acquiring an encryption machine identifier according to the index information;
and determining a first target network address according to the encryption machine identifier, and establishing an association relation between the first target network address and the virtual encryption machine.
7. The method of claim 6, wherein after establishing the association relation between the first target network address and the virtual encryption machine, the method further comprises:
acquiring a first port configuration request;
selecting a first public identifier from candidate identifiers corresponding to the service port of the virtual encryption machine according to the first port configuration request, wherein the first public identifier is used for indicating that the user side accesses the service port through the first target network address and the service port number;
the receiving of the service request sent by the user end through the private network includes:
and receiving a service request sent by the user side through a private network based on the service port of the virtual encryption machine.
8. The method of claim 7, wherein after establishing the association relation between the first target network address and the virtual encryption machine, the method further comprises:
acquiring a second port configuration request;
selecting a second public identifier according to the second port configuration request from candidate identifiers corresponding to the control port of the virtual encryption machine;
the second public identifier is used for indicating that the user side accesses the control port through the first target network address and a control port number; the control port is used for receiving a control request sent by the user side, and the control request is used by the user side to manage and control the virtual encryption machine.
9. The method of claim 2, wherein after configuring the basic parameters and the network parameters for the selected virtual encryption machine, the method further comprises:
receiving a security group configuration request;
selecting at least one security group to be configured according to the security group configuration request;
and establishing an association relation between the virtual encryption machine and the security group.
10. The method of claim 1, wherein before receiving the service request sent by the user side through the private network, the method further comprises:
receiving a policy adding request sent by the user side for adding a route forwarding policy;
adding a first route forwarding policy and a second route forwarding policy to a routing table according to the policy adding request;
the first route forwarding policy is used for forwarding the service request sent to the first target network address to a private network gateway host; and the second route forwarding policy is used for forwarding the service request from the private network gateway host to the virtual encryption machine according to the second target network address.
11. The method of claim 1, wherein filtering the service request through the selected security group comprises:
filtering out, through the security group, service requests that do not conform to a preset service type; or
filtering out, through the security group, service requests whose source address does not belong to the use area set during deployment; or
filtering the service request through the security group so as to filter out service requests that carry a risk.
12. A virtual crypto-engine management system, the system comprising:
the server is used for selecting a virtual encryption machine from an encryption machine resource pool when an encryption machine deployment request is received, acquiring a first target network address for external communication under a private network according to an encryption machine identifier of the virtual encryption machine, and establishing an association relation between the first target network address and the virtual encryption machine; when the hardware encryption machine virtualizes the virtual encryption machine, acquiring a second target network address for internal communication in the private network according to the encryption machine identifier, and establishing an association relationship between the second target network address and the virtual encryption machine; configuring a security group according to the network isolation requirement of the virtual encryption machine;
the network device is used for receiving a service request sent by a user side through a private network; the service request carries a first target network address; determining a security group corresponding to the virtual encryption machine; the security group is configured according to the network isolation requirement of the virtual encryption machine when the virtual encryption machine is deployed; filtering the service request through the security group; and acquiring a second target network address according to the first target network address, and forwarding the filtered service request according to the second target network address so as to send the filtered service request to the virtual encryption machine.
13. The system of claim 12, wherein the hardware encryption machine is configured to run the virtual encryption machine;
the server is used for acquiring running information generated when the virtual encryption machine runs, and sending a migration instruction to the private network gateway when the virtual encryption machine is determined to be abnormal according to the running information;
and the network device is used for migrating the communication connection between the private network and the virtual encryption machine to a target virtual encryption machine that is not abnormal according to the migration instruction.
14. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor realizes the steps of the method of any one of claims 1 to 11 when executing the computer program.
15. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 11.
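The gateway behaviour the claims describe, as an added example that is not the patent's or the applicant's own code: the first-to-second target address association (claims 1 and 6), the three security-group filters of claim 11, and migration of the private-network connection to a healthy virtual encryption machine (claims 3 to 5). Every address, CIDR, identifier and request field below is a constructed sample value, and the "risky flag" marker is an assumption standing in for whatever risk check the security group performs.

```python
from dataclasses import dataclass
import ipaddress

@dataclass
class VirtualHSM:
    hsm_id: str
    external_addr: str   # first target network address (external communication in the private network)
    internal_addr: str   # second target network address (internal, allocated at virtualization)
    healthy: bool = True

@dataclass
class SecurityGroup:
    """Network-isolation rules configured at deployment (claims 9 and 11); constructed fields."""
    allowed_types: set       # permitted service types
    allowed_sources: list    # CIDRs of the use area set during deployment
    risky_flags: set         # assumed marker for a 'service request with risk'

class Gateway:
    """Private network gateway host: association table, filtering, forwarding, migration."""
    def __init__(self):
        self.routes = {}   # first target address -> VirtualHSM (association relation, claim 6)
        self.groups = {}   # hsm_id -> SecurityGroup (association relation, claim 9)

    def deploy(self, hsm, group):
        self.routes[hsm.external_addr] = hsm
        self.groups[hsm.hsm_id] = group

    def apply_security_group(self, group, req):
        """Return the claim 11 drop reason, or None if the request passes the security group."""
        if req["type"] not in group.allowed_types:
            return "type"
        src = ipaddress.ip_address(req["src"])
        if not any(src in ipaddress.ip_network(c) for c in group.allowed_sources):
            return "region"
        if req.get("flags", set()) & group.risky_flags:
            return "risk"
        return None

    def forward(self, req):
        """Claim 1: resolve the VHSM by first address, filter, then forward to the second address."""
        hsm = self.routes.get(req["dst"])
        if hsm is None:
            return ("drop", "no-route")
        reason = self.apply_security_group(self.groups[hsm.hsm_id], req)
        return ("drop", reason) if reason else ("forward", hsm.internal_addr)

    def migrate(self, bad_id, candidates):
        """Claims 3 to 5: re-point the abnormal VHSM's first address at a healthy candidate."""
        target = next((h for h in candidates if h.healthy and h.hsm_id != bad_id), None)
        if target is None:
            return None
        for addr, hsm in list(self.routes.items()):
            if hsm.hsm_id == bad_id:
                self.routes[addr] = target
                self.groups.setdefault(target.hsm_id, self.groups[bad_id])
        return target.hsm_id
```

The user side keeps addressing the same first target network address after migration; only the gateway's mapping to the second (internal) address changes, which is the property a defender would verify after a failover.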
CN202010710077.3A 2020-07-22 2020-07-22 Virtual encryption machine management method, device, computer equipment and storage medium Active CN111818081B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010710077.3A CN111818081B (en) 2020-07-22 2020-07-22 Virtual encryption machine management method, device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010710077.3A CN111818081B (en) 2020-07-22 2020-07-22 Virtual encryption machine management method, device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111818081A true CN111818081A (en) 2020-10-23
CN111818081B CN111818081B (en) 2023-05-23

Family

ID=72861935

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010710077.3A Active CN111818081B (en) 2020-07-22 2020-07-22 Virtual encryption machine management method, device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111818081B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114285565A (en) * 2021-12-29 2022-04-05 观源(上海)科技有限公司 Scheduling system of password resource pool
CN115102709A (en) * 2022-05-06 2022-09-23 东信和平科技股份有限公司 Authentication encryption and decryption method, system, equipment and storage medium
WO2023185359A1 (en) * 2022-03-28 2023-10-05 北京火山引擎科技有限公司 Resource operating method and apparatus, electronic device, and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108347493A (en) * 2017-01-25 2018-07-31 华为技术有限公司 Mixed cloud management method, device and computing device
CN110336730A (en) * 2019-07-09 2019-10-15 腾讯科技(深圳)有限公司 A kind of network system and data transmission method
CN110727499A (en) * 2019-09-18 2020-01-24 平安科技(深圳)有限公司 Resource data acquisition method and device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN111818081B (en) 2023-05-23

Legal Events

Date Code Title Description
PB01 Publication
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 40030707

Country of ref document: HK

SE01 Entry into force of request for substantive examination
GR01 Patent grant