CN113225312B - Same-city double-living identity authentication system and method - Google Patents


Info

Publication number: CN113225312B
Application number: CN202110316827.3A
Authority: CN (China)
Prior art keywords: unit; communication channel; global load; service; port communication
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113225312A (en)
Inventors: 周迪贵, 韦宗慧, 谢朋宇, 谢菁
Current assignee: Guangxi Power Grid Co Ltd
Original assignee: Guangxi Power Grid Co Ltd
Priority date: 2021-03-18
Filing date: 2021-03-18
Publication date: 2023-09-05

Events
2021-03-18: Application filed by Guangxi Power Grid Co Ltd
2021-03-18: Priority to CN202110316827.3A
2021-08-06: Publication of CN113225312A
2023-09-05: Application granted
2023-09-05: Publication of CN113225312B
Current status: Active

Classifications

    • H04L63/08: Network architectures or network communication protocols for network security, for authentication of entities
      (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security)
    • H04L41/0663: Performing the actions predefined by failover planning, e.g. switching to standby network elements
      (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/06 Management of faults, events, alarms or notifications > H04L41/0654 Management of faults, events, alarms or notifications using network fault recovery)

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computer Security & Cryptography
  • Computing Systems
  • General Engineering & Computer Science
  • Computer And Data Communications
  • Data Exchanges In Wide-Area Networks

Abstract

The invention discloses a same-city active-active identity authentication system and method. The system comprises an integrated network access module, a site A application service module and a site B application service module. The site A application service module comprises a first global load unit and a first network security authentication service unit; the first global load unit is connected to the integrated network access module, and the first network security authentication service unit is connected to the first global load unit. The site B application service module comprises a second global load unit and a second network security authentication service unit; the second global load unit is connected to the integrated network access module and to the first global load unit, and the second network security authentication service unit is connected to the second global load unit. The invention meets the requirement for dual-site deployment of the network security authentication service unit, keeps the application system's business operations running by deploying the global load units, and improves the security of the system by removing the single point of failure of a single-site authentication platform.

Description

Same-city double-living identity authentication system and method
Technical Field
The invention relates to the technical field of information authentication, and in particular to a same-city active-active identity authentication system and method (rendered "same-city double-living" in the machine-translated title).
Background
As is well known, active-active technology has in recent years been adopted by many large and medium-sized enterprises. The core principle is to build identical data centers at two sites some distance apart and deploy the same application systems at both, so that the information system keeps running and its services are not interrupted by an earthquake, fire, power failure or similar event. Even if one site fails for such a reason, the other site continues to serve the information system and the business is unaffected.
In same-city active-active operation, a 4A platform (the network security authentication service platform; the four A's are unified authentication, authorization, account and audit management) is typically deployed at both site A and site B. When a login request reaches the 4A authentication service of site A and succeeds, site A records the login and establishes a user session. If the user's next request during the same operation (for example, a request for role information) is routed to the 4A platform of site B, site B has no record of that login (the session state is held only at site A), so it treats the user as not logged in or the login as invalid and, following its security policy, requires the user to log in again. In active-active mode an application system integrated with the 4A platform therefore demands repeated re-logins, and business operations cannot proceed normally. To avoid this, many enterprises currently deploy the 4A platform at a single site, but a hidden danger remains: if that 4A platform becomes unavailable for any reason, none of the associated application systems can log in, and the losses are incalculable.
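The re-login problem described above, reproduced as an added example (this code is not part of the patent and is not Guangxi Power Grid's code): two authentication sites, each with a session table that is never replicated to the other, behind an access layer that picks a site per request. The SiteAuth and Gateway classes, the routing policies, the constructed credential and the request names are assumptions made for the illustration.

```python
"""Added example, not part of the patent: the re-login failure described in
the Background, reproduced with two independent 4A-style authentication
sites whose session tables are never replicated to each other.

The SiteAuth and Gateway classes, the routing policies, the constructed
credential and the request names are assumptions made for this
illustration, not the patent's design.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class SiteAuth:
    """One site's authentication service; its session table is local only."""
    name: str
    sessions: dict = field(default_factory=dict)  # token -> user name

    def login(self, user: str, password: str):
        # Constructed credential check standing in for the 4A account store.
        if password != "correct-horse":
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def handle(self, token, request: str) -> int:
        # A site that has never issued the token cannot tell a valid session
        # from a forged one, so by its security policy it demands a new login.
        if token not in self.sessions:
            return 401
        return 200


class Gateway:
    """Access layer that picks a site for each request according to a policy."""

    def __init__(self, sites, policy):
        self.sites = {site.name: site for site in sites}
        self.policy = policy  # callable: request index -> site name
        self.token = None

    def send(self, index: int, request: str) -> int:
        site = self.sites[self.policy(index)]
        if request == "login":
            self.token = site.login("alice", "correct-horse")
            return 200 if self.token else 401
        return site.handle(self.token, request)


def alternating(index: int) -> str:
    """Sends consecutive requests to A, B, A, B ...: either site may be hit."""
    return "A" if index % 2 == 0 else "B"


def pinned_to_a(index: int) -> str:
    """Sends every request to site A, which is what the patent's global load
    unit enforces while site A's authentication port is healthy."""
    return "A"


def run_session(policy) -> list:
    """Log in, then issue two follow-up requests; return the status codes."""
    gateway = Gateway([SiteAuth("A"), SiteAuth("B")], policy)
    requests = ["login", "get_roles", "get_menu"]
    return [gateway.send(i, r) for i, r in enumerate(requests)]


if __name__ == "__main__":
    print("alternating routing:", run_session(alternating))  # [200, 401, 200]
    print("pinned routing:     ", run_session(pinned_to_a))  # [200, 200, 200]
```

With alternating routing the second request lands on site B, which has no record of the session and answers 401; pinning every request of the session to one site, which is what the global load unit in the patent enforces, removes the spurious re-login. The example deliberately does not replicate session state between the sites, because the page describes no such replication.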
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a same-city active-active identity authentication system and method that meet the requirement for dual-site deployment of the network security authentication service unit, keep the application system's business operations running by deploying global load units, and improve the security of the system by removing the single point of failure of a single-site authentication platform.
To this end, the invention provides a same-city active-active identity authentication system comprising an integrated network access module, a site A application service module and a site B application service module;
the site A application service module comprises a first global load unit and a first network security authentication service unit, where the first global load unit is connected to the integrated network access module and the first network security authentication service unit is connected to the first global load unit;
the site B application service module comprises a second global load unit and a second network security authentication service unit, where the second global load unit is connected to the integrated network access module and to the first global load unit, and the second network security authentication service unit is connected to the second global load unit.
Optionally, the site A application service module further comprises a first service docking unit and a first storage unit;
the first service docking unit is connected to the first global load unit, and the first storage unit is connected to the first service docking unit.
Optionally, the site B application service module further comprises a second service docking unit and a second storage unit;
the second service docking unit is connected to the second global load unit and to the first storage unit; the second storage unit is connected to the first service docking unit and to the second service docking unit.
In addition, an embodiment of the invention provides a same-city active-active identity authentication method that uses the above system and comprises the following steps:
acquiring the user's latest access data through the integrated network access module;
building a first port communication channel between the first global load unit and the first network security authentication service unit, and a second port communication channel between the second global load unit and the second network security authentication service unit;
verifying the operating states of the first and second port communication channels with a port detection algorithm;
and, according to the operating states of the two channels, invoking the appropriate control strategy to complete the parsing and authentication of the latest access data and the establishment of the user session.
Optionally, verifying the operating states of the two channels with the port detection algorithm comprises:
sending a connection test instruction from the first global load unit to the first port used by the first network security authentication service unit, and determining the operating state of the first port communication channel from the first port's response;
and sending a connection test instruction from the second global load unit to the second port used by the second network security authentication service unit, and determining the operating state of the second port communication channel from the second port's response.
Optionally, invoking the appropriate control strategy according to the operating states of the two channels comprises:
when the first port communication channel is in the normal operating state, enabling the group A control strategy to complete the parsing, authentication and session establishment for the latest access data;
when the first port communication channel is in the abnormal operating state and the second port communication channel is in the normal operating state, enabling the group B control strategy to complete the parsing, authentication and session establishment for the latest access data;
and when both the first and second port communication channels are in the abnormal operating state, generating a system access fault report and outputting it to the integrated network access module.
Optionally, enabling the group A control strategy comprises:
parsing the latest access data with the first network security authentication service unit to obtain the identity authentication information;
and verifying the identity authentication information with the first global load unit and matching an application system from the first service docking unit to establish the user's normal session.
Optionally, enabling the group B control strategy comprises:
parsing the latest access data with the second network security authentication service unit to obtain the identity authentication information;
and verifying the identity authentication information with the second global load unit and matching an application system from the second service docking unit to establish the user's normal session.
In the embodiment of the invention the network security authentication service unit can be deployed at two sites, which removes the hidden danger of single-point deployment; and by arranging the global load units, all of a user's access traffic is directed to one designated site for authentication, so that a user is never rejected by authentication merely because requests were routed at random before a session with the designated application system was established. Business operations of the designated application system therefore proceed normally, and the security of the system is greatly improved.
Drawings
To illustrate the embodiments of the invention or the prior-art solutions more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. The drawings described below are evidently only some embodiments of the invention, and a person skilled in the art could derive other drawings from them without inventive effort.
FIG. 1 is a schematic topology diagram of a same-city active-active identity authentication system in an embodiment of the invention;
FIG. 2 is a flow chart of a same-city active-active identity authentication method in an embodiment of the invention.
Detailed Description
The technical solutions of the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. The embodiments described are evidently only some of the embodiments of the invention, not all of them. All other embodiments that a person skilled in the art can obtain from these embodiments without inventive effort fall within the scope of the invention.
Referring to FIG. 1, FIG. 1 is a schematic topology diagram of a same-city active-active identity authentication system according to an embodiment of the invention.
As shown in FIG. 1, the same-city active-active identity authentication system comprises an integrated network access module, a site A application service module and a site B application service module. The integrated network access module acquires the user's latest access data; the site A and site B application service modules stand in an interchangeable primary/standby relationship, and each can authenticate the latest access data and establish the user session.
Specifically, the site A application service module comprises a first global load unit and a first network security authentication service unit; the first global load unit is connected to the integrated network access module, and the first network security authentication service unit is connected to the first global load unit. In operation the first global load unit designates the user's access route; once the first network security authentication service unit is confirmed to be up, that unit authenticates the latest access data, and finally the first global load unit establishes the user session.
In addition, the site A application service module further comprises a first service docking unit and a first storage unit; the first service docking unit is connected to the first global load unit, and the first storage unit is connected to the first service docking unit. The first service docking unit implements the user's business requests, and the first storage unit stores the application system's operating data.
Specifically, the site B application service module comprises a second global load unit and a second network security authentication service unit; the second global load unit is connected to the integrated network access module and to the first global load unit, and the second network security authentication service unit is connected to the second global load unit. Each unit works in the same way as its counterpart in the site A application service module and is not described again here.
In addition, the site B application service module further comprises a second service docking unit and a second storage unit; the second service docking unit is connected to the second global load unit and to the first storage unit, and the second storage unit is connected to the first service docking unit and to the second service docking unit. Each unit works in the same way as its counterpart in the site A application service module and is not described again here.
Referring to FIG. 2, FIG. 2 is a flow chart of a same-city active-active identity authentication method according to an embodiment of the invention; it describes the operation of the system topology of FIG. 1.
As shown in FIG. 2, the same-city active-active identity authentication method comprises the following steps:
S101, acquiring the user's latest access data through the integrated network access module;
S102, building a first port communication channel between the first global load unit and the first network security authentication service unit, and a second port communication channel between the second global load unit and the second network security authentication service unit;
S103, verifying the operating states of the first and second port communication channels with a port detection algorithm.
This is implemented as follows:
(1) The first global load unit sends a connection test instruction to the first port used by the first network security authentication service unit, and the operating state of the first port communication channel is determined from the first port's response.
Specifically, the first global load unit is configured to send a Telnet command or a Ping command to the first port. If the first network security authentication service unit does not respond within a set time period, the first port is judged unreachable, that is, the first port communication channel is in the abnormal operating state; if the unit responds within the set period and the connection to the first port goes through, the first port communication channel is in the normal operating state.
(2) The second global load unit sends a connection test instruction to the second port used by the second network security authentication service unit, and the operating state of the second port communication channel is determined from the second port's response.
Specifically, the second global load unit is configured to send a Telnet command or a Ping command to the second port. If the second network security authentication service unit does not respond within a set time period, the second port is judged unreachable, that is, the second port communication channel is in the abnormal operating state; if the unit responds within the set period and the connection to the second port goes through, the second port communication channel is in the normal operating state.
Note that the checks of steps (1) and (2) run concurrently, so that the latest access data can be answered without delay. Note also that a Telnet or Ping probe only shows that the host or port is reachable; it does not show that the authentication service behind the port is functioning, so a deployment would normally pair it with an application-level health check.
S104, according to the operating states of the first and second port communication channels, invoking the appropriate control strategy to complete the parsing, authentication and session establishment for the latest access data.
In the embodiment of the invention, parsing and authenticating the latest access data is done with a unified security management platform (the 4A platform) solution: network security verification is performed across the four parts of unified authentication management, unified authorization management, unified account management and unified audit management, and that verification is carried out by the first and second network security authentication service units, which run independently of each other. The specific process is as follows:
(1) When the first port communication channel is in the normal operating state, the group A control strategy is enabled to complete the parsing, authentication and session establishment for the latest access data.
Specifically, the first network security authentication service unit parses the latest access data to obtain the identity authentication information; then the first global load unit verifies that information and matches an application system from the first service docking unit to establish the user's normal session, which guarantees that the authentication information held by the accessed application system is consistent with the first network security authentication service unit.
Note that in this embodiment the first port communication channel has a higher priority than the second: when both channels are in the normal operating state, only the first channel is selected to carry the latest access data, which prevents the authentication failures caused by random site selection during a user's session.
(2) When the first port communication channel is in the abnormal operating state and the second port communication channel is in the normal operating state, the group B control strategy is enabled to complete the parsing, authentication and session establishment for the latest access data.
Specifically, the second network security authentication service unit parses the latest access data to obtain the identity authentication information; then the second global load unit verifies that information and matches an application system from the second service docking unit to establish the user's normal session, which guarantees that the authentication information held by the accessed application system is consistent with the second network security authentication service unit.
(3) When both the first and second port communication channels are in the abnormal operating state, a system access fault report is generated and output to the integrated network access module.
In the embodiment of the invention the network security authentication service unit can be deployed at two sites, which removes the hidden danger of single-point deployment; and by arranging the global load units, all of a user's access traffic is directed to one designated site for authentication, so that a user is never rejected by authentication merely because requests were routed at random before a session with the designated application system was established. Business operations of the designated application system therefore proceed normally, and the security of the system is greatly improved.
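The probe-and-select procedure of S102 to S104 (the same steps summarized in the Disclosure above), as an added example in Python that is not the patent's code and not Guangxi Power Grid's: the two authentication ports are probed concurrently with a TCP connect, which stands in for the Telnet or Ping command the page mentions, and the result selects the group A strategy, the group B strategy, or a fault report. The hosts, ports, timeout, strategy labels and report layout are assumptions made for the illustration.

```python
"""Added example, not from the patent: steps S102 to S104 of the method
(probe the two authentication ports concurrently, then pick the control
strategy) implemented as a small Python health check and failover policy.

The patent only says the global load unit sends a Telnet or Ping command
and waits a fixed time; a TCP connect with a timeout is used here as the
equivalent of the Telnet probe.  Hosts, ports, the timeout, the strategy
labels and the fault-report layout are assumptions for this illustration.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timezone

STRATEGY_A = "A"          # site A authenticates (normal case, A has priority)
STRATEGY_B = "B"          # site B authenticates (site A channel abnormal)
STRATEGY_FAULT = "FAULT"  # both channels abnormal: emit a fault report


def probe_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    This is the 'connection test instruction' of S103.  Limitation: success
    shows that something accepts connections on the port, not that the
    authentication service behind it is working correctly.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_both(first, second, timeout: float = 2.0):
    """Probe the first and second port communication channels concurrently,
    as the patent requires steps (1) and (2) of S103 to run synchronously."""
    with ThreadPoolExecutor(max_workers=2) as pool:
        fut_a = pool.submit(probe_port, *first, timeout)
        fut_b = pool.submit(probe_port, *second, timeout)
        return fut_a.result(), fut_b.result()


def select_strategy(first_ok: bool, second_ok: bool) -> str:
    """S104: site A is chosen whenever its channel is normal; site B only
    when A is abnormal and B is normal; otherwise a fault is reported."""
    if first_ok:
        return STRATEGY_A
    if second_ok:
        return STRATEGY_B
    return STRATEGY_FAULT


def fault_report(first, second) -> dict:
    """System access fault report for the integrated network access module
    when neither channel is usable (the layout is an assumption)."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "first_port_channel": {"host": first[0], "port": first[1], "state": "abnormal"},
        "second_port_channel": {"host": second[0], "port": second[1], "state": "abnormal"},
        "action": "no authentication site available; access data not processed",
    }


def route_access(first, second, timeout: float = 2.0) -> dict:
    """Run S103 and S104 for one batch of access data and return the decision."""
    first_ok, second_ok = probe_both(first, second, timeout)
    strategy = select_strategy(first_ok, second_ok)
    result = {"first_ok": first_ok, "second_ok": second_ok, "strategy": strategy}
    if strategy == STRATEGY_FAULT:
        result["report"] = fault_report(first, second)
    return result


def _listener():
    """Open a loopback listener on an ephemeral port to stand in for a live
    authentication service port (constructed for the demo only)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def _closed_port() -> int:
    """Pick a loopback port that nothing is listening on."""
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    site_a = _listener()                       # site A port up
    site_b_port = _closed_port()               # site B port down
    print(route_access(("127.0.0.1", site_a.getsockname()[1]),
                       ("127.0.0.1", site_b_port)))          # strategy A
    site_a.close()                             # now both ports are down
    print(route_access(("127.0.0.1", _closed_port()),
                       ("127.0.0.1", _closed_port())))        # FAULT + report
```

Running the block opens a loopback listener to play site A's port and picks an unused loopback port for site B, then repeats the decision with both ports closed, so the branches of S104 can be exercised without a real 4A platform. Two caveats a deployment should keep in mind: a successful TCP connect shows only that a listener exists, not that the authentication service is healthy, so an application-level health check is the usual companion; and because the page does not describe replicating the session created at site A to site B, a switch to the group B strategy means the user authenticates again at site B.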
A person of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments can be implemented by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, which may include read-only memory (ROM), random-access memory (RAM), a magnetic disk, an optical disk, or the like.
The embodiments of the invention provide a same-city active-active identity authentication system and method. Specific examples have been used to explain the principle and implementation of the invention, and the description of the above embodiments is only meant to help understand the method and core idea of the invention; at the same time, a person skilled in the art may vary the specific embodiments and the scope of application in accordance with the idea of the invention, so nothing in this description should be construed as limiting the invention.

Claims (1)

1. A same-city active-active identity authentication method, characterized in that it is implemented by a same-city active-active identity authentication system;
the same-city active-active identity authentication system comprises an integrated network access module, a site A application service module and a site B application service module;
the site A application service module comprises a first global load unit and a first network security authentication service unit, where the first global load unit is connected to the integrated network access module and the first network security authentication service unit is connected to the first global load unit;
the site B application service module comprises a second global load unit and a second network security authentication service unit, where the second global load unit is connected to the integrated network access module and to the first global load unit, and the second network security authentication service unit is connected to the second global load unit;
the site A application service module further comprises a first service docking unit and a first storage unit;
the first service docking unit is connected to the first global load unit, and the first storage unit is connected to the first service docking unit;
the site B application service module further comprises a second service docking unit and a second storage unit;
the second service docking unit is connected to the second global load unit and to the first storage unit; the second storage unit is connected to the first service docking unit and to the second service docking unit;
the same-city active-active identity authentication method comprises the following steps:
acquiring the user's latest access data through the integrated network access module;
building a first port communication channel between the first global load unit and the first network security authentication service unit, and a second port communication channel between the second global load unit and the second network security authentication service unit;
verifying the operating states of the first and second port communication channels with a port detection algorithm, wherein the first global load unit sends a connection test instruction to the first port used by the first network security authentication service unit and the operating state of the first port communication channel is determined from the first port's response, and the second global load unit sends a connection test instruction to the second port used by the second network security authentication service unit and the operating state of the second port communication channel is determined from the second port's response;
according to the operating states of the first and second port communication channels, invoking the appropriate control strategy to complete the parsing and authentication of the latest access data and the establishment of the user session;
when the first port communication channel is in the normal operating state, enabling a group A control strategy to complete the parsing, authentication and session establishment for the latest access data, wherein the first network security authentication service unit parses the latest access data to obtain identity authentication information, and the first global load unit verifies that information and matches an application system from the first service docking unit to establish the user's normal session; when both the first and second port communication channels are in the normal operating state, the first port communication channel has priority over the second;
when the first port communication channel is in the abnormal operating state and the second port communication channel is in the normal operating state, enabling a group B control strategy to complete the parsing, authentication and session establishment for the latest access data, wherein the second network security authentication service unit parses the latest access data to obtain identity authentication information, and the second global load unit verifies that information and matches an application system from the second service docking unit to establish the user's normal session;
and when both the first and second port communication channels are in the abnormal operating state, generating a system access fault report and outputting it to the integrated network access module.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202110316827.3A (CN113225312B) | 2021-03-18 | 2021-03-18 | Same-city double-living identity authentication system and method

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202110316827.3A (CN113225312B) | 2021-03-18 | 2021-03-18 | Same-city double-living identity authentication system and method

Publications (2)

Publication Number | Publication Date
CN113225312A | 2021-08-06
CN113225312B | 2023-09-05

Family

ID=77084098

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN202110316827.3A (CN113225312B) | Same-city double-living identity authentication system and method | 2021-03-18 | 2021-03-18 | Active

Country Status (1)

Country | Link
CN | CN113225312B

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102045185A (en) * 2009-10-21 2011-05-04 中兴通讯股份有限公司 User information backup method and device
CN102447583A (en) * 2012-01-04 2012-05-09 中兴通讯股份有限公司 Hot standby method and device for network address conversion equipment
CN110719282A (en) * 2019-10-10 2020-01-21 国网山东省电力公司信息通信公司 Authentication dual-active system based on unified authority

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104219072B (en) * 2013-05-31 2018-11-06 华为技术有限公司 Restoration method and device for a safety controller (SC)
US11106554B2 (en) * 2019-04-30 2021-08-31 JFrog, Ltd. Active-active environment control

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Discussion of a same-city dual-active solution for enterprise-level applications of Guangxi Power Grid; 谢朋宇 (Xie Pengyu); 《广西电力》 (Guangxi Electric Power); 2018-05-04; Figure 6 of the main text *

Also Published As

Publication number Publication date
CN113225312A (en) 2021-08-06

Similar Documents

Publication Publication Date Title
CN106911648B (en) Environment isolation method and equipment
CN106487486B (en) Service processing method and data center system
US20070033284A1 (en) System server for data processing with multiple clients and a data processing method
CN108984349B (en) Method and device for electing master node, medium and computing equipment
WO2021103499A1 (en) Multi-active data center-based traffic switching method and device
CN107800783B (en) Method and device for remotely monitoring server
CN112995233A (en) RSSP-II protocol secure connection establishment method and system
CN116132519A (en) Device management method, device and readable storage medium
CN110275793B (en) Detection method and equipment for MongoDB data fragment cluster
CN103164324A (en) Microblog test method and device
CN113225312B (en) Same-city double-living identity authentication system and method
CN112565368B (en) Block chain based offshore equipment ad hoc network system, method and medium
RU2630585C2 (en) Method of safety data transmission and communication system for its implementation
CN116302716A (en) Cluster deployment method and device, electronic equipment and computer readable medium
CN116112559A (en) Remote server management control method, system and storage medium
CN115086311A (en) Management system of enterprise cross-system service based on cloud service bus
CN114298694A (en) Block chain service platform management method and device, computer equipment and storage medium
CN112069255A (en) Method and device for synchronizing internal and external network database data
CN115001804B (en) Bypass access control system, method and storage medium applied to field station
CN116781608B (en) Data transmission system, method, electronic device and readable storage medium
CN114050911B (en) Remote login method and system for container
CN113849364B (en) Edge application management method, device, equipment and readable storage medium
CN114944948B (en) Cross-domain user permission following-based method and system
CN107124328A (en) Start the method and apparatus of arbitration machine in a kind of Net Strobe System
CN113704101B (en) Distributed system compatibility testing method based on gateway asynchronous replication

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant