CN114125827B - Terminal management method, device and centralized management system - Google Patents
- Publication number: CN114125827B (application CN202111406400.9A)
- Authority: CN (China)
- Prior art keywords: target, console, path, terminal, access point
- Prior art date
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06—Authentication > H04W12/068—Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/03—Protecting confidentiality, e.g. by encryption
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W76/00—Connection management > H04W76/10—Connection setup
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Telephonic Communication Services (AREA)
Abstract
A terminal management method, a device and a centralized management system relate to the technical field of communication. The terminal management method comprises the following steps: when a target terminal accesses the centralized management system, acquiring an access credential of a target access point; then, after access authentication succeeds according to the access credential, determining a return path from a first console to the target access point and a target path from the target terminal to the target access point according to a preset path label mapping relation; then splicing the target path and the return path to obtain full-path information from the target terminal to the first console; and finally, establishing a communication session with the first console according to the full-path information so that the first console manages the target terminal through the communication session. Terminal management control is thereby realized without gateway equipment, which helps to avoid exposing the actual positions and IP addresses of the terminal and the management end and ensures communication security.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to a terminal management method, a device, and a centralized management system.
Background
In the broader Internet environment, the production and office efficiency of enterprises is greatly improved by centralized management of terminals and devices. Terminal and device management modes have gradually evolved from the initial point-to-point approach to today's distributed, centralized approach. In the existing terminal management method, an intelligent gateway is connected to the devices and to the management end respectively, so that the management end controls the devices directly. However, in practice it is found that the intelligent gateway exposes the actual location and IP address of the management end, with the risk of being attacked and becoming unavailable.
Disclosure of Invention
The embodiment of the application aims to provide a terminal management method, a terminal management device and a centralized management system, which can realize terminal management control without gateway equipment, thereby being beneficial to avoiding exposing the actual positions and IP of a terminal and a management end and ensuring communication safety.
An embodiment of the present application provides a terminal management method, including:
when a target terminal accesses the centralized management system, acquiring an access credential of a target access point;
after the access authentication is successful according to the access credentials, determining a return path from a first control console to the target access point and a target path from the target terminal to the target access point according to a preset path label mapping relation;
splicing the target path and the return path to obtain full path information from the target terminal to the first console;
and establishing a communication session with the first console according to the full path information so that the first console manages the target terminal through the communication session.
In the implementation process, when the target terminal accesses the centralized management system, an access credential of the target access point is acquired; then, after access authentication succeeds according to the access credential, a return path from the first console to the target access point and a target path from the target terminal to the target access point are determined according to a preset path label mapping relation; then the target path and the return path are spliced to obtain the full path information from the target terminal to the first console; and finally, a communication session is established with the first console according to the full path information so that the first console manages the target terminal through the communication session. Terminal management control is thereby realized without gateway equipment, which helps to avoid exposing the actual positions and IP addresses of the terminal and the management end and ensures communication security.
Further, the obtaining the access credential of the target access point includes:
obtaining public key information of the target terminal, and determining the target access point through which the target terminal accesses the centralized management system;
and notifying the first console to distribute the access credential of the target access point to the target terminal according to the public key information.
In the implementation process, the access credential is acquired through public key information; the public and private keys serve as the unique identity identifiers of the terminal and devices, participate in the negotiation and authentication of bottom-layer communication, and are used to configure encryption.
Further, the determining, according to a preset path label mapping relationship, a return path from the first console to the target access point and a target path from the target terminal to the target access point includes:
sending a console path request command to the target access point;
receiving response information fed back by the target access point in response to the console path request command;
determining a response node from the target access point according to the response information;
acquiring a return path which is automatically addressed and determined by the response node according to the control console path request command, the public key information and a preset path label mapping relation, wherein the return path is a communication path from the first control console to the response node;
and determining a target path from the target terminal to the response node.
Further, the establishing a communication session with the first console according to the full path information includes:
initiating a session establishment request to the first console according to the full path information;
when the first control console detects that the target terminal is a legal terminal according to the session establishment request, receiving session establishment confirmation information sent by the first control console;
and establishing a communication session with the first console according to the session establishment confirmation information.
Further, the method further comprises:
when the first console fails, receiving replacement control path information sent by a second console; the second console synchronizes the device information on the first console at regular intervals, wherein the device information comprises the device information of the target terminal;
and replacing the full path information with the control path information, and establishing a new communication session with the second control console according to the control path information so that the second control console manages the target terminal through the new communication session.
A second aspect of an embodiment of the present application provides a centralized management system, including a first console, a target terminal, and a target access point, where,
the target terminal is used for accessing the centralized management system from the target access point and acquiring an access credential of the target access point; after access authentication succeeds according to the access credential, determining a return path from the first console to the target access point and a target path from the target terminal to the target access point according to a preset path label mapping relation;
the target terminal is used for splicing the target path and the return path to obtain full path information from the target terminal to the first console; and establishing a communication session with the first console according to the full path information;
the first console is configured to establish the communication session with the target terminal, and manage the target terminal through the communication session.
In the implementation process, the target terminal accesses the centralized management system from the target access point and acquires the access credential of the target access point; after access authentication succeeds according to the access credential, it determines a return path from the first console to the target access point and a target path from the target terminal to the target access point according to a preset path label mapping relation; it then splices the target path and the return path to obtain the full path information from the target terminal to the first console and establishes a communication session with the first console according to the full path information; the first console establishes the communication session with the target terminal and manages the target terminal through it. Management control of the terminal is thus realized without gateway equipment, which helps to avoid exposing the actual positions and IP addresses of the terminal and the management end and ensures communication security.
Further, the centralized management system further comprises a second console and a console access point, wherein,
the second console is used for accessing the centralized management system through the console access point, acquiring access credentials of the console access point, searching communication path information from the second console to the first console after successful access authentication according to the access credentials, and establishing a synchronous session with the first console through the communication path information; and synchronizing device information on the first console at regular time through the synchronization session; wherein the device information includes device information of the target terminal.
A third aspect of an embodiment of the present application provides a terminal management apparatus, including:
the acquisition unit is used for acquiring an access credential of the target access point when the target terminal accesses the centralized management system;
the path determining unit is used for determining a return path from the first console to the target access point and a target path from the target terminal to the target access point according to a preset path label mapping relation after access authentication succeeds according to the access credential;
the path splicing unit is used for splicing the target path and the return path to obtain full path information from the target terminal to the first console;
and the session establishment unit is used for establishing a communication session with the first console according to the full-path information so that the first console manages the target terminal through the communication session.
In the implementation process, when the target terminal accesses the centralized management system, the acquisition unit acquires an access credential of the target access point; after access authentication succeeds according to the access credential, the path determining unit determines a return path from the first console to the target access point and a target path from the target terminal to the target access point according to a preset path label mapping relation; the path splicing unit splices the target path and the return path to obtain the full path information from the target terminal to the first console; and the session establishment unit establishes a communication session with the first console according to the full path information, so that the first console manages the target terminal through the communication session. Management control of the terminal is thus realized without gateway equipment, which helps to avoid exposing the actual positions and IP addresses of the terminal and the management end and ensures communication security.
A fourth aspect of the embodiment of the present application provides an electronic device, including a memory and a processor, where the memory is configured to store a computer program, and the processor is configured to execute the computer program to cause the electronic device to execute the terminal management method according to any one of the first aspect of the embodiment of the present application.
A fifth aspect of the embodiments of the present application provides a computer readable storage medium storing computer program instructions which, when read and executed by a processor, perform the terminal management method according to any one of the first aspect of the embodiments of the present application.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a system frame structure diagram related to a terminal management method according to an embodiment of the present application;
Fig. 2 is a schematic flow chart of a terminal management method according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a system architecture of a centralized management system according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a terminal management device according to an embodiment of the present application;
Fig. 5 is a schematic diagram of a system deployment topology according to an embodiment of the present application.
Reference numerals: 210-first console; 220-target terminal; 230-target access point; 240-second console; 250-console access point; 260-forwarding node; 1, 2, 3, 4, 5, 6, 7, 8-nodes.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
Referring to fig. 1, fig. 1 is a system frame structure diagram related to a terminal management method according to an embodiment of the present application. As shown in fig. 1, the terminal, the intermediate node and the console perform identity identification according to public key information, each terminal, each console and each intermediate forwarding service node are identical from the outside, and the bottom communication layer performs session negotiation and encryption by adopting public and private key pairs among the nodes.
In the embodiment of the present application, the terminal may be a computing device such as a computer or a server, which is not limited in this embodiment.
In the embodiment of the application, the terminal can also be intelligent equipment such as a smart phone, a tablet personal computer, intelligent wearable equipment and the like, and the embodiment is not limited in any way.
As shown in fig. 1, from the bottom communication between nodes to the docking with the terminal and console of the upper layer, for each communication participating node, the data processing in the communication process includes 5 layers:
(1) Identity and addressing
Each terminal or device node is internally provided with an identity module, and each node identity comprises its own IP address, communication port and public/private key authentication information. The public/private key information is initialized when the node is configured for the first time and is generated by a combined calculation over the hardware information of the device or terminal. The public and private keys serve as the unique identity marks of the terminal and devices, participate in the negotiation and authentication of bottom-layer communication (communication with intermediate nodes and the console), and are used to configure encryption.
Addressing is mainly aimed at discovery of the console. Each terminal performs session negotiation and remote communication with the console after hopping through one or more intermediate nodes. Because multiple control platforms and centralized management services are deployed, a terminal node may be attached to different consoles at different times (link changes, intermediate node disconnection). The terminal node therefore dynamically maintains a path from itself to one of the consoles via an intermediate node; after first access, the terminal node can quickly acquire path information from itself to the console from that intermediate node, so as to establish a communication session with the remote console and management service. Synchronization among multiple consoles, upstream and downstream, is configured by the same addressing: each console periodically looks up paths to the other available consoles from the nodes interconnected with it.
(2) Route forwarding
The intermediate node maps public keys to the underlying IP addresses, performs point-to-point decryption of received data according to its own private key and the public key of the directly connected node, obtains the destination public key address marked in the data header after decryption, and judges whether that address is its own node; if not, it forwards the data to another adjacent node. The forwarding node selects the corresponding bottom-layer communication link mainly according to the path label (a conversion mapping among the IP address, the public key and the link label).
(3) Data processing layer
For a terminal or a console, after receiving forwarded data from an intermediate node, the service layer is mainly divided into three types: terminal service data, control signaling from the console to the terminal, and synchronization data between upstream and downstream consoles.
The terminal service data comprises information of different types of terminals and devices; the control signaling is used for authentication between the terminal and the access point, and for control information and keep-alive communication between the terminal and the console; the synchronization data is used for cooperation of the bottom-layer databases among multiple consoles and synchronization of control commands, so that devices associated with one console can be managed and controlled uniformly from a different console.
(4) Session layer
The communication between the nodes can adopt a point-to-point and end-to-end double-layer encryption mechanism, a session layer is established on the basis of the communication of the bottom layer, the states of the terminal, the equipment node and the intermediate forwarding node are maintained, and the authentication and survival states between the terminal, the equipment node and a remote control console are maintained. When the intermediate node fails and the link changes, the session state changes to trigger the addressing service to the control console, and the path information to the control console is updated rapidly.
(5) Interface layer
Above the session layer, the interface is divided into an application layer and a management layer to distinguish whether a service belongs to the terminal or the console, so as to meet the management and control extension requirements for multiple types of devices and terminals. The application layer performs unified description and extension for different types of devices and terminals, and different API interfaces can be developed for different device terminals in a targeted manner for management and control. The management layer is used by the console and management service to extend control and storage for different terminals and devices.
Referring to fig. 2, fig. 2 is a flowchart of a terminal management method according to an embodiment of the present application. The terminal management method comprises the following steps:
S101, when a target terminal accesses the centralized management system, public key information of the target terminal is obtained, and the target access point through which the target terminal accesses the centralized management system is determined.
In the embodiment of the application, the method can be applied to centralized management and control design of the desktop EDR terminal of the enterprise intranet, cloud security and situation awareness distributed probe nodes, and the like, and the embodiment of the application is not limited.
In the embodiment of the application, the method is based on a self-defined secure communication system product and provides the construction and implementation of a secure multi-source centralized management and control platform system, so that the security of the centralized management and control platform can be greatly improved.
In the embodiment of the present application, the execution body of the method is the target terminal, and the embodiment of the present application is not limited.
Referring to fig. 5, fig. 5 is a schematic diagram of a system deployment topology according to an embodiment of the present application. As shown in fig. 5, a single device or console may be accessed through multiple nodes, and different devices and consoles may also be accessed through the same access point, where the access points are flexibly deployed in the reachable range of the internet through 1-to-1 and 1-to-N modes; meanwhile, the number of the console deployments is not limited to 2, and a plurality of consoles can be deployed according to different positions and areas.
After step S101, the method further includes the steps of:
S102, notifying the first console to distribute the access credential of the target access point to the target terminal according to the public key information.
In the embodiment of the application, taking one terminal (namely a target terminal) as an example of an access centralized management system, the steps of accessing a terminal and a console, forwarding an intermediate node and addressing a path are elaborated. The public key information of the target terminal is acquired first, and then the first console is informed to allocate access credentials of the target access points (i.e., node 6 and node 7 shown in fig. 5) to the target terminal according to the public key information of the target terminal.
In the embodiment of the present application, the access credential includes public key information of the first console, public key information of the target access point, the IP address and communication port information corresponding to the target terminal, and the like, and the embodiment of the present application is not limited thereto.
In the embodiment of the application, after the access credential is acquired, the target terminal loads the access credential to start access authentication with the target access point.
In the embodiment of the present application, the steps S101 to S102 are implemented, so that the access credentials of the target access point can be obtained when the target terminal accesses the centralized management system.
After step S102, the method further includes the steps of:
S103, after access authentication succeeds according to the access credential, a console path request command is sent to the target access point.
S104, receiving response information fed back by the target access point in response to the console path request command.
S105, determining the response node from the target access point according to the response information.
S106, acquiring a return path which is automatically addressed and determined by the response node according to the control console path request command, the public key information and the preset path label mapping relation, wherein the return path is a communication path from the first control console to the response node.
S107, determining a target path from the target terminal to the response node.
In the embodiment of the application, after the target terminal successfully performs access authentication according to the access credentials, a control console path request command is sent to the target access point.
In the embodiment of the present application, the target access point includes at least one node, as shown in fig. 5, and the topology includes node 1, node 2, node 3, node 4, node 5, node 6, node 7, and node 8, where the target access point includes node 6 and node 7, and the target terminal may send a console path request command to both node 6 and node 7, respectively, and then when receiving response information of either node 6 or node 7, execute steps S105 to S107 to determine a target path from the target terminal to the response node. For example, assuming that the reply information of the node 6 is received, the reply node is the node 6, and then the path from the target terminal itself to the node 6 may be determined as the target path.
In the embodiment of the present application, after the access authentication is successfully performed according to the access credentials, the return path from the first console to the target access point and the target path from the target terminal to the target access point can be determined according to the preset path label mapping relationship by implementing the steps S103 to S107.
After step S107, the method further includes the steps of:
S108, splicing the target path and the return path to obtain the full path information from the target terminal to the first console.
In the embodiment of the application, the target path and the return path from the first console to the response node are spliced, so that the full path information from the target terminal to the first console can be obtained.
S109, establishing a communication session with the first console according to the full path information so that the first console manages the target terminal through the communication session.
In the embodiment of the application, after the target terminal obtains the full path information from the target terminal to the first console, the session establishment request can be initiated to the first console.
As an alternative embodiment, establishing a communication session with the first console according to the full path information includes:
initiating a session establishment request to a first console according to the full path information;
when the first console detects that the target terminal is a legal terminal according to the session establishment request, receiving session establishment confirmation information sent by the first console;
a communication session is established with the first console based on the session establishment confirmation information.
In the above embodiment, when the target terminal establishes a communication session with the first console, node 6, after receiving the session establishment request sent by the target terminal, first decrypts the message and judges whether it is addressed to itself; if not, the message is forwarded layer by layer according to the path information to its upstream node 4, node 4 forwards the received message to node 1, and node 1 finally forwards it to the first console. After receiving the session establishment request, the first console decrypts it and judges that the message is addressed to itself; it then checks against its background database whether the target terminal is a legal terminal, and if so, a normal communication session is established.
In the embodiment of the application, once the session is established, the first console can remotely control the target terminal.
As shown in fig. 5, other terminals may also access the centralized management system through the terminal management method. Other terminals can access the centralized management system by taking the node 7 and the node 8 as access points.
After step S109, the method further comprises the following steps:
S110: when the first console fails, receive control path information to be replaced, sent by the second console; the second console synchronizes the device information on the first console at regular intervals, the device information including the device information of the target terminal.
S111: replace the full path information with the control path information, and establish a new communication session with the second console according to the control path information, so that the second console manages the target terminal through the new communication session.
As shown in fig. 5, the second console performs credential issuance through the first console on its first access, in the same way as the target terminal. After the second console has accessed successfully, the path to the first console is automatically searched from nodes 5 and 8, a synchronization session is established with the first console, and the device information of the target terminal stored on the first console is synchronized at regular intervals. If the first console fails, the control paths of all nodes are automatically updated to the second console; since the second console also holds the device information of the target terminal, control of the target terminal can be switched over seamlessly.
As an alternative embodiment, if the intermediate forwarding node fails, the nodes interconnected with the intermediate forwarding node also update to the corresponding console paths synchronously.
According to the embodiment of the application, the method realizes multi-source operation of the centralized control center and the platform, greatly improving the security level and reliability.
In the embodiment of the application, the method realizes unified management of terminal identities and automatic path addressing, so that system networking is more flexible and convenient.
Therefore, the terminal management method described in fig. 2 can realize terminal management control without gateway equipment, thereby being beneficial to avoiding exposing the actual positions and the IP of the terminal and the management end and ensuring the communication safety.
Referring to fig. 3, fig. 3 is a schematic diagram of a system architecture of a centralized management system according to an embodiment of the present application. As shown in fig. 3, the centralized management system includes a first console 210, a target terminal 220, and a target access point 230.
The target terminal 220 is configured to access the centralized management system from the target access point 230, and obtain an access credential of the target access point 230; and after the access authentication is successful according to the access credentials, determining a return path from the first console 210 to the target access point 230 and a target path from the target terminal 220 to the target access point 230 according to a preset path label mapping relationship.
The target terminal 220 is configured to splice the target path and the return path to obtain full path information from the target terminal 220 to the first console 210; and establishing a communication session with the first console 210 based on the full path information;
the first console 210 is used for establishing a communication session with the target terminal 220 and managing the target terminal 220 through the communication session.
As an alternative embodiment, the centralized management system further comprises a second console 240 and a console access point 250.
The second console 240 is configured to access the centralized management system through the console access point 250, obtain an access credential of the console access point 250, search for communication path information from the second console 240 to the first console 210 after successful access authentication according to the access credential, and establish a synchronization session with the first console 210 through the communication path information; and periodically synchronize device information on the first console 210 through a synchronization session; wherein the device information includes device information of the target terminal 220.
In this embodiment of the present application, the centralized management system further includes a forwarding node 260, when the target terminal 220 needs to send information to the first console 210, the target terminal 220 sends the information to the target access point 230 first, then the target access point 230 sends the information to the forwarding node 260, and the forwarding node 260 forwards the information to the first console 210. Similarly, when the first console 210 needs to send information to the target terminal 220, the information is forwarded to the target terminal 220 by the forwarding node 260 and the target access point 230.
In the embodiment of the present application, when the second console 240 needs to send information to the first console 210, the information is forwarded to the first console 210 by the console access point 250 and the forwarding node 260; similarly, when the first console needs to send information to the second console 240, the information is forwarded to the second console 240 by the forwarding node 260 and the console access point 250.
For example, as shown in fig. 5, when the target terminal 220 sends information to the first console 210 and the target access point 230 is node 6, nodes 4 and 1 are the forwarding nodes 260; when the target access point 230 is node 7, nodes 5, 4 and 1 are the forwarding nodes 260. When the second console 240 sends information to the first console 210 and the console access point 250 is node 5, nodes 4 and 1 are the forwarding nodes 260; when the console access point 250 is node 8, nodes 5, 4 and 1 are the forwarding nodes 260.
In the embodiment of the application, the centralized management system comprises a plurality of consoles, and each console can automatically inquire other consoles capable of synchronizing data so that the equipment information stored by the console can be synchronized to the other consoles, thereby realizing timely switching to other consoles synchronized with the same equipment information when the console fails and realizing seamless switching of control over the target terminal 220.
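The session establishment with its hop-by-hop "is this message mine?" check, the legality check at the console, and the failover to a synchronized second console described above, run over the fig. 5 topology (node 6 -> 4 -> 1, nodes 7/8 -> 5 -> 4 -> 1), as an added Python simulation that is not part of the patent. The path label table, node and console names, message fields and the placement of the second console behind access point node 5 are assumptions; it also shows why the switch to the second console only succeeds when the timed device-information sync happened before the first console failed.

```python
from dataclasses import dataclass, field

# Constructed "preset path label mapping": the next hop each node uses toward a
# console, from the fig. 5 description (node 6 -> 4 -> 1 and node 7/8 -> 5 -> 4
# -> 1 toward the first console). Placing the second console behind access
# point node 5 is an assumption made for the failover case.
NEXT_HOP = {
    "console1": {"node6": "node4", "node7": "node5", "node8": "node5",
                 "node5": "node4", "node4": "node1", "node1": "console1"},
    "console2": {"node6": "node4", "node7": "node5", "node8": "node5",
                 "node1": "node4", "node4": "node5", "node5": "console2"},
}

def return_path(console, response_node):
    """Automatic addressing by the response node: follow labels up to the console."""
    hops = [response_node]
    while hops[-1] != console:
        nxt = NEXT_HOP[console].get(hops[-1])
        if nxt is None:
            raise ValueError(f"no path from {response_node} to {console}")
        hops.append(nxt)
    return hops[::-1]                       # console -> ... -> response node

def full_path(terminal, access_point, console):
    """Splice the target path (terminal -> AP) with the reversed return path."""
    return [terminal] + return_path(console, access_point)[::-1]

@dataclass
class Message:
    src: str
    dst: str
    path: list       # full path information carried with the message
    kind: str        # "session_request", "session_confirm" or "reject"
    pubkey: str      # public key information identifying the terminal

@dataclass
class Console:
    name: str
    devices: dict = field(default_factory=dict)   # background DB: pubkey -> info
    alive: bool = True

    def handle(self, msg):
        """Legality check: confirm only terminals registered in the database."""
        ok = msg.kind == "session_request" and msg.pubkey in self.devices
        kind = "session_confirm" if ok else "reject"
        return Message(self.name, msg.src, msg.path[::-1], kind, msg.pubkey)

    def sync_from(self, other):
        """Timed synchronization session: copy the other console's device info."""
        self.devices.update(other.devices)

def deliver(msg, consoles):
    """Hop-by-hop forwarding: each node checks whether the message is addressed
    to it and otherwise hands it on; returns (hops traversed, reply or None)."""
    hops = []
    for node in msg.path[1:]:
        hops.append(node)
        if node != msg.dst:
            continue                        # not mine: forward along the path
        console = consoles.get(node)
        return hops, (console.handle(msg) if console and console.alive else None)
    return hops, None

@dataclass
class Terminal:
    name: str
    pubkey: str
    access_point: str
    path: list = field(default_factory=list)

    def establish_session(self, consoles, path):
        """S109 (and S111 on failover): replace the stored full path information
        with `path`, request a session over it and keep it only if confirmed."""
        self.path = list(path)
        req = Message(self.name, path[-1], self.path, "session_request", self.pubkey)
        _, reply = deliver(req, consoles)
        return reply is not None and reply.kind == "session_confirm"

def run_scenario(synced):
    """Constructed walk-through: registered T1 and unregistered T9 behind node
    6, then first-console failure; `synced` says whether the second console
    finished its timed sync before the failure."""
    c1 = Console("console1", {"pk-T1": {"name": "T1", "ap": "node6"}})
    c2 = Console("console2")
    consoles = {"console1": c1, "console2": c2}
    t1 = Terminal("T1", "pk-T1", "node6")
    t9 = Terminal("T9", "pk-unknown", "node6")
    out = {"t1": t1.establish_session(consoles, full_path("T1", "node6", "console1")),
           "t9": t9.establish_session(consoles, full_path("T9", "node6", "console1")),
           "path1": list(t1.path)}
    if synced:
        c2.sync_from(c1)                    # regular sync while console1 is up
    c1.alive = False                        # first console fails
    out["retry_c1"] = t1.establish_session(consoles, out["path1"])
    # S110/S111: console2 sends the control path; T1 replaces its full path
    out["switched"] = t1.establish_session(consoles, full_path("T1", "node6", "console2"))
    out["path2"] = list(t1.path)
    return out
```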
In the embodiment of the application, the centralized management system realizes terminal management through multi-source deployment of centralized management, identity hiding and spontaneous path addressing. Multi-source deployment links management and control centers at different positions, in different areas and with different identities, combining centralized management and control with secure operation and maintenance. Public key information serves as the unique identity of device data, forwarding processing and the management and control center and, combined with adaptive path addressing and tunnel forwarding technology, realizes service hiding. A unified application interface layer provides access and control for different devices and terminals, making fused management and control possible.
Therefore, the centralized management system described in fig. 3 can be implemented to realize management control on the terminal, and gateway equipment is not needed, so that the exposure of the actual positions and the IP of the terminal and the management end is avoided, and the communication safety is ensured.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a terminal management device according to an embodiment of the present application. As shown in fig. 4, the terminal management apparatus includes:
an obtaining unit 310, configured to obtain an access credential of a target access point when the target terminal accesses the centralized management system;
a path determining unit 320, configured to determine, after the access authentication is successful according to the access credential, a return path from the first console to the target access point and a target path from the target terminal to the target access point according to a preset path label mapping relationship;
a path splicing unit 330, configured to splice the target path and the return path to obtain full path information from the target terminal to the first console;
a session establishment unit 340, configured to establish a communication session with the first console according to the full path information, so that the first console manages the target terminal through the communication session.
As an alternative embodiment, the acquisition unit 310 includes:
a first subunit 311, configured to obtain public key information of the target terminal when the target terminal accesses the centralized management system, and determine that the target terminal accesses a target access point of the centralized management system;
the second subunit 312 is configured to notify the first console to allocate an access credential of the target access point to the target terminal according to the public key information.
As an alternative embodiment, the path determining unit 320 includes:
a third subunit 321, configured to send a console path request command to the target access point after the access authentication is successful according to the access credential, and to receive response information fed back by the target access point for the console path request command;
a fourth subunit 322, configured to determine a response node from the target access point according to the response information;
a fifth subunit 323, configured to obtain a return path determined by the response node through automatic addressing according to the console path request command, the public key information and a preset path label mapping relationship, where the return path is a communication path from the first console to the response node, and to determine a target path from the target terminal to the response node.
As an alternative embodiment, the session establishment unit 340 includes:
a sixth subunit 341, configured to initiate a session establishment request to the first console according to the full path information;
a seventh subunit 342, configured to receive, when the first console detects that the target terminal is a legal terminal according to the session establishment request, session establishment confirmation information sent by the first console;
an eighth subunit 343 is configured to establish a communication session with the first console according to the session establishment confirmation information.
As an alternative embodiment, the terminal management device further includes:
a receiving unit 350, configured to receive control path information to be replaced, sent by the second console when the first console fails; the second console synchronizes the device information on the first console at regular intervals, the device information including the device information of the target terminal;
an establishing unit 360, configured to replace the full path information with the control path information, and establish a new communication session with the second console according to the control path information, so that the second console manages the target terminal through the new communication session.
Therefore, the terminal management device described in fig. 4 can realize terminal management control without gateway equipment, thereby being beneficial to avoiding exposing the actual positions and the IP of the terminal and the management end and ensuring the communication safety.
An embodiment of the present application provides an electronic device, including a memory and a processor, where the memory is configured to store a computer program, and the processor is configured to execute the computer program to cause the electronic device to execute any one of the terminal management methods in embodiment 1 or embodiment 2 of the present application.
An embodiment of the present application provides a computer readable storage medium storing computer program instructions that, when read and executed by a processor, perform the terminal management method of any one of embodiment 1 or embodiment 2 of the present application.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, of the flowcharts and block diagrams in the figures that illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Claims (8)
1. A terminal management method, comprising:
when a target terminal accesses the centralized management system, acquiring an access credential of a target access point;
after the access authentication is successful according to the access credentials, determining a return path from a first control console to the target access point and a target path from the target terminal to the target access point according to a preset path label mapping relation;
splicing the target path and the return path to obtain full path information from the target terminal to the first console;
establishing a communication session with the first console according to the full path information, so that the first console manages the target terminal through the communication session;
the obtaining the access credential of the target access point includes:
obtaining public key information of the target terminal, and determining a target access point of the target terminal accessed to the centralized management system;
notifying a first console to distribute an access credential of the target access point to the target terminal according to the public key information;
the determining, according to a preset path label mapping relationship, a return path from a first console to the target access point and a target path from the target terminal to the target access point includes:
sending a console path request command to the target access point;
receiving response information fed back by the target access point for the console path request command;
determining a response node from the target access point according to the response information;
acquiring a return path determined by the response node through automatic addressing according to the console path request command, the public key information and a preset path label mapping relation, wherein the return path is a communication path from the first console to the response node;
and determining a target path from the target terminal to the response node.
2. The terminal management method according to claim 1, wherein the establishing a communication session with the first console according to the full path information includes:
initiating a session establishment request to the first console according to the full path information;
when the first console detects, according to the session establishment request, that the target terminal is a legal terminal, receiving session establishment confirmation information sent by the first console;
and establishing a communication session with the first console according to the session establishment confirmation information.
3. The terminal management method according to claim 1, characterized in that the method further comprises:
when the first console fails, receiving control path information to be replaced, sent by a second console; the second console synchronizes the device information on the first console at regular intervals, wherein the device information comprises the device information of the target terminal;
and replacing the full path information with the control path information, and establishing a new communication session with the second console according to the control path information, so that the second console manages the target terminal through the new communication session.
4. A centralized management system, comprising a first console, a target terminal, and a target access point, wherein,
the target terminal is used for accessing the centralized management system from the target access point and acquiring an access credential of the target access point; and, after the access authentication is successful according to the access credential, determining a return path from the first console to the target access point and a target path from the target terminal to the target access point according to a preset path label mapping relation;
the target terminal is used for splicing the target path and the return path to obtain full path information from the target terminal to the first console, and establishing a communication session with the first console according to the full path information;
the first console is used for establishing the communication session with the target terminal and managing the target terminal through the communication session;
the target terminal is specifically configured to obtain public key information of the target terminal, determine the target access point through which the target terminal accesses the centralized management system, and notify the first console to distribute an access credential of the target access point to the target terminal according to the public key information;
the target terminal is specifically configured to send a console path request command to the target access point; receive response information fed back by the target access point for the console path request command; determine a response node from the target access point according to the response information; acquire a return path determined by the response node through automatic addressing according to the console path request command, the public key information and a preset path label mapping relation, wherein the return path is a communication path from the first console to the response node; and determine a target path from the target terminal to the response node.
5. The centralized management system of claim 4, further comprising a second console and a console access point, wherein,
the second console is used for accessing the centralized management system through the console access point, acquiring access credentials of the console access point, searching communication path information from the second console to the first console after successful access authentication according to the access credentials, and establishing a synchronous session with the first console through the communication path information; and synchronizing device information on the first console at regular time through the synchronization session; wherein the device information includes device information of the target terminal.
6. A terminal management device, characterized in that the terminal management device comprises:
an acquisition unit, used for acquiring an access credential of the target access point when the target terminal accesses the centralized management system;
a path determining unit, used for determining, after the access authentication is successful according to the access credential, a return path from the first console to the target access point and a target path from the target terminal to the target access point according to a preset path label mapping relation;
a path splicing unit, used for splicing the target path and the return path to obtain full path information from the target terminal to the first console;
a session establishment unit, configured to establish a communication session with the first console according to the full path information, so that the first console manages the target terminal through the communication session;
wherein the acquisition unit includes:
the first subunit is used for acquiring public key information of the target terminal when the target terminal is accessed to the centralized management system, and determining a target access point of the target terminal accessed to the centralized management system;
a second subunit, configured to notify the first console to allocate an access credential of the target access point to the target terminal according to the public key information;
wherein the path determination unit includes:
a third subunit, configured to send a console path request command to the target access point after the access authentication is successful according to the access credential, and to receive response information fed back by the target access point for the console path request command;
a fourth subunit, configured to determine a response node from the target access point according to the response information;
a fifth subunit, configured to obtain a return path determined by the response node through automatic addressing according to the console path request command, the public key information and a preset path label mapping relationship, where the return path is a communication path from the first console to the response node, and to determine a target path from the target terminal to the response node.
7. An electronic device comprising a memory for storing a computer program and a processor that runs the computer program to cause the electronic device to execute the terminal management method of any one of claims 1 to 3.
8. A readable storage medium, characterized in that the readable storage medium has stored therein computer program instructions, which when read and executed by a processor, perform the terminal management method of any of claims 1 to 3.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111406400.9A CN114125827B (en) | 2021-11-24 | 2021-11-24 | Terminal management method, device and centralized management system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114125827A CN114125827A (en) | 2022-03-01 |
CN114125827B true CN114125827B (en) | 2023-11-10 |
Family
ID=80372138
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114125827B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115189998B (en) * | 2022-07-11 | 2024-05-17 | 北京蔚领时代科技有限公司 | Method, system and equipment for maintaining server based on PaaS platform |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101505550A (en) * | 2008-02-04 | 2009-08-12 | 华为技术有限公司 | Method, terminal, apparatus and system for device management |
CN102457395A (en) * | 2010-10-26 | 2012-05-16 | 华为终端有限公司 | Method and equipment for managing terminal in equipment management system |
CN104113552A (en) * | 2014-07-28 | 2014-10-22 | 百度在线网络技术(北京)有限公司 | Platform authorization method, platform server side, application client side and system |
CN105635249A (en) * | 2015-12-18 | 2016-06-01 | 小米科技有限责任公司 | Session management method and apparatus |
KR20170041037A (en) * | 2015-10-06 | 2017-04-14 | 충북대학교 산학협력단 | Control and Management Server of Network System and Network Routing Method |
CN109218263A (en) * | 2017-07-04 | 2019-01-15 | 阿里巴巴集团控股有限公司 | A kind of control method and device |
CN109428751A (en) * | 2017-08-29 | 2019-03-05 | 中兴通讯股份有限公司 | A kind of method and device of SDN management network access equipment |
CN110933180A (en) * | 2019-12-10 | 2020-03-27 | 深信服科技股份有限公司 | Communication establishing method and device, load equipment and storage medium |
CN111737016A (en) * | 2020-08-17 | 2020-10-02 | 上海飞旗网络技术股份有限公司 | Service data processing method and device for cloud edge fusion system |
CN111885604A (en) * | 2020-06-28 | 2020-11-03 | 北京交通大学 | Authentication method, device and system based on heaven and earth integrated network |
CN112565225A (en) * | 2020-11-27 | 2021-03-26 | 北京百度网讯科技有限公司 | Method and device for data transmission, electronic equipment and readable storage medium |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9549317B2 (en) * | 2011-10-17 | 2017-01-17 | Mitel Mobility Inc. | Methods and apparatuses to provide secure communication between an untrusted wireless access network and a trusted controlled network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |