Disclosure of Invention
To address the low stability of security authentication of medical insurance terminals in the prior art, the invention provides a security authentication system and method for a medical insurance terminal. A terminal authentication gateway is constructed on OpenResty + Redis + Lua, and communication stability is improved by deploying one such gateway in each area; at the same time, the security authentication function is integrated into the gateway, which reduces the computational load on the medical insurance terminal management platform and therefore improves the stability of security authentication.
In order to achieve the purpose, the invention provides the following technical scheme:
a security authentication system for a medical insurance terminal comprises a terminal authentication gateway; the terminal authentication gateway collects the identity information of the medical insurance terminal, and after authentication succeeds the medical insurance terminal establishes a communication connection with the medical insurance terminal management platform and begins service interaction with the other service systems.
Preferably, the terminal authentication gateway communicates with the medical insurance terminal through a GRE tunnel.
Preferably, the terminal authentication gateway comprises an identity authentication unit, a communication unit and a storage unit; the identity authentication unit verifies and authenticates the identity information of the medical insurance terminal through the communication unit, and after the authentication is successful, the identity information of the medical insurance terminal is recorded into the storage unit as a white list.
Based on the system, the invention also provides a safety authentication method for the medical insurance terminal, which specifically comprises the following steps:
S1: constructing a terminal authentication gateway based on OpenResty + Redis + Lua;
S2: the terminal authentication gateway performs identity authentication on the medical insurance terminal; after authentication succeeds, the identity information of the medical insurance terminal is entered in a white list and the medical insurance terminal is activated;
S3: after the medical insurance terminal has been activated, it sends a service request to the terminal authentication gateway; the terminal authentication gateway checks whether the IP of the medical insurance terminal is in the white list and, if it is not, returns an insufficient-authority error to the medical insurance terminal; if the IP is in the white list and the request is for medical insurance terminal management, the request is forwarded to the medical insurance terminal management platform to establish the connection, otherwise the request is forwarded to the service system corresponding to the requested domain name.
Preferably, in S1, the method for constructing the terminal authentication gateway includes:
first, yum commands are used to install the database required by the OpenResty system, then the OpenResty system and the Redis cache database are installed, and then the Lua scripts and the OpenResty configuration file are installed, which completes the terminal authentication gateway; after it has been built, the connection state between the terminal authentication gateway and the identity authentication center is checked: if the connection succeeds the construction is complete, and if it does not, the network communication state and the working state of the identity authentication center are checked.
Preferably, the S2 includes:
S2-1: the terminal authentication gateway listens on port 8081 and receives the original-text request sent by the medical insurance terminal; on receiving it, the identity authentication unit returns the original-text data to the medical insurance terminal;
S2-2: the medical insurance terminal computes a signature over the original text and sends a Token request to the terminal authentication gateway; the terminal authentication gateway checks whether the Token request carries a signature; if not, the signature is obtained from the medical insurance terminal management platform; if it does, and the signature passes authentication by the identity authentication center, the medical insurance terminal state is obtained from the medical insurance terminal management platform and the terminal state and the Token value are returned to the medical insurance terminal;
S2-3: the medical insurance terminal sends a Token verification request to the terminal authentication gateway, which judges whether Token verification succeeds; if it succeeds, the IP of the medical insurance terminal is entered in the white list and written to the storage unit, a verification-success signal is returned to the medical insurance terminal, and the medical insurance terminal is activated; if Token verification fails, activation of the medical insurance terminal fails.
Preferably, the S3 includes:
S3-1: when the service request is an HTTP request, Lua code is added at the access_by_lua_block stage of the OpenResty system to judge whether the IP of the medical insurance terminal is in the white list; if it is not, an insufficient-authority error is returned to the medical insurance terminal; if the IP is in the white list and the request is for medical insurance terminal management, the request is forwarded to the medical insurance terminal management platform to establish a connection, otherwise it is forwarded to the service system corresponding to the requested domain name;
S3-2: when the service request is an HTTPS request, the ssl_preread function is enabled and Lua code is embedded at the preread_by_lua_block stage of the OpenResty system to judge the white list; if the IP is not in the white list, an insufficient-authority error is returned to the medical insurance terminal; if the IP is in the white list and the request is for medical insurance terminal management, the request is forwarded to the medical insurance terminal management platform to establish the connection, otherwise it is forwarded to the business system corresponding to the requested domain name.
In summary, due to the adoption of the technical scheme, compared with the prior art, the invention at least has the following beneficial effects:
the method and system construct a terminal authentication gateway based on OpenResty + Redis + Lua and deploy it in the access area of the medical insurance terminal management platform of each area, which solves the problem of unstable network communication; in addition, the terminal authentication gateway integrates the security authentication function, that is, security authentication is moved from the medical insurance terminal management platform to the terminal authentication gateway, which reduces the authentication load on the platform, reduces wasted computing resources and improves stability.
Detailed Description
The present invention will be described in further detail with reference to examples and embodiments. It should be understood that the scope of the above-described subject matter is not limited to the following examples, and any techniques implemented based on the disclosure of the present invention are within the scope of the present invention.
In the description of the present invention, it is to be understood that the terms "longitudinal", "lateral", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like, indicate orientations or positional relationships based on those shown in the drawings, and are used merely for convenience of description and for simplicity of description, and do not indicate or imply that the referenced devices or elements must have a particular orientation, be constructed in a particular orientation, and be operated, and thus, are not to be construed as limiting the present invention.
The technical scheme of the invention is that a terminal authentication gateway is deployed in a medical insurance core private network access area of each province, a communication operator is responsible for constructing a GRE tunnel to enable network requests of medical insurance terminals to pass through the terminal authentication gateway deployed in the area, the terminal authentication gateway performs security authentication on the network requests through an identity authentication (CA) gateway, and the network requests are allowed to be forwarded to a medical insurance terminal management platform after the security authentication is successful.
As shown in fig. 1, the present invention provides a security authentication system for a medical insurance terminal, which includes a medical insurance terminal, a terminal authentication gateway and a medical insurance terminal management platform;
the medical insurance terminal sends the identity information to the terminal authentication gateway through a GRE tunnel (point-to-point connection is realized, and the transmission speed and stability of signals are improved), and after the identity information authentication is successful, the medical insurance terminal and the medical insurance terminal management platform establish connection communication.
In this embodiment, the terminal authentication gateway includes an identity authentication unit, a communication unit, and a storage unit.
The identity authentication unit verifies and authenticates the identity of the medical insurance terminal through the communication unit, and after the identity authentication is successful, the identity information of the medical insurance terminal is used as a white list and is recorded into the storage unit.
As shown in fig. 2, the present invention provides a security authentication method for a medical insurance terminal, which specifically includes the following steps:
s1: constructing a terminal authentication gateway based on OpenResty + Redis + Lua:
first, a yum command is used to install the database required by the OpenResty device, then the OpenResty device and the Redis cache database are installed, and then the Lua scripts and the OpenResty configuration file are installed, which completes the terminal authentication gateway. After it has been built, the connection state between the terminal authentication gateway and the identity authentication center is checked: if the connection succeeds the construction is complete; if it does not, it is checked whether there is a problem with network communication and whether the identity authentication center has not been started.
S2: the terminal authentication gateway performs identity authentication on the medical insurance terminal; after authentication succeeds, the identity information of the medical insurance terminal is entered in the white list and the medical insurance terminal is activated.
In this embodiment, for the network requests that carry out the security authentication of the medical insurance terminal, the terminal authentication gateway does not perform white list verification; the parameters are assembled directly in the Lua script and the network request is forwarded to the identity authentication (CA) gateway. Once security authentication passes, the IP address of the terminal is written into the white list data structure in the Redis database, and at the same time the interface of the medical insurance terminal reports successful activation.
In this embodiment, the network request for the security authentication of the medical insurance terminal includes a request original text, a request Token, and a Token check.
S2-1: the terminal authentication gateway listens on port 8081 and receives the original-text request sent by the medical insurance terminal; on receiving it, the identity authentication unit returns the original-text data to the medical insurance terminal.
S2-2: the medical insurance terminal computes a signature over the original text and sends a Token request (containing the signature, the original text, the security certificate and so on) to the terminal authentication gateway. The terminal authentication gateway checks whether the Token request carries a signature; if not, the signature is obtained from the medical insurance terminal management platform; if it does, and authentication by the identity authentication center succeeds, the medical insurance terminal state (activated, inactivated, frozen or locked) is obtained from the medical insurance terminal management platform, and the terminal state and the Token value are then returned to the medical insurance terminal.
S2-3: the medical insurance terminal sends a Token verification request to the terminal authentication gateway, which judges whether Token verification succeeds. If it succeeds, the IP of the medical insurance terminal is entered in the white list and written to the storage unit, a verification-success signal is returned to the medical insurance terminal, and the medical insurance terminal is activated; if Token verification fails, activation of the medical insurance terminal fails and none of its service requests can succeed; the cause of the problem must be investigated and, once it is resolved, the machine is restarted and the activation process is carried out again.
In this embodiment, the Token value serves as a security token; it is at risk of interception and tampering in transit, so the Token value must be verified, and the IP of the medical insurance terminal is entered in the white list only if verification succeeds.
S3: after the medical insurance terminal has been activated, it sends a service request (HTTP, HTTPS, NTP or MQTT protocol) to the terminal authentication gateway; the terminal authentication gateway checks whether the IP of the medical insurance terminal is in the white list and, if it is not, returns an insufficient-authority error to the medical insurance terminal; if the IP is in the white list and the request is a medical insurance terminal management request, the request is forwarded to the medical insurance terminal management platform to establish the connection, and if it is not a medical insurance terminal management request, it is forwarded to the other business system corresponding to the requested domain name.
In this embodiment, if the medical insurance terminal sends a network request unrelated to services, for example an NTP protocol request for time synchronization, the terminal authentication gateway does not perform security authentication and forwards the request directly to the medical insurance terminal management platform.
In this embodiment, when the medical insurance terminal sends a service request, white list verification is added for HTTP requests and for HTTPS requests at different processing stages of OpenResty, so that the terminal is not made to perform identity verification too frequently; this reduces resource consumption and improves stability.
S3-1: when the service request is an HTTP request, Lua code is added at the access_by_lua_block stage of the OpenResty system. The Lua code first obtains a Redis connection from the Redis cache database connection pool to get a Redis operation instance, then uses that instance to judge whether the IP of the medical insurance terminal is stored in the white list (this avoids creating a Redis instance on every request, which would cause memory overflow); if the IP is not in the white list an error is returned, and if it is, the service request is forwarded to the medical insurance terminal management platform by a proxy_pass directive.
S3-2: when the service request is an HTTPS request, the ssl_preread function must be enabled and the TLS protocol version used must be v1.2 or above, because the target domain name has to be obtained and, if the TLS version is too low, the target domain name field is not provided and cannot be obtained. In addition, for the handling of HTTPS requests, the Lua code for white list control must be embedded at the preread_by_lua_block stage.
In this embodiment, because HTTPS communication is encrypted, the destination domain name of the request can only be obtained in the handshake phase, that is, the preread_by_lua_block phase; for an HTTPS request the access_by_lua_block phase is already inside the encrypted communication, so the destination domain name of the request cannot be obtained there.
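A worked sketch of the white list check described in S3-1, S3-2 and the paragraph above, written as an added example rather than code from the patent: one Lua module used from both the access_by_lua_block stage (HTTP) and the preread_by_lua_block stage (HTTPS), so the pooled Redis lookup is written once. It assumes OpenResty with lua-resty-redis, ngx_stream_ssl_preread_module and stream-lua-nginx-module (with ngx.var writable in the preread phase, and that phase running after ssl_preread has filled $ssl_preread_server_name); the Redis key, domain names and upstream addresses are placeholders.

```lua
-- Added example, not the patent's own code: Lua module for the OpenResty
-- gateway. Placeholders assumed: Redis at 127.0.0.1:6379, whitelist Set
-- "terminal:whitelist", management platform domain "mgmt.example.internal",
-- and `set $upstream "";` declared in both nginx servers. nginx.conf hooks:
--   http:   access_by_lua_block { require("gateway.whitelist").guard_http() }
--           proxy_pass http://$upstream;
--   stream: ssl_preread on;  preread_by_lua_block { require("gateway.whitelist").guard_stream() }
--           proxy_pass $upstream;
local redis = require "resty.redis"
local _M = {}

local REDIS_HOST, REDIS_PORT = "127.0.0.1", 6379
local WHITELIST_KEY = "terminal:whitelist"  -- filled by SADD after activation
local MGMT_HOST = "mgmt.example.internal"   -- placeholder
local MGMT_UPSTREAM = "10.0.0.10:8080"      -- placeholder
local DEFAULT_UPSTREAM = "10.0.0.20:8080"   -- placeholder

-- true if ip is in the Set, false if not, nil on Redis error (fail closed).
local function is_whitelisted(ip)
  local red = redis:new()
  red:set_timeout(1000)
  local ok, err = red:connect(REDIS_HOST, REDIS_PORT)
  if not ok then
    ngx.log(ngx.ERR, "redis connect failed: ", err)
    return nil
  end
  local res, qerr = red:sismember(WHITELIST_KEY, ip)
  -- Return the connection to the pool (100 idle, 10 s) instead of closing it.
  red:set_keepalive(10000, 100)
  if res == nil then
    ngx.log(ngx.ERR, "redis SISMEMBER failed: ", qerr)
    return nil
  end
  return res == 1
end

-- Management-platform traffic to the platform, all else to the named service.
local function pick_upstream(host)
  if host == MGMT_HOST then return MGMT_UPSTREAM end
  return DEFAULT_UPSTREAM
end

-- HTTP: Host header is already parsed; reject with 403 if not activated.
function _M.guard_http()
  if is_whitelisted(ngx.var.remote_addr) ~= true then
    return ngx.exit(ngx.HTTP_FORBIDDEN)   -- "insufficient authority"
  end
  ngx.var.upstream = pick_upstream(ngx.var.host)
end

-- HTTPS (stream): only the SNI from ssl_preread is visible; reject by closing.
function _M.guard_stream()
  if is_whitelisted(ngx.var.remote_addr) ~= true then
    return ngx.exit(ngx.ERROR)
  end
  ngx.var.upstream = pick_upstream(ngx.var.ssl_preread_server_name)
end

return _M
```

A Redis outage is treated the same as a missing entry, so a terminal is never forwarded on the strength of an unanswered lookup.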
According to the invention, the terminal authentication gateway is deployed directly in the access area of the medical insurance private network in each area, and GRE tunnel technology is used in the Internet of Things environment, so that the network connection is more stable and reliable, services such as activation authentication of the medical insurance terminal interface and face-scan settlement are more efficient, and problems such as unstable network connection and failed activation authentication do not occur. At the same time, a terminal authentication gateway is deployed in each area, which effectively relieves the concurrency pressure on the medical insurance terminal management platform and prevents computing resources from exceeding their threshold.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific examples for carrying out the invention, and that various changes in form and details may be made therein without departing from the spirit and scope of the invention in practice.