CN115396496A - Tenant cryptographic service session affinity method, system, medium and device in cloud environment - Google Patents


Info

Publication number
CN115396496A
Application number
CN202211322274.3A
Authority
CN (China)
Prior art keywords
service, password, cryptographic, cipher, micro
Legal status
Granted (active)
Other languages
Chinese (zh)
Other versions
CN115396496B (en)
Inventors
李宁
张大伟
Current assignee
Beijing Unita Information Technology Co ltd
Original assignee
Beijing Unita Information Technology Co ltd
Application filed by Beijing Unita Information Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004 Server selection for load balancing
    • H04L67/1023 Server selection for load balancing based on a hash applied to IP addresses or costs

Abstract

The invention discloses a tenant password service session affinity method, a system, a medium and equipment in a cloud environment, wherein the system comprises a password application SDK, a password service gateway, a password micro-service and server password machine; the server cipher machine and the cipher micro-service are in one-to-one binding relationship; and the password application SDK is in communication connection with the server cipher machine through the password service gateway and the password microservice in sequence. The invention relates the context of the cryptographic operation performed by the tenant by using the cryptographic service and the process of opening the session, and solves the problems that multiple requests of the cryptographic operation service for the same session are randomly scheduled and the load balance cannot be performed.

Description

Tenant password service session affinity method, system, medium and device in cloud environment
Technical Field
The invention relates to the technical field of key management, in particular to a tenant cryptographic service session affinity method, a system, a medium and equipment in a cloud environment.
Background
Cryptography is an important component of the cyberspace security system and is the 'gene' and key technology of the cyberspace security and trust mechanism. Building traditional password applications requires introducing a large number of password devices and password products of different types in order to interface with the various password application services. The direct consequences of this traditional building model are: the devices are deployed in a distributed way and are difficult to manage; integrating password applications is complex; password resources lack intensive use and scheduling; the model is not adapted to a cloud computing environment; the password service lacks quantification, the password application lacks supervision, and the requirements of compliance construction are difficult to meet.
In order to solve these problems, cloud password service technology has been promoted: various password devices are integrated, and password services that are managed in a unified way and are convenient to use are provided to users through a flexible multi-mode service aggregation capability.
In a cloud password service scenario the traditional password device mode is no longer applicable, because the user of the password device changes from a device owner to a service renter, and multi-tenant requirements such as isolation, authentication and current limiting need to be met. Therefore the industry standard GMT 0104-2021 'Cloud server cipher machine technical specification' recommends using the http protocol to provide the service, and the invention also uses http as the transmission protocol.
In a cloud password service scenario, service resources can be provided to a plurality of tenants; the tenants pay to purchase one or more service resources and build password applications on top of them. When most applications use a password service, the operation is not completed in one step but in several steps such as opening a session, executing operations and closing the session. These steps have a context association, so the server providing the password operations for the same context must always be the same one; otherwise the context state must be synchronized among several servers, the wait for server synchronization takes too long, and performance is seriously affected in a high-concurrency scenario. Another idea is to use a session affinity mechanism to ensure that the back-end resource providing the service is the same whenever the same context is used. At the same time, the performance of service resources in a cloud password service scenario is not balanced: because the performance of password devices differs greatly, a method or system is needed that achieves both session affinity and weighted load balancing in order to make full use of the password device resources.
Disclosure of Invention
Therefore, the technical problem to be solved by the present invention is to provide a method, a system, a medium, and a device for tenant cryptographic service session affinity in a cloud environment, in which a context for a tenant to use a cryptographic service to perform cryptographic operation and a process for opening a session are associated, thereby solving the problems that multiple requests of the cryptographic operation service for the same session are randomly scheduled and load balancing cannot be performed.
In order to solve the technical problems, the invention provides the following technical scheme:
the tenant password service affinity method in the cloud environment comprises the following steps:
S1) importing, through the password service gateway, the address information of the password micro-service unit P_i, and setting the weight Q_i of the password micro-service unit P_i, where i = 0,1,2,3,…n;
S2) the password service gateway receives a get-cookie request from the password application SDK_m and initiates weight polling among the password micro-service units P_i at random according to the size of the weight Q_i, where m is an integer greater than zero; a password micro-service unit with a larger weight Q_i has a higher probability of obtaining the weight polling and one with a smaller weight Q_i has a lower probability, i.e. the password micro-service unit with the larger weight Q_i has a high probability of preferentially obtaining the weight polling;
S3) upon receiving the weight polling of the password service gateway, the password micro-service unit P_i first generates information containing its address information and a timestamp, then generates a corresponding cookie from this information, and feeds the cookie back to the password service gateway; the cookie contains the address information and the timestamp, and the timestamp is the point in time at which the polled password micro-service unit P_i responds;
S4) the password service gateway returns the cookie to the password application SDK_m;
S5) the password application SDK_m sends a password service request carrying the cookie to the password service gateway; the password service gateway parses the cookie to obtain the address information and then initiates the password service call through the password micro-service unit P_i, and the server cipher machine provides the password service for the password application SDK_m; the server cipher machine corresponds one-to-one with the password micro-service unit P_i.
In the tenant password service affinity method in the cloud environment, in step S5), the number of password service requests sent by the password application SDK_m to the password service gateway at the same time is greater than or equal to 1; when the number of password service requests sent at the same time is greater than 1, each password service request carries a unique cookie.
In the tenant password service affinity method in the cloud environment, before a password service call session is initiated, the password application SDK_m retrieves the cookie once again.
In the tenant password service affinity method in the cloud environment, step S5) specifically comprises:
S5-1) the password application SDK_m sends a request to open a password service call session, carrying the cookie, to the password service gateway;
S5-2) the password service gateway parses the cookie to obtain the address information and forwards the request to open the password service call session to the password micro-service unit P_i corresponding to the address information;
S5-3) the password micro-service unit P_i responds to the request to open the password service call session; when the password service call session is allowed to be opened, the password micro-service unit P_i opens a password service session between itself and the server cipher machine;
S5-4) after obtaining the response of the password micro-service unit P_i allowing the password service call session to be opened, the password application SDK_m sends a password operation request carrying the cookie to the password service gateway to call the password service;
S5-5) the password service gateway parses the cookie to obtain the address information and forwards the password operation request to the password micro-service unit P_i corresponding to the address information;
S5-6) the password micro-service unit P_i converts the http or https request in the password operation request into a custom protocol and initiates a password operation request to the server cipher machine;
S5-7) after receiving the password operation request, the server cipher machine performs the password operation and returns the operation result to the password micro-service unit P_i, and the password micro-service unit P_i returns the operation result to the password application SDK_m through the password service gateway.
In the tenant password service affinity method in the cloud environment, in step S5-3), when the password service call session is allowed to be opened, the cookie is bound one-to-one with the handle of the password service call session, and the cookie and the handle of the password service call session are used in password operation requests.
In the tenant password service affinity method in the cloud environment, when the password operation service is called, the cookie and the handle of the password service call session are used to confirm and distinguish the issuer calling the password operation service.
Tenant cipher service session affinity system in cloud environment, including:
the password application SDK is used for providing a dynamic function library example for a cloud password service manufacturer and is responsible for converting input parameters into http or https calls for password services;
the password service gateway is a general entrance of the cloud password service and is responsible for processing transmission flow, wherein the processing comprises authentication, current limiting and load balancing;
the password microservice is used for providing a service instance of http or https operation and is responsible for converting parameters in an http or https request into parameters required by a server password machine standard function interface library;
the server cipher machine is the cipher module that actually performs the cipher operations and is responsible for providing hardware-level cipher operation capability for the cloud cipher service; the server cipher machine and the cipher micro-service are in a one-to-one binding relationship;
and the password application SDK is in communication connection with the server cipher machine through the password service gateway and the password micro-service in sequence.
A computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the tenant cryptographic service affinity method in a cloud environment described above.
The computer device comprises a readable storage medium, a processor and a computer program which is stored on the readable storage medium and can run on the processor, and when the computer program is executed by the processor, the computer program realizes the tenant cryptographic service affinity method in the cloud environment.
The technical scheme of the invention achieves the following beneficial technical effects:
1. supporting a specified service weight;
2. the performance is extremely high: the traditional cookie scheme uses a consistent hash algorithm to determine the back-end service, which requires a digest operation on the cookie followed by a selection by the hash algorithm, whereas here the IP address is parsed directly from the cookie, so performance is obviously improved;
3. when the service instance is newly added, part of normally operated services can be loaded on the new service instance to cause service errors.
Drawings
FIG. 1 is a working schematic diagram of a tenant cryptographic service session affinity system in a cloud environment according to the present invention;
FIG. 2 is a flow diagram of a cryptographic service call using a tenant cryptographic service session affinity system in a cloud environment;
FIG. 3 is a flow chart of cookie retrieval in the present invention;
FIG. 4 is a flow chart of the use of the get cookie of FIG. 3;
FIG. 5 is a flow chart of a cryptographic service based on a session affinity method of a tenant cryptographic service in a cloud environment;
FIG. 6 is another flow chart of a cryptographic service based on a session affinity method of a tenant cryptographic service in a cloud environment;
FIG. 7 is a schematic diagram of a tenant application invoking a cryptographic service logic interface;
fig. 8 is a schematic diagram of a computer device capable of performing session affinity processing of tenant cryptographic services in a cloud environment according to the present invention.
Detailed Description
The present invention is further described below with reference to examples.
As shown in fig. 1, the tenant cryptographic service session affinity system in the cloud environment includes a cryptographic application SDK, a cryptographic service gateway, a cryptographic micro-service and a server cryptographic engine, the cryptographic application SDK is in communication connection with the server cryptographic engine sequentially through the cryptographic service gateway and the cryptographic micro-service, and the server cryptographic engine and the cryptographic micro-service are in a one-to-one binding relationship. In the actual application process, the server cryptographic machine can be replaced by other cryptographic devices, such as a signature verification server, a timestamp server, a virtual server cryptographic machine and the like.
The password application SDK is a dynamic function library instance provided by the cloud password service manufacturer and is responsible for converting input parameters into http or https calls to the password service; the cloud password service gateway is the main entrance of the cloud password service and is responsible for processing the transmission flow, where the processing comprises authentication, flow limiting and load balancing; the password micro-service provides a service instance for http or https operations and is responsible for converting the parameters in an http or https request into the parameters required by the server cipher machine standard function interface library; and the server cipher machine is the cipher module that actually performs the cipher operations and is responsible for providing hardware-level cipher operation capability for the cloud cipher service. In fig. 1, arrow 1 indicates a service call of the password application SDK1, and arrow 2 indicates a service call of the password application SDK2.
As shown in fig. 2, when the cryptographic application SDK calls the cryptographic service, the present invention first obtains the cookie, opens the cryptographic service call session, then executes the cryptographic operation by the server cryptographic engine and returns the operation result, and then closes the cryptographic service call session. Fig. 2 shows only two threads, and in the case of a plurality of threads, the processing flow of the cryptographic application SDK is completely the same as that of the two threads.
As shown in fig. 3 and 4, the cryptographic application SDK obtains a cookie containing an IP address of a device providing cryptographic service or a proxy device and uses the cookie to complete cryptographic service invocation in a cryptographic service invocation process, thereby implementing cryptographic service session affinity, and the specific steps are as follows:
S1) importing, through the password service gateway, the address information of the password micro-service unit P_i, and setting the weight Q_i of the password micro-service unit P_i, where i = 0,1,2,3,…n; the password micro-service unit P_i denotes the i-th of the n password micro-service units;
S2) the password service gateway receives a get-cookie request from the password application SDK_m and initiates weight polling among the password micro-service units P_i at random according to the size of the weight Q_i, where m is an integer greater than zero;
S3) upon receiving the weight polling of the password service gateway, the password micro-service unit P_i first generates information containing its address information and a timestamp, then generates a corresponding cookie from this information, and feeds the cookie back to the password service gateway; the cookie contains the address information and the timestamp, and the timestamp is the point in time at which the polled password micro-service unit P_i responds;
S4) the password service gateway returns the cookie to the password application SDK_m;
S5) the password application SDK_m sends a password service request carrying the cookie to the password service gateway; the password service gateway parses the cookie to obtain the address information and then initiates the password service call through the password micro-service unit P_i, and the server cipher machine provides the password service for the password application SDK_m; the server cipher machine corresponds one-to-one with the password micro-service unit P_i. The specific operation of the password application SDK_m calling the password service comprises the following steps:
S5-1) the password application SDK_m sends a request to open a password service call session, carrying the cookie, to the password service gateway;
S5-2) the password service gateway parses the cookie to obtain the address information and forwards the request to open the password service call session to the password micro-service unit P_i corresponding to the address information;
S5-3) the password micro-service unit P_i responds to the request to open the password service call session; when the password service call session is allowed to be opened, the password micro-service unit P_i opens a password service session between itself and the server cipher machine, and the cookie is bound one-to-one with the handle of the password service call session; the cookie and the handle of the password service call session are used in password operation requests;
S5-4) after obtaining the response of the password micro-service unit P_i allowing the password service call session to be opened, the password application SDK_m sends a password operation request carrying the cookie to the password service gateway to call the password service;
S5-5) the password service gateway parses the cookie to obtain the address information and forwards the password operation request to the password micro-service unit P_i corresponding to the address information;
S5-6) the password micro-service unit P_i converts the http or https request in the password operation request into a custom protocol and initiates a password operation request to the server cipher machine;
S5-7) after receiving the password operation request, the server cipher machine performs the password operation and returns the operation result to the password micro-service unit P_i, and the password micro-service unit P_i returns the operation result to the password application SDK_m through the password service gateway. When the password operation service is called, the cookie and the handle of the password service call session are used to confirm and distinguish the issuer calling the password operation service.
In this embodiment, in step S5), the number of password service requests sent by the password application SDK_m to the password service gateway at the same time is greater than or equal to 1; when the number of password service requests sent at the same time is greater than 1, each password service request carries a unique cookie. Each time before initiating a password service call session, the password application SDK_m retrieves the cookie once again. In one password service call session, multiple password service requests can be initiated, and the password service requests initiated in the same password service call session use the same cookie. Fig. 5 and fig. 6 show the whole process of the password application SDK calling the password service in the present invention, where the process in fig. 5 uses a password micro-service unit for protocol conversion and the process in fig. 6 uses a protocol conversion server for protocol conversion. As can be seen from the combination of the two flowcharts in fig. 5 and fig. 6, the load is assigned to a server cipher machine at the moment the cookie is obtained, and the subsequent session opening and password operations are all carried out on that same server cipher machine, so the effect of session affinity is realized; moreover, the probability of being assigned to a given server cipher machine when the cookie is obtained can be specified on demand, the probability that weight polling selects a given server cipher machine being:
(probability formula shown as an image in the original; not recoverable from this page)
thus a session affinity to which a weight can be assigned is achieved.
In the invention, the cookie is bound one-to-one with the handle of a password service call session, so each password service call session can have a cookie of its own; thus, even if only one password application SDK is used, the effect of load balancing can be achieved.
For example, fig. 7 shows a tenant application calling a certain cryptographic service logical interface on a certain public cloud, where the cryptographic application SDK uses the cryptographic service, there are two cryptographic micro-service units in total, and the administrator sets the weight Q_1 of cryptographic micro-service unit P_1 to 6 and the weight Q_2 of cryptographic micro-service unit P_2 to 4.
When the password application SDK calls the password service, 5 password service call sessions are needed, 5 cookies are obtained first, a weight polling strategy is adopted to poll two password micro-service units when the cookies are obtained, the cookies are generated by the polled password micro-service units according to rules, and five cookies are shown in a table 1.
TABLE 1 Cookies generated by the polled cryptographic micro-service units (shown as an image in the original; the assignment of each cookie to its generating unit is given in the text below)
Among them, cookie_1, cookie_3 and cookie_4 are generated by cryptographic micro-service unit P_1, and cookie_2 and cookie_5 are generated by cryptographic micro-service unit P_2. The reason that cryptographic micro-service unit P_1 generates more cookies is that its weight is relatively high. If the total number of cookies generated by the two cryptographic micro-service units is large enough, the ratio of the numbers of cookies generated by the two units approaches 6:4.
After obtaining the cookies, the cryptographic application SDK opens 5 cryptographic service call sessions. When the cryptographic service call sessions are opened, one cookie is carried in each cryptographic service call request, and the cookie in each request is different from the cookies in the other requests; after the cryptographic service call sessions are opened, the handle of each cryptographic service call session and the cookie used by that session are bound one-to-one. The SDK uses the handle of the cryptographic service call session in all cryptographic service requests within that session, and both the handle of the cryptographic service call session and the cookie used by that session must be carried in the cryptographic service call requests. In the cloud environment the number of sessions is huge, so the load of performing cryptographic operations per session can be considered to be the same; in the above example the load ratio of the cryptographic operations can therefore be considered to be 6:4.
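The scheme of steps S1 to S5 above, simulated end to end as an added Python example (not code from the patent or its assignee): a gateway registers two micro-service units with the weights of the worked example (Q_1 = 6, Q_2 = 4), answers get-cookie requests by weighted random polling, routes later requests by reading the address straight out of the cookie, and binds each session handle one-to-one with the cookie used to open it. Assumptions not stated in the patent: the cookie layout is the plain text "ip|timestamp"; the selection probability of unit i is Q_i divided by the sum of all weights; the IP addresses and the handle format are placeholders; and the check that a cookie's address is one registered in step S1 is an added safeguard, since the cookie is supplied by the client.

```python
"""Simulation of the cookie-based session affinity scheme (steps S1-S5)."""
import random
import time
from dataclasses import dataclass, field

# Constructed sample data: two password micro-service units with the weights
# used in the patent's worked example (Q1 = 6, Q2 = 4). The IP addresses are
# placeholders, not values from the patent.
SAMPLE_UNITS = {"10.0.0.1": 6, "10.0.0.2": 4}   # ip of P_i -> weight Q_i


def make_cookie(ip, timestamp_ns):
    """Step S3: the polled unit builds a cookie from its address and a timestamp.
    The patent does not specify the cookie layout; 'ip|timestamp' is assumed."""
    return f"{ip}|{timestamp_ns}"


def parse_cookie(cookie):
    """Step S5: the gateway reads the address straight out of the cookie
    (no digest or consistent hashing is needed)."""
    ip, _, ts = cookie.partition("|")
    if not ip or not ts.isdigit():
        raise ValueError("malformed cookie")
    return ip, int(ts)


def expected_share(units):
    """Assumed selection probability for unit i: Q_i / sum of all Q_j."""
    total = sum(units.values())
    return {ip: q / total for ip, q in units.items()}


@dataclass
class Gateway:
    """Password service gateway: registers units (S1), performs weighted
    polling for get-cookie requests (S2-S4) and routes by cookie (S5)."""
    units: dict                                   # ip -> weight Q_i
    rng: random.Random = field(default_factory=random.Random)
    sessions: dict = field(default_factory=dict)  # session handle -> cookie

    def weighted_poll(self):
        ips = list(self.units)
        return self.rng.choices(ips, weights=[self.units[ip] for ip in ips])[0]

    def get_cookie(self):
        """S2-S4: pick a unit by weight; it answers with a cookie naming itself."""
        ip = self.weighted_poll()
        return make_cookie(ip, time.time_ns())

    def route(self, cookie):
        """S5-2 / S5-5: resolve the cookie to a unit. The membership check is
        an added safeguard: the cookie comes from the client, so only addresses
        registered in S1 may be used as a forwarding target."""
        ip, _ = parse_cookie(cookie)
        if ip not in self.units:
            raise ValueError(f"cookie names unregistered unit {ip}")
        return ip

    def open_session(self, cookie):
        """S5-1..S5-3: open a session on the unit named by the cookie and bind
        the new handle one-to-one with that cookie."""
        ip = self.route(cookie)
        handle = f"sess-{len(self.sessions) + 1}"   # hypothetical handle format
        self.sessions[handle] = cookie
        return handle, ip

    def operate(self, handle, cookie):
        """S5-4..S5-7: a request must carry both handle and cookie, and they
        must be the pair bound at session open; returns the serving unit."""
        if self.sessions.get(handle) != cookie:
            raise PermissionError("handle is not bound to this cookie")
        return self.route(cookie)


def simulate_cookie_distribution(units, n_cookies, seed=0):
    """Issue n_cookies get-cookie requests and count which unit answered each;
    over many cookies the counts approach the weight ratio (6:4 here)."""
    gw = Gateway(units, rng=random.Random(seed))
    counts = {ip: 0 for ip in units}
    for _ in range(n_cookies):
        ip, _ = parse_cookie(gw.get_cookie())
        counts[ip] += 1
    return counts


if __name__ == "__main__":
    gw = Gateway(SAMPLE_UNITS, rng=random.Random(1))
    c1 = gw.get_cookie()
    h1, ip1 = gw.open_session(c1)
    print("session", h1, "pinned to", ip1, "->", gw.operate(h1, c1))
    print("10000 cookies:", simulate_cookie_distribution(SAMPLE_UNITS, 10000))
```

Two points the simulation makes visible: routing costs only a string split, which is the performance argument of beneficial effect 2, and the handle-to-cookie binding means a request whose handle and cookie do not match is refused rather than forwarded, which is how the issuer of an operation is confirmed and distinguished.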
Based on the above tenant cryptographic service session affinity method in the cloud environment, this example correspondingly further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the following steps: obtaining a cookie containing the IP address information of a cryptographic micro-service unit and the time information of the cookie request; calling the cryptographic service with the cookie and performing the cryptographic operation; when the cryptographic service is called, parsing the cookie to obtain the IP address information it contains and sending the request to call the cryptographic service to the cryptographic micro-service unit having that IP address information; the cryptographic micro-service unit then calls the server cipher machine to complete the cryptographic operation and returns the cryptographic operation result to the cryptographic application SDK.
As shown in fig. 8, based on the tenant cryptographic service session affinity method in the cloud environment and the computer-readable storage medium, this embodiment further provides a computer device comprising a readable storage medium, a processor, and a computer program stored on the readable storage medium and executable on the processor, where the readable storage medium and the processor are both connected to a bus, and the processor executes the computer program to implement the following steps: obtaining a cookie containing the IP address information of a cryptographic micro-service unit and the time information of the cookie request; calling the cryptographic service with the cookie and performing the cryptographic operation; when the cryptographic service is called, parsing the cookie to obtain the IP address information it contains and sending the request to call the cryptographic service to the cryptographic micro-service unit having that IP address information; the cryptographic micro-service unit then calls the server cipher machine to complete the cryptographic operation and returns the cryptographic operation result to the cryptographic application SDK.
It should be understood that the above examples are only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. This need not be, and cannot be, an exhaustive list of all embodiments; obvious variations or modifications derived from them remain within the scope of the appended claims.

Claims (9)

1. A tenant cryptographic service affinity method in a cloud environment, characterized by comprising the following steps:
S1) importing, through the cryptographic service gateway, the address information of each cryptographic micro-service unit and setting the weight of each cryptographic micro-service unit, wherein the unit index takes the values 0,1,2,3,…n;
S2) on receiving a cookie-acquisition request from cryptographic application SDK m, the cryptographic service gateway initiates weighted polling to the cryptographic micro-service units, choosing randomly according to the magnitude of the weights; m is an integer greater than zero;
S3) on receiving the weighted polling of the cryptographic service gateway, the polled cryptographic micro-service unit first generates information consisting of its address information and a time stamp, then generates the corresponding cookie from that information and feeds the cookie back to the cryptographic service gateway, wherein the cookie contains the address information and the time stamp, and the time stamp is the point in time at which the polled cryptographic micro-service unit made its response;
S4) the cryptographic service gateway returns the cookie to cryptographic application SDK m;
S5) cryptographic application SDK m sends a cryptographic service request carrying the cookie to the cryptographic service gateway; the cryptographic service gateway parses the cookie to obtain the address information and then initiates the cryptographic service call through the cryptographic micro-service unit at that address, and the server cipher machine provides the cryptographic service for cryptographic application SDK m; wherein the server cipher machines correspond one-to-one with the cryptographic micro-service units.
2. The tenant cryptographic service affinity method in a cloud environment according to claim 1, wherein in step S5) the number of cryptographic service requests sent simultaneously by cryptographic application SDK m to the cryptographic service gateway is greater than or equal to 1; when more than one cryptographic service request is sent simultaneously, each cryptographic service request carries a unique cookie.
3. The tenant cryptographic service affinity method in a cloud environment according to claim 1, wherein before each cryptographic service call session is initiated, cryptographic application SDK m re-acquires the cookie once.
4. The tenant cryptographic service affinity method in a cloud environment according to claim 1, wherein step S5) specifically comprises:
S5-1) cryptographic application SDK m sends to the cryptographic service gateway a request, carrying the cookie, to open a cryptographic service call session;
S5-2) the cryptographic service gateway parses the cookie to obtain the address information and forwards the request to open the cryptographic service call session to the cryptographic micro-service unit corresponding to that address information;
S5-3) the cryptographic micro-service unit responds to the request to open the cryptographic service call session and opens a cryptographic service session between itself and the server cipher machine;
S5-4) after obtaining the response of the cryptographic micro-service unit permitting the cryptographic service call session to be opened, cryptographic application SDK m sends to the cryptographic service gateway a cryptographic operation request carrying the cookie;
S5-5) the cryptographic service gateway parses the cookie to obtain the address information and forwards the cryptographic operation request to the cryptographic micro-service unit corresponding to that address information;
S5-6) the cryptographic micro-service unit converts the http or https request in the cryptographic operation request into a custom protocol and sends it to the server cipher machine, initiating a cryptographic operation request;
S5-7) after receiving the cryptographic operation request, the server cipher machine performs the cryptographic operation and returns the operation result to the cryptographic micro-service unit, which returns the operation result to cryptographic application SDK m through the cryptographic service gateway.
5. The tenant cryptographic service affinity method in a cloud environment according to claim 4, wherein in step S5-3), when the cryptographic service call session is permitted to be opened, the cookie is further bound one-to-one with the handle of the cryptographic service call session, and in cryptographic operation requests the cookie is used as the handle of the cryptographic service call session.
6. The tenant cryptographic service affinity method in a cloud environment according to claim 4 or 5, wherein the cryptographic operation service is called using the cookie as the handle of the cryptographic service call session.
7. A tenant cryptographic service session affinity system in a cloud environment, characterized by comprising:
the cryptographic application SDK, which provides a dynamic function library instance for the cloud cryptographic service vendor and is responsible for converting input parameters into http or https calls to the cryptographic service;
the cloud cryptographic service gateway, which is the main entry point of the cloud cryptographic service and is responsible for processing the transmitted traffic, the processing including authentication, rate limiting and load balancing;
the cryptographic micro-service, which provides a service instance for http or https operations and is responsible for converting the parameters of an http or https request into the parameters required by the standard function interface library of the server cipher machine;
the server cipher machine, which is the cryptographic module that actually performs the cryptographic operations and is responsible for providing hardware-level computing capability for the cloud cryptographic service; the server cipher machine and the cryptographic micro-service are in a one-to-one binding relationship;
and the cryptographic application SDK is communicatively connected to the server cipher machine through the cryptographic service gateway and the cryptographic micro-service in sequence.
8. A computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the tenant cryptographic service affinity method in a cloud environment of any one of claims 1 to 6.
9. A computer device comprising a readable storage medium, a processor and a computer program stored on the readable storage medium and executable on the processor, wherein the computer program, when executed by the processor, implements the tenant cryptographic service affinity method in a cloud environment of any one of claims 1 to 6.
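The gateway side of steps S1 to S5 (weighted polling, a cookie carrying the unit's address and a time stamp, and routing by parsing that cookie), as an added example that is not code from the patent or its assignee. The cookie layout, the unit addresses and weights are constructed; the HMAC tag and the registry lookup in `route` are additions the claims do not specify, included because the gateway forwards to whatever address the cookie names, so a client-supplied cookie must not be able to steer it to an address the gateway never imported.

```python
import base64, hashlib, hmac, json, random

# Constructed registry (step S1 of the claims): unit address information -> weight.
UNITS = {"10.0.0.11": 3, "10.0.0.12": 1}
SECRET = b"constructed-gateway-secret"  # assumption: the patent specifies no cookie key

def encode_cookie(info, secret):
    # Assumed cookie layout: urlsafe-base64(JSON info) "." HMAC-SHA256 tag.
    body = base64.urlsafe_b64encode(json.dumps(info, sort_keys=True).encode()).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def decode_cookie(cookie, secret):
    # Returns the info dict, or None when the cookie is malformed or its tag is wrong.
    body, sep, tag = cookie.rpartition(".")
    if not sep or not body:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(base64.urlsafe_b64decode(body)) if hmac.compare_digest(tag, expected) else None

class CryptoServiceGateway:
    def __init__(self, units, secret, seed=None):
        self.units, self.secret, self.rng = dict(units), secret, random.Random(seed)

    def poll_unit(self):
        # Step S2: weighted random choice among the registered micro-service units.
        addrs = list(self.units)
        return self.rng.choices(addrs, weights=[self.units[a] for a in addrs])[0]

    def poll_counts(self, n):
        # Selection counts over n polls, to check that the weights are honoured.
        counts = {a: 0 for a in self.units}
        for _ in range(n):
            counts[self.poll_unit()] += 1
        return counts

    def issue_cookie(self, now):
        # Steps S3-S4: the polled unit answers with its address and the response
        # timestamp; the gateway hands that back to the SDK as the cookie.
        return encode_cookie({"addr": self.poll_unit(), "ts": int(now)}, self.secret)

    def route(self, cookie):
        # Step S5: parse the cookie, pick the unit to forward to; returns (address, "ok") or
        # (None, reason).  Tag check stops client rewrites; registry check confines targets to S1.
        info = decode_cookie(cookie, self.secret)
        if info is None:
            return None, "cookie integrity check failed"
        if info.get("addr") not in self.units:
            return None, "unregistered unit address"
        return info["addr"], "ok"
```

With the rejection reasons returned rather than only logged, the gateway can count tampered or unregistered cookies per tenant, which is the signal to alert on.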

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211322274.3A CN115396496B (en) 2022-10-27 2022-10-27 Tenant password service session affinity method, system, medium and device in cloud environment

Publications (2)

Publication Number Publication Date
CN115396496A true CN115396496A (en) 2022-11-25
CN115396496B CN115396496B (en) 2023-01-17

Family

ID=84127606

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211322274.3A Active CN115396496B (en) 2022-10-27 2022-10-27 Tenant password service session affinity method, system, medium and device in cloud environment

Country Status (1)

Country Link
CN (1) CN115396496B (en)

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant