CN117811833B - Unified network crypto-engine management system and method based on publishing and subscribing mode - Google Patents

Info

Publication number
CN117811833B
Authority
CN
China
Prior art keywords
network
management system
unified management
message
topic
Prior art date
Legal status
Active
Application number
CN202410199531.1A
Other languages
Chinese (zh)
Other versions
CN117811833A (en)
Inventor
李岩
苏云学
李鑫
王荣欣
Current Assignee
Shanghai Huayi Microelectronic Material Co Ltd
Original Assignee
Shanghai Huayi Microelectronic Material Co Ltd
Priority date
Filing date
Publication date
Application filed by Shanghai Huayi Microelectronic Material Co Ltd
Priority to CN202410199531.1A
Publication of CN117811833A
Application granted
Publication of CN117811833B
Legal status: Active (current)
Anticipated expiration

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a unified management system and method for network cryptographic machines based on the publish-subscribe mode, in the technical field of network security management. It addresses the limited connection capacity, high latency and similar problems that arise when large-scale or even massive numbers of network cryptographic machines are managed centrally under the high-concurrency processing architecture of the traditional server/client network, and thereby meets the requirement of unified management of massive numbers of network cryptographic machines.

Description

Unified network crypto-engine management system and method based on publishing and subscribing mode
Technical Field
The invention relates to the field of network security management, in particular to a unified management system and method for network cryptographic machines based on the publish-subscribe mode.
Background
Conventional unified management systems for network cryptographic machines mostly adopt the high-concurrency processing architecture of the traditional server/client mode. With the development of Internet of Things technology, network cryptographic machine deployments tend increasingly towards miniaturization and scale, and this architecture generally suffers from limited connection capacity, high latency and similar problems, making it ever less suitable for unified management of large-scale or even massive numbers of network cryptographic machines. A fast, efficient and reliable unified management system and method is therefore particularly important.
The traditional server/client mode is a point-to-point messaging mode: a message producer sends a message to a queue, and a message consumer then fetches the message from the queue and consumes it. Once consumed, the message is no longer stored in the queue, so a consumer cannot consume a message that has already been consumed.
Publish-subscribe is a different message pattern: message producers (publishers) publish messages to topics, and multiple message consumers (subscribers) consume them. Unlike point-to-point, a message published to a topic is consumed by all subscribers to that topic.
The publish-subscribe model is essentially a messaging mechanism, so-called "event driven", with three main components: publishers, subscribers and messages. Publishers are responsible for publishing messages, subscribers for subscribing to the messages they are interested in, and messages are the carrier of the information. In the publish-subscribe mode there is no direct coupling between publishers and subscribers; they interact only through messages. The publisher only needs to send messages, and the subscriber chooses which messages to subscribe to according to its own needs and performs the corresponding operations when a message arrives. This decoupling reduces the complexity and maintenance cost of the system and improves its scalability and reliability.
The publish-subscribe mode supports a large number of subscribers and topics and can therefore support large-scale device management applications. It can use acknowledgement and retransmission mechanisms to ensure message reliability, avoiding message loss and errors, and can use persistent storage to support persisting and recovering messages, providing better reliability and scalability.
Disclosure of Invention
The invention provides a unified management system and method for network cryptographic machines based on the publish-subscribe mode, which solve the limited connection capacity, high latency and similar problems that arise when large-scale or even massive numbers of network cryptographic machines are managed centrally under the high-concurrency processing architecture of the traditional server/client network, and thereby meet the requirement of unified management of massive numbers of network cryptographic machines.
To solve these technical problems, the invention provides the following technical scheme:
In one aspect, a unified management system for network cryptographic machines based on the publish-subscribe mode is provided. The system connects to the network cryptographic machines over a computer network and adopts a message transmission mechanism based on the publish-subscribe mode; it is provided with a message processing module that adopts a fully asynchronous architecture based on the publish-subscribe mode.
Furthermore, the message processing module of the unified management system is provided with a publish-subscribe mechanism, a heartbeat detection mechanism, an offline mechanism, a keep-alive mechanism and a data quality mechanism.
Furthermore, a heartbeat mechanism exists between each subscriber and the published topic; each subscriber registers its own offline action (a will message) when it connects, and once the subscriber is judged to be offline, the corresponding will message is sent to the designated topic for the relevant parties to carry out business processing.
Further, the published topic combines the heartbeat interval and the keep-alive duration to judge whether the network cryptographic machine is offline.
Further, uploaded data has three qualities of service: at least once, at most once and exactly once. Data messages of different quality trigger different numbers of round-trip messages to guarantee the agreed quality. According to the service characteristics of the network cryptographic machine, device monitoring data uses at-most-once quality, while policy and cryptographic resource management use at-least-once quality.
In another aspect, a method for managing the unified management system for network cryptographic machines based on the publish-subscribe mode comprises the following steps:
Step 1: after the unified management system starts, the message processing module publishes each topic in the system in turn;
Step 2: after the network cryptographic machine starts, it subscribes in turn to each topic published by the unified management system.
Further, the topics include one or more of a user management topic, a policy management topic, a cryptographic resource management topic, a system management topic, a device monitoring topic and a log audit topic.
Further, the method further comprises:
Step 3: through the publishing of each topic, the unified management system pushes the related policy and cryptographic resource information to the network cryptographic machine;
Step 4: the unified management proxy service in the network cryptographic machine receives and processes the policy and cryptographic resource information pushed by the unified management system, and reports monitoring information and log/alarm information to the unified management system in real time.
Further, step 2 includes:
the network cryptographic machine sends a subscription request message to the relevant topic of the unified management system through the publish-subscribe mode, the subscription request message carrying the machine's identity authentication information, operation identifier and operation parameters;
and the unified management system performs the corresponding operation according to the subscription request message and returns the operation result to the network cryptographic machine as a response message.
Furthermore, messages are independent of one another, and the unified management system does not need to maintain message state;
and/or a message contains one or more operation requests or responses;
and/or all operations are authenticated, and the related operations can proceed only after authentication succeeds.
The invention has the following beneficial effects:
The unified management system and method for network cryptographic machines based on the publish-subscribe mode solve the limited connection capacity, high latency and similar problems that arise when large-scale or even massive numbers of network cryptographic machines are managed centrally under the high-concurrency processing architecture of the traditional server/client network, and thereby meet the requirement of unified management of massive numbers of network cryptographic machines. Using a message transmission mechanism based on the publish-subscribe mode, the invention guarantees connection and communication between the unified management system and the network cryptographic machines even when the machines are numerous, large-scale or massive in number, and builds functions such as user management, policy management, cryptographic resource management and device monitoring on that connection and communication, so that the unified management system can manage and control the network cryptographic machines.
Drawings
FIG. 1 is an application model diagram of the unified management system for network cryptographic machines based on the publish-subscribe mode of the present invention;
FIG. 2 is a flow chart of the unified management method for network cryptographic machines based on the publish-subscribe mode of the present invention.
Detailed Description
To make the technical problems to be solved, the technical solutions and the advantages clearer, the following detailed description is given with reference to the accompanying drawings and specific embodiments.
In one aspect, the invention provides a unified management system for network cryptographic machines based on the publish-subscribe mode, as shown in FIG. 1, which connects to the network cryptographic machines over a computer network and adopts a message passing mechanism based on the publish-subscribe mode.
The unified management system connects to the network cryptographic machines over a computer network using a message transmission mechanism based on the publish-subscribe mode, so that connection and communication between the unified management system and the machines can be guaranteed even when the machines are numerous, large-scale or massive in number. On top of this connection and communication, functions such as user management, policy management, cryptographic resource management and device monitoring are built, so that the unified management system can manage and control the network cryptographic machines. The invention is suitable for centralized management of network security devices by a unified management system.
Furthermore, the unified management system can be built around a message processing module as its core. The module adopts a fully asynchronous architecture based on the publish-subscribe mode and has a publish-subscribe mechanism, a heartbeat detection mechanism, an offline mechanism, a keep-alive mechanism and a data quality mechanism, which makes it well suited to unified management when network cryptographic machines are deployed at scale.
Through the publish-subscribe mechanism, data from multiple parties can be collected into one published topic and then consumed by multiple business systems; the interaction mode can be shared, independent, or grouped and independent.
Heartbeat, keep-alive and will mechanisms: a heartbeat mechanism exists between each subscriber and the published topic. Each subscriber can register its own offline action (a will message) when it connects, and once the subscriber is judged to be offline, the corresponding will message is sent to the designated topic for the relevant parties to carry out business processing. The published topic can combine the heartbeat interval and the keep-alive duration to judge whether a network cryptographic machine is offline. If a machine goes offline from the device monitoring topic, the corresponding will message informs the unified management system of the offline machine's device information and the specifics of the outage, such as the time, address and reason, and the unified management system handles it accordingly.
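The heartbeat, keep-alive and will mechanism described here and in the Disclosure section, as an added example that is not the patent's own code: a management-system-side tracker that turns the heartbeat interval and keep-alive duration into one deadline and publishes the will registered at connect time when a machine misses it. The class and topic names, the deadline rule and the constructed device values are assumptions.

```python
"""
Added example (not the patent's code): a liveness tracker for the management
system. A subscriber registers its will message when it connects; the tracker
combines the heartbeat interval and the keep-alive duration into a deadline and,
when a machine misses it, publishes the will (device identity, address, time and
reason) to the designated topic. Names and the deadline rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DEVICE_MONITORING_TOPIC = "mgmt/device-monitoring"  # assumed topic name


@dataclass
class Session:
    device_id: str
    address: str
    heartbeat_interval: float  # seconds between heartbeats the device promised
    keep_alive: float          # extra grace period agreed at connect time
    will_topic: str            # where the will message goes if the device drops
    will_payload: dict
    last_seen: float           # time of the last heartbeat (or of the connect)

    def deadline(self) -> float:
        # Assumed rule: a device is offline once a heartbeat is overdue by more
        # than the keep-alive duration.
        return self.last_seen + self.heartbeat_interval + self.keep_alive


@dataclass
class LivenessTracker:
    sessions: Dict[str, Session] = field(default_factory=dict)
    published: List[Tuple[str, dict]] = field(default_factory=list)  # (topic, will)

    def connect(self, device_id: str, address: str, heartbeat_interval: float,
                keep_alive: float, will_payload: dict, now: float,
                will_topic: str = DEVICE_MONITORING_TOPIC) -> None:
        """The subscriber registers its offline action (will) at connect time."""
        self.sessions[device_id] = Session(device_id, address, heartbeat_interval,
                                           keep_alive, will_topic, dict(will_payload), now)

    def heartbeat(self, device_id: str, now: float) -> bool:
        """Refresh the deadline; returns False for a device with no live session."""
        session = self.sessions.get(device_id)
        if session is None:
            return False
        session.last_seen = now
        return True

    def disconnect(self, device_id: str) -> None:
        """Orderly disconnect: the session ends and the will is discarded (assumption)."""
        self.sessions.pop(device_id, None)

    def sweep(self, now: float) -> List[str]:
        """Judge every session against its deadline; publish wills for the dead ones."""
        offline = []
        for device_id, session in list(self.sessions.items()):
            if now <= session.deadline():
                continue
            will = dict(session.will_payload)
            will.update({"device_id": device_id, "address": session.address,
                         "offline_at": now, "reason": "heartbeat missed, keep-alive expired"})
            self.published.append((session.will_topic, will))
            del self.sessions[device_id]
            offline.append(device_id)
        return offline


def demo() -> List[Tuple[str, dict]]:
    """Constructed walk-through: one machine heartbeats once, then goes silent."""
    tracker = LivenessTracker()
    tracker.connect("hsm-01", "10.0.0.5", heartbeat_interval=10.0, keep_alive=5.0,
                    will_payload={"model": "constructed-model"}, now=0.0)
    tracker.heartbeat("hsm-01", now=14.5)   # deadline moves to 14.5 + 10 + 5 = 29.5
    tracker.sweep(now=29.0)                 # still within the deadline
    tracker.sweep(now=30.0)                 # overdue: will message is published
    return tracker.published


if __name__ == "__main__":
    for topic, payload in demo():
        print(topic, payload)
```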
Data quality: uploaded data has three qualities of service: at least once, at most once and exactly once. Data messages of different quality trigger different numbers of round-trip messages to guarantee the agreed quality. According to the service characteristics of the network cryptographic machine, device monitoring data can use at-most-once quality, while important data such as policies and cryptographic resource management can use at-least-once quality.
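The three data qualities and their differing round-trip counts, from this paragraph and the Disclosure section, as an added example that is not the patent's own code. It runs each quality over a constructed lossy link so the trade-off is visible: at most once loses silently, at least once can deliver a duplicate when the acknowledgement is lost, exactly once costs two extra messages but de-duplicates by packet id. The message names follow MQTT; the topic-to-quality table and class names are assumptions.

```python
"""
Added example (not the patent's code): the three message qualities, each with
the number of round-trip messages it costs, run over a constructed lossy link.
Message names follow MQTT; topic names and class names are assumptions.
"""
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class QoS(IntEnum):
    AT_MOST_ONCE = 0
    AT_LEAST_ONCE = 1
    EXACTLY_ONCE = 2


# Assignment stated in the patent: monitoring data at most once, policy and
# cryptographic resource management at least once (topic names are assumed).
TOPIC_QOS: Dict[str, QoS] = {
    "mgmt/device-monitoring": QoS.AT_MOST_ONCE,
    "mgmt/policy": QoS.AT_LEAST_ONCE,
    "mgmt/crypto-resource": QoS.AT_LEAST_ONCE,
}


class LossyLink:
    """Constructed channel: the n-th message sent is dropped if n is in `drop`."""
    def __init__(self, drop=()):
        self.drop, self.count = set(drop), 0

    def send(self, msg):
        self.count += 1
        return None if self.count in self.drop else msg


class Receiver:
    """Subscriber side: applies the acknowledgement rule of each quality."""
    def __init__(self):
        self.delivered: List[Tuple[str, str]] = []      # handed to the application
        self.pending: Dict[int, Tuple[str, str]] = {}   # exactly once: awaiting PUBREL
        self.completed = set()                          # exactly once: ids already released

    def on_publish(self, pid, topic, payload, qos) -> Optional[tuple]:
        if qos == QoS.AT_MOST_ONCE:
            self.delivered.append((topic, payload))
            return None                                 # nothing flows back
        if qos == QoS.AT_LEAST_ONCE:
            self.delivered.append((topic, payload))     # a retransmit lands here again
            return ("PUBACK", pid)
        if pid not in self.completed:                   # exactly once: hold until released
            self.pending[pid] = (topic, payload)
        return ("PUBREC", pid)

    def on_pubrel(self, pid) -> tuple:
        if pid in self.pending:                         # deliver once, remember the id
            self.delivered.append(self.pending.pop(pid))
            self.completed.add(pid)
        return ("PUBCOMP", pid)


def publish(link, receiver, pid, topic, payload, qos=None, max_retries=3) -> int:
    """Publisher side; returns how many messages crossed the link for this publish."""
    qos = TOPIC_QOS.get(topic, QoS.AT_LEAST_ONCE) if qos is None else qos
    start = link.count
    if qos == QoS.AT_MOST_ONCE:                         # fire and forget: one message
        if link.send(("PUBLISH", pid)) is not None:
            receiver.on_publish(pid, topic, payload, qos)
        return link.count - start
    ack = None
    for _ in range(max_retries + 1):
        if link.send(("PUBLISH", pid)) is None:
            continue                                    # PUBLISH lost: retransmit
        ack = link.send(receiver.on_publish(pid, topic, payload, qos))
        if ack is not None:
            break                                       # PUBACK / PUBREC arrived
    if ack is None:
        raise TimeoutError(f"no acknowledgement for packet {pid}")
    if qos == QoS.AT_LEAST_ONCE:
        return link.count - start
    for _ in range(max_retries + 1):                    # exactly once: release phase
        if link.send(("PUBREL", pid)) is None:
            continue
        if link.send(receiver.on_pubrel(pid)) is not None:
            return link.count - start
    raise TimeoutError(f"no PUBCOMP for packet {pid}")
```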
In another aspect, the invention provides a method for managing the unified management system for network cryptographic machines based on the publish-subscribe mode, as shown in FIG. 2, including:
Step 1: after the unified management system starts, the message processing module publishes each topic in the system in turn;
Step 2: after the network cryptographic machine starts, it subscribes in turn to each topic published by the unified management system.
After the unified management system starts, the message processing module publishes each topic in the system in turn; after a network cryptographic machine starts, it subscribes in turn to each topic published by the unified management system. The two cooperate to achieve unified management of the network cryptographic machines by the unified management system.
Further, after the unified management system starts, the message processing module publishes each topic in the system in turn, for example a user management topic, a policy management topic, a cryptographic resource management topic, a system management topic, a device monitoring topic and a log audit topic. The user management topic manages the information of the administrators and operators who log in to the network cryptographic machine, specifically adding, deleting, modifying and querying administrators and operators. The policy management topic manages the machine's service policies, specifically adding, deleting, modifying and querying service policies. The cryptographic resource management topic manages the machine's cryptographic resources (including device certificates, symmetric keys, asymmetric keys and other information), specifically destroying and updating them. The system management topic manages the machine's system information, such as its IP address and working mode. The device monitoring topic monitors the state of the machine, including its CPU, memory, hard disk and network utilization. The log audit topic audits the machine's logs, covering the log and alarm information generated while the machine operates.
Further, the method may further include:
Step 3: through the publishing of each topic, the unified management system pushes the related policy and cryptographic resource information to the network cryptographic machine;
Step 4: the unified management proxy service in the network cryptographic machine receives and processes the policy and cryptographic resource information pushed by the unified management system, and reports monitoring information and log/alarm information to the unified management system in real time.
In this way, through the publishing of each topic, the unified management system pushes information such as policies and cryptographic resources to the network cryptographic machines and receives, in real time, the monitoring information, logs/alarms and similar information reported by each machine. The unified management proxy service runs in each network cryptographic machine as an independent process; after it starts it subscribes to each topic published by the unified management system, and through these subscriptions it receives and processes the policy and cryptographic resource information pushed by the unified management system and reports monitoring information, logs/alarms and the like to the unified management system in real time.
Further, step 2 may include:
Step 21: the network cryptographic machine sends a subscription request message to the relevant topic of the unified management system through the publish-subscribe mode, the subscription request message carrying the machine's identity authentication information, operation identifier and operation parameters;
Step 22: the unified management system performs the corresponding operation according to the subscription request message and returns the operation result to the network cryptographic machine as a response message.
In this way, the network cryptographic machine sends a subscription request message to the relevant topic of the unified management system through the publish-subscribe mode; the request message carries the machine's identity authentication information, operation identifier, operation parameters and the like. The unified management system verifies the subscription request message and returns the verification result (whether subscription to the topic is allowed) to the machine as a response message: if the response allows the subscription, the machine's subscription to the topic succeeds; if it refuses, the subscription fails.
Messages are independent of one another, and the unified management system does not need to maintain message state. A message may contain a single operation request or response, or several. All operations must be authenticated, and the related operations can proceed only after authentication succeeds.
In conclusion, the method provides a useful reference for unified management of network cryptographic machines and has strong applicability to the unified management of massive numbers of network security devices, especially in the network security field.
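The authenticated subscription request of steps 21 and 22 and the stateless, multi-operation messages described just above (also stated in the Disclosure section), as an added example that is not the patent's own code: every operation in a request carries the machine's identity, operation identifier and parameters and is authenticated individually; the management system judges each one from the message alone, keeps no per-message state, and returns the outcomes as one response message. HMAC over a constructed per-device pre-shared key, the freshness window and the topic/operation table are assumptions.

```python
"""
Added example (not the patent's code): an authenticated, stateless subscription
request and its response. HMAC over a per-device key, the freshness window and
the topic/operation table are assumptions; the keys are constructed samples.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed per-device keys; a real deployment would authenticate with the
# machine's device certificate instead.
DEVICE_KEYS: Dict[str, bytes] = {
    "hsm-01": b"constructed-key-hsm-01",
    "hsm-02": b"constructed-key-hsm-02",
}

# Operations each management topic accepts, following the topic descriptions in
# the text (topic names are assumed).
TOPIC_OPERATIONS = {
    "mgmt/user": {"add", "delete", "modify", "query"},
    "mgmt/policy": {"add", "delete", "modify", "query"},
    "mgmt/crypto-resource": {"destroy", "update"},
    "mgmt/system": {"get", "set"},
    "mgmt/device-monitoring": {"report"},
    "mgmt/log-audit": {"report"},
}
MAX_CLOCK_SKEW = 300  # seconds; assumed freshness window against replayed requests
SIGNED_FIELDS = ("device", "topic", "op", "params", "ts")


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_operation(device_id: str, topic: str, op: str, params: dict, ts: int) -> dict:
    """Machine side: one operation request, authenticated on its own."""
    body = {"device": device_id, "topic": topic, "op": op, "params": params, "ts": ts}
    mac = hmac.new(DEVICE_KEYS[device_id], _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


def build_subscription_request(device_id: str, ops: List[Tuple[str, str, dict]],
                               ts: int) -> dict:
    """Machine side: a request message carrying one or more operations."""
    return {"device": device_id,
            "operations": [sign_operation(device_id, t, o, p, ts) for t, o, p in ops]}


def verify_operation(op: dict, now: int) -> Tuple[bool, str]:
    """Management system side: judged from the operation's own fields only."""
    key = DEVICE_KEYS.get(op.get("device"))
    if key is None:
        return False, "unknown device"
    body = {k: op.get(k) for k in SIGNED_FIELDS}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(op.get("mac", ""))):
        return False, "authentication failed"       # authenticate before anything else
    if not isinstance(op.get("ts"), int) or abs(now - op["ts"]) > MAX_CLOCK_SKEW:
        return False, "request not fresh"
    if op.get("op") not in TOPIC_OPERATIONS.get(op.get("topic"), set()):
        return False, "operation not permitted on topic"
    return True, "subscription allowed"


def handle_subscription_request(request: dict, now: int) -> dict:
    """Verify every operation and return the results as one response message.
    Nothing is stored between calls: messages are independent of one another."""
    results = []
    for op in request.get("operations", []):
        allowed, reason = verify_operation(op, now)
        results.append({"topic": op.get("topic"), "op": op.get("op"),
                        "allowed": allowed, "reason": reason})
    return {"device": request.get("device"), "results": results}
```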
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the present invention.

Claims (8)

1. A method for managing a unified management system for network cryptographic machines based on the publish-subscribe mode, characterized in that the unified management system connects to the network cryptographic machines over a computer network, adopts a message transmission mechanism based on the publish-subscribe mode, and is provided with a message processing module that adopts a fully asynchronous architecture based on the publish-subscribe mode;
The method comprises the following steps:
Step 1: after the unified management system starts, the message processing module publishes each topic in the system in turn;
Step 2: after the network cryptographic machine starts, it subscribes in turn to each topic published by the unified management system;
Step 3: through the publishing of each topic, the unified management system pushes the related policy and cryptographic resource information to the network cryptographic machine;
Step 4: the unified management proxy service in the network cryptographic machine receives and processes the policy and cryptographic resource information pushed by the unified management system, and reports monitoring information and log/alarm information to the unified management system in real time.
2. The method of claim 1, wherein the message processing module of the unified management system has a publish-subscribe mechanism, a heartbeat detection mechanism, an offline mechanism, a keep-alive mechanism and a data quality mechanism.
3. The method of claim 2, wherein a heartbeat mechanism exists between each subscriber and the published topic, each subscriber registers its own offline action (a will message) when it connects, and once it is judged to be offline, the corresponding will message is sent to the designated topic for the relevant parties to carry out business processing.
4. The method of claim 3, wherein the published topic combines the heartbeat interval and the keep-alive duration to judge whether the network cryptographic machine is offline.
5. The method of claim 2, wherein uploaded data has three qualities of service: at least once, at most once and exactly once; data messages of different quality trigger different numbers of round-trip messages to guarantee the agreed quality; and, according to the service characteristics of the network cryptographic machine, device monitoring data uses at-most-once quality while policy and cryptographic resource management use at-least-once quality.
6. The method of claim 1, wherein the topics include one or more of a user management topic, a policy management topic, a cryptographic resource management topic, a system management topic, a device monitoring topic and a log audit topic.
7. The method of claim 1, wherein step 2 comprises:
the network cryptographic machine sends a subscription request message to the relevant topic of the unified management system through the publish-subscribe mode, the subscription request message carrying the machine's identity authentication information, operation identifier and operation parameters;
and the unified management system performs the corresponding operation according to the subscription request message and returns the operation result to the network cryptographic machine as a response message.
8. The method of claim 1, wherein messages are independent of one another and the unified management system does not need to maintain message state;
and/or a message contains one or more operation requests or responses;
and/or all operations are authenticated, and the related operations can proceed only after authentication succeeds.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410199531.1A CN117811833B (en) 2024-02-23 2024-02-23 Unified network crypto-engine management system and method based on publishing and subscribing mode

Publications (2)

Publication Number Publication Date
CN117811833A CN117811833A (en) 2024-04-02
CN117811833B true CN117811833B (en) 2024-05-10

Family

ID=90432096

Country Status (1)

Country Link
CN (1) CN117811833B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1908970A (en) * 2005-08-03 2007-02-07 北京航空航天大学 Distribution type information issuing/ ordering system
CN103458033A (en) * 2013-09-04 2013-12-18 北京邮电大学 System for providing services of event-driven service-oriented internet of things and working method thereof
CN109672684A (en) * 2018-12-25 2019-04-23 山东超越数控电子股份有限公司 A kind of management service system of network cryptographic machine
WO2021038558A1 (en) * 2019-08-26 2021-03-04 Israel Aerospace Industries Ltd. System, method and computer program product implementing a decentralized avionic channel
CN113315683A (en) * 2021-06-23 2021-08-27 北京精密机电控制设备研究所 Efficient distributed equipment state management method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB0521355D0 (en) * 2005-10-19 2005-11-30 Ibm Publish/subscribe system and method for managing subscriptions
GB2520514A (en) * 2013-11-22 2015-05-27 Ibm Message delivery in a messaging system
WO2020101747A1 (en) * 2018-01-08 2020-05-22 All Purpose Networks, Inc. Publish-subscribe broker network overlay system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Design and implementation of publish/subscribe middleware for e-government; 逯鹏; 林学练; 王斌; 刘力; Computer Engineering (计算机工程); 2008-05-05 (No. 09); full text *
Design and application of interface services for a high-performance publish/subscribe system; 温鹏; 章洋; Software (软件); 2013-11-15 (No. 11); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant