EP3152660A1 - Method for distributing tasks between computer systems, computer network infrastructure and computer program product - Google Patents

Method for distributing tasks between computer systems, computer network infrastructure and computer program product

Info

Publication number
EP3152660A1
Authority
EP
European Patent Office
Prior art keywords
computer system
primary
processing
computer systems
task
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP15727622.1A
Other languages
German (de)
English (en)
Inventor
Heinz-Josef CLAES
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fujitsu Technology Solutions Intellectual Property GmbH
Original Assignee
Fujitsu Technology Solutions Intellectual Property GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fujitsu Technology Solutions Intellectual Property GmbH

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005 Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5027 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005 Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5027 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals
    • G06F9/505 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals considering the load
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004 Server selection for load balancing
    • H04L67/1008 Server selection for load balancing based on parameters of servers, e.g. available memory or workload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/2866 Architectures; Arrangements
    • H04L67/288 Distributed intermediate devices, i.e. intermediate devices for interaction with other intermediate devices on the same level
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
    • H04L43/0811 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking connectivity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0218 Distributed architectures, e.g. distributed firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/40 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection

Definitions

  • the invention relates to a method for distributing tasks between secure computer systems in one
  • Computer network infrastructure a corresponding computer network infrastructure and a computer program product for
  • Computer network infrastructures which include server client topologies, become sensitive data, e.g. Customer data or user data, between the client and the server
  • Data protection includes regulations (processes that
  • Communication structures include a load distribution, i.e. a distribution of certain actions or processes (tasks) between a plurality of participating computer systems, or determining a computer system from a group of
  • the object of the present invention is to improve the protection against attacks on computer systems within a computer network infrastructure, in particular the unauthorized access to confidential data, by technical measures and yet to propose a distribution of tasks within the computer network infrastructure, which provides a satisfactory forwarding of data within the computer network infrastructure.
  • this object is achieved by a method for distributing tasks between secured
  • Editing computer system based on the transmitted task information, wherein all of the group of the processing computer systems keep predetermined network ports used for this method so closed that no connection establishment to the processing computer systems is permitted from the outside and thus access via a network by means of these
  • a respective edit computer system may connect to a respective switch computer system to retrieve corresponding task information (or other data) from the task file from the switch computer system.
  • Such a method allows for load sharing such that from a group of switching computer systems, a primary computer system is selected for further processing of an incoming task file.
  • multiple individual tasks may be shared between multiple switch computer systems so that the overall load of the group of switch computer systems is not limited to one
  • the method has the advantage that a dedicated switching computer system is determined as a primary computer system, which automates the other
  • Control process flow includes communication with a plurality of processing computer systems within the computer network infrastructure.
  • predetermined network ports means that all or only selected security-critical network ports, such as the network ports used for this method, are permanently or temporarily closed in all the processing computer systems.
  • the term "closed network ports" in this context means that they are not "listening" ports, i.e. no external connection is allowed, in which case a third party is not able to communicate from the outside
  • SSH secure shell
  • the method allows access to a switching computer system from the group of switching computer systems from the outside.
  • Each of the group of switching computer systems is thereby accessible as an "open" system with at least one addressable ("listening") network port, which means that on a switching computer system, for example
  • Run programs and / or applications are prepared so that a processing computer system can access a switching computer system and connect to the
  • Conveyor computer system can build to appropriate
  • Task information from the task file according to the presented method (via a then established connection,
  • such an "open" brokerage computer system is similar to a traditional, specially secured computer system.
  • each relay computer system in the
  • task files are prepared for
  • Such processes can be, for example:
  • a task file differs fundamentally from a pure command to a respective processing computer system because a command for its evaluation on the part of the editing computer system
  • instructions may be given to a processing computer system on a mediation computer system
  • the instructions may then be e.g. processed locally on the editing computer system.
  • task information from the task file is to be understood as information that is present (e.g. embedded) in the task file, which may include information about instructions, descriptions, process data, signatures, passwords, etc.
  • the task information may include parts from the task file or the entire task file as such
  • task information can be used to transfer parts of the task file or even the entire task file to a processing computer system.
  • a process can be triggered, which calls the selected task information in the primary switching computer system and automated from the primary
  • the automated transmission of the task information from the primary switching computer system to the primary processing computer system is configured such that a third party from outside does not
  • the task information may be encrypted.
  • (different) encryption can also be applied multiple times to parts of the task information or to entire data packets (which contain task information). The validity of the task information can then be checked in the primary processing computer system and a
  • the validity of the task information can be checked using signatures that have been used to sign data packets.
  • the task information can be transferred to the primary switch computer.
  • Interaction package for performing the at least one
  • Action in the primary editing computer system Creating a second interaction packet, in which a response to the first interaction packet is included, by the primary processing computer system,
  • a mediation computer system after performing the at least one action.
  • Packing the task information into an interaction packet allows further information to be sent, e.g. signatures of the primary mediation computer system, permissions, instructions, and so on.
  • the task information of the original task file or the task information after performing the action in the primary processing computer system remain advantageous.
  • Information on communication between the primary relay computer system and the primary processing computer system of task information from the task file to perform a task e.g. on another target computer system.
  • the interaction package may be a kind of "sub-task file" in the particular interaction parameter between the primary
  • Mediation computer system and the primary processing computer system are transferred from the primary processing computer system back to the primary mediation computer system and embedded in the original task file.
  • Triggering a (criminal) action in a processing computer system by a manipulated switching computer system can thereby be prevented or at least made much more difficult because the "basic signature" offers a certain security against counterfeiting.
  • the at least one action in the primary processing computer system comprises at least:
  • the task information may be extracted or unpacked from the interaction package as discussed above. Decisive for all actions is that they are executed locally in a processing computer system involved, so that security-relevant passphrases or keys for processing and executing the actions must be present or used locally only on the respective computer systems and not within the computer network infrastructure, especially between the primary switch computer system and the primary
  • the method of the type explained comprises the additional steps:
  • a switching computer system wherein task information from the task file and / or information about the at least one action to be carried out by means of the group of processing computer systems are also summarized in the information packet,
  • Such a transmission is analogous to an above-described transmission of task information from the task file or a first interaction packet in which the task information is included.
  • Information package done in the process advantageous prior to the above-described transfer of task information to the primary processing computer system (by means of the first interaction package) and are used in particular first to determine a primary
  • a processing computer system of the plurality of processing computer systems present in the computer network infrastructure.
  • the task information (in the first interaction package) explained in the content may differ in content, overlap, or be identical.
  • time outs Time points or time spans
  • Edit computer systems a message about the task file and / or on the basis of the task file or task information to perform actions. In this way, each processing computer system can decide whether it should, or should be allowed to, process the appropriate task information or perform the appropriate action based on the task information.
  • the described measures thus permit a directed request to the group of processing computer systems by means of the information packet through the primary switching computer system and a subsequent selection and determination of a primary processing computer system which responds positively to the information packet.
  • Link processing information of the corresponding processing computer system may include, for example, availability,
  • the step of negotiating a primary switching computer system comprises the following substeps:
  • Switching computer systems allow the automated (and with high probability
  • Switching computer system after receiving the task file can be achieved that each switching computer system can decide whether it may or should, in its function as primary, forward task information in the communication process. After waiting for the first period of time, which may be individually predetermined for each switch computer system, a switch computer system notifies all other switch computer systems that it has the
  • a switching computer system which has declared itself as a potential primary to the others, in turn connects to the other switching computer systems in order to
  • the substeps of negotiating a primary switch computer system are performed again (possibly with a random wait at the start) if the validation by the communicating switch computer system that it is the only one willing to continue processing as the primary switch computer system was not successful.
  • validation cannot be successful if multiple mediation computer systems, possibly concurrently or with temporal overlap, each signal readiness to continue processing as a primary system. Due to parallelism in negotiation, two or more mediation computer systems may want to play the role of primary.
  • a load distribution in particular a distribution of task files between the involved
  • Mediation computer systems it may and may preferably only a single primary
  • a step of negotiating a primary mediation computer system is performed after each concurrent receipt of a task file by the group of mediation computer systems.
  • the step of negotiating a primary switching computer system is after each change of the group
  • Change can be, for example, adding or removing switching computer systems in the cluster
  • Machining computer systems are connected via network paths in their communication.
  • the computer network infrastructure may experience a so-called “split-brain problem.” This problem occurs when network paths are so
  • Mediation computer systems or within the group of processing computer systems come to several primary computer systems. In this way, redundant data packets would be created, transmitted and possibly edited by several primaries.
  • Computer system to divergent behavior This can be done by monitoring an identification of task packets
  • redundant network paths within the computer network infrastructure can be used to create a network
  • the method of the type explained comprises the steps:
  • Inaccessibility of a plurality of switching computer systems could be the indication of a split brain problem - as explained above. This could, for example, be communicated and logged via monitoring with regard to possible redundancy of forwarded data packets or task files.
  • Processing computer systems for signaling that they should go into a wait mode. In this way, non-primary processing computer systems are signaled that they should (initially) perform no further action with respect to corresponding task information.
  • the method of the type explained additionally comprises the steps:
  • a first advantage is that after performing the action in the primary processing computer system, all data on involved processing computer systems associated with the
  • a second advantage is that all processing computer systems (both primary and non-primary) recognize that processing the task information or action is successful
  • an edit-and-finish instruction may also be after a retransmission of the edited task information from the primary editing computer system to the primary one
  • Switching computer system or other predetermined times are sent.
  • transferring the task information and / or other data packets and / or instructions from a mediation computer system to a processing computer system includes the following steps:
  • a switching computer system to the processing computer system wherein the predetermined network ports of the processing computer system are closed and wherein the sequence in a predetermined order addresses one or more network ports of the processing computer system,
  • Processing computer system if the verification of the transmitted sequence is positive, the processing computer system in turn establishes a connection to the switching computer system and collects the task information and / or other data packets and / or instructions.
  • Block editing computer system from the outside or make a manipulative access much more difficult.
  • an automated process for transmitting the respective task information to the processing computer system, for example via the Unix-based "Secure Copy", scp
  • the editing computer system in turn builds one
  • the IP address of the sequence-transmitting computer system can be statically specified in the processing computer system or dynamically taken from the source IP addresses, known to the kernel of the processing computer system, of possible sequence-sending computer systems. Such a method is known by the term "port knocking" (English: to knock).
  • the aforementioned steps can be carried out, for example, via a so-called knock daemon, that is to say a program which enables port knocking.
  • the knock daemon listens on the network ports of the processing computer system, examines the transmitted sequence of packet data, and, if necessary, initiates controlled transmission of the data (e.g., by starting a script / program)
  • the processing computer system involved inquires at regular intervals from the switching computer system (polling) whether
  • Processing computer system to be initiated. It is also conceivable that the processing computer system polls if, for example, a certain amount of time is exceeded in which no port knocking has been performed. Problems with the port knocking could be recognized and the functionality is preserved. Through the measures described is a communication between secure computer systems within the
  • a plurality of processing computer systems wherein the computer systems are arranged to transmit data packets and / or instructions from at least one of the group of switching computer systems to at least one of the group of processing computer systems for processing the data packets and / or instructions,
  • the above object is achieved by a computer program product that is configured to run on one or more computer systems and that, when executed, performs a method of the type discussed above. Further advantageous embodiments are disclosed in the subclaims and in the following description of the figures.
  • Figure 1 shows a schematic representation of at least part of a computer network infrastructure that is configured to perform load sharing between involved computer systems.
  • the computer network infrastructure includes in the shown
  • Embodiment a group of switching computer systems, namely a task server 1 and a task server 2.
  • the computer network infrastructure comprises a group of processing computer systems, namely a
  • Admin client 1 an Admin client 2 and an Admin client 3.
  • a respective user group can locally access the Admin Client 1 or 2 or 3 to access it locally
  • the admin client 1 to 3 the switching computer systems, ie the task servers 1 and 2, behave as "open" systems.
  • the task servers 1 and 2 have thus opened at least one network port, wherein a service or a
  • a network connection may be at these
  • the task servers 1 and 2 serve as agents for communication and
  • Admin client 1 to 3 For communication between the addressable switching computer systems, task servers 1 and 2, and the encapsulated editing computer systems, Admin client 1 to 3, with their respective closed network ports is a
  • Data packets and / or instructions can be transmitted directly from an Admin Client 1 to 3 to one or more of the Task Servers 1 and 2 and stored there, since the Task Servers 1 and 2 can be addressed directly via the network.
  • Sequence of packet data is sent from one of the task servers 1 or 2 to one or more of the Admin clients 1 to 3, wherein the network ports of the corresponding processing computer system are closed and wherein the sequence addresses, in a predetermined order, one or more network ports of the corresponding processing computer system
  • the corresponding processing computer system starts a process that fetches a data packet to be transmitted from the corresponding switching computer system (task server 1 or 2).
  • a process can be any process that fetches a data packet to be transmitted from the corresponding switching computer system (task server 1 or 2).
  • Computer systems communicate with each other despite encapsulated processing computer systems within the computer network infrastructure, forward data packets and / or issue instructions.
  • a task file is transmitted from an unspecified point in each case to the task server 1 and the task server 2 and stored there.
  • the task file may include an instruction for a process (task) on one of the editing computer systems and / or on an unspecified target computer system.
  • a process can be, for example:
  • in step 2, the task servers 1 and 2 negotiate which of the two task servers 1 or 2 performs the further processing of the task file as the primary switching computer system.
  • both task servers 1 or 2 can wait for predetermined periods of time (time outs), after which task server 1, for example, the task server 2
  • Task server 1 the role of Primary for further processing of the received task file.
  • Task server 2 can either discard the task file or keep the task file for a fallback position in the event of failure of the task server 1. Furthermore, task server 2 can go into a wait mode.
  • For further processing of the task file, in particular for forwarding task information from the task file or the task file itself within the computer network infrastructure, task server 1 generates an information packet, wherein task information from the task file and / or information about at least one action to be performed by means of the group of processing computer systems are combined in the information packet. In particular, such information may be based on specifications within the task file,
  • Editing computer systems i.e. both to Admin-Client 1 as well as to the admin client 2 as well as to the admin client 3, according to a forwarding 1:n.
  • For this purpose, task server 1 calls predetermined routing information stored in the task file, the
  • Routing information define a predetermined communication path structure between the task server 1 and the processing computer systems, Admin client 1 to 3. In step 3, this routing information is used for a 1: 1 forwarding to the processing computer systems
  • In step 4, Task Server 1 performs a port-knocking process - as explained above - towards all the processing computer systems, Admin-Client 1 to 3. Then, all the Admin Clients 1 to 3 retrieve the created information package from the Task Server 1.
  • In step 5, which represents a significant process step, it is determined, based on an evaluation of the transmitted information packet, which of the processing computer systems admin client 1 to 3 carries out the further processing of further task information.
  • Such a primary processing computer system can be determined, for example, on the basis of predetermined time-outs within the information packet and / or on the basis of the fact that the processing computer systems are the first to access the
  • Constellation admin client 2 determines that he wants to carry out the further processing. In step 6, the admin client 2 calculates a routing to the task server 1 for this purpose and transports a step in step 7
  • In step 8, the positive response is registered in the task server 1 and the admin client 2 is set as the primary processing computer system.
  • task server 1 creates an interaction packet in step 8, in which task information of the
  • the interaction package can have more than this task information
  • Contain information (eg, signatures, permissions, instructions, etc.) between the task server 1 and the admin client 2 while preserving the information of the original task file.
  • the interaction package may also contain the original task file itself as task information. It is also conceivable that the task information or the
  • step 8a the task server 1 generates in step 8a
  • step 9 in the task server 1, a routing to the
  • step 10 a retrieval of the
  • step 10a Interaction packet from the task server 1 by the admin client 2 after a corresponding port knocking process by task server 1.
  • the on-hold instructions are retrieved by the admin clients 1 and 3 from the task server 1 after an analogous port-knocking process by task server 1 towards these computer systems.
  • In step 11, which is also an authoritative step within the method, the admin client 2, as the primary editing computer system, extracts the task information from the transmitted interaction package and determines from it an action that has to be performed locally on the admin client 2.
  • This action concerns e.g. the insertion of further data in the task information
  • Admin Client 1 and Admin Client 3 process the fetched on-hold instruction in step 11a and switch to a wait mode ("on hold") for a request for further action on the part of the task server 1,
  • In step 12, the admin client 2 computes a routing of the processed task information back to the task server 1, which has been notified to it as a primary switching computer system, e.g. by means of the previously sent
  • Admin Client 2 can do the
  • Pack corresponding action in a second interaction package containing, for example, a return information for the task server 1.
  • step 13 a return transport of the second interaction packet created in this way from
  • Task Server 1 creates an Edit Complete statement for all Admin Clients 1 through 3 in step 14. Further, in step 14a, the supplemented and edited task information in task server 1 is updated, e.g. information is added that a predetermined step has been processed. Subsequently, in the task server 1, the task file can, for example, be supplemented or recreated from the task information transported back. Finally, in step 15, the task server 1 calculates a routing of the processing complete instruction to the Admin clients 1 to 3. In step 15a, a routing for a
  • In step 16, a port-knocking process is carried out by the task server 1 with respect to all the admin clients 1 to 3, each of which picks up the processing-ended instruction from the task server 1.
  • In step 16, all Admin Clients 1 through 3 receive information that the process of processing task information has ended.
  • step 16a the further transport of the supplemented task file in the direction of the non-closer takes place in parallel thereto
  • In step 17, in each Admin client 1 to 3, triggered by the processing-ended instruction, the data incurred in connection with the performed procedure is cleaned up, and any executed jobs and actions are removed.
  • Step 17 may be coupled to a timing. It means that
  • Step 17 is performed automatically, if any
  • a user of each of Admin Clients 1 to 3 can also be informed of the end of the action taken when step 17 is performed.
  • step 18 could be provided, in which the information is passed from task server 1 to task server 2 that the action
  • task server 2 may try to renegotiate the role of the primary (now by itself) and, if necessary, repeat the communication with Admin Clients 1 to 3 according to the method explained. A message from task server 1 to task server 2 is made when the specified time period for the action has been exceeded but the action has not (successfully) been completed by the admin clients. As a result, task server 2 receives the information that the action has ended "formally". Step 18 can be implemented as the last step after step 17 or, alternatively, before step 17 in the method.
  • each data packet which is exchanged between the involved computer systems according to the method explained is provided with an identifier in at least one participating computer system.
  • Adding an identifier can mean, for example, providing the data packet with a unique addition.
  • the course of the data packets along the communication path structure can be monitored using the identifier, if necessary in conjunction with existing signatures (forgery-proof). Further, a dwell time of the data packets on a computer system involved along the communication path structure may be monitored. In addition, all process steps through the monitoring
  • Computer systems in routing can and can be achieved successfully.
  • the identifier can be used to verify that task information is successful from the primary
  • Mediation computer system task server 1
  • Admin client 2 the primary processing computer system
  • a residence time can, e.g., be defined within the task file. It can be determined that after
  • alarm messages can be generated or other measures can be taken by means of monitoring.
  • the monitoring, which is not shown in detail in the exemplary embodiment, can either be implemented by the involved computer systems themselves or be executed by other, unspecified computer systems. It is also conceivable and advantageous to carry out the monitoring via a separate network path structure.
  • Task Server 1 Mediation Computer System
  • Task Server 2 Mediation computer system
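
The packet monitoring described above (identifier per data packet, expected path, dwell time, alarm messages), as an added example that is not part of the patent text. System names, keys, the 30-second limit and the use of an HMAC in place of the signatures the description mentions are assumptions, and the hop reports are constructed sample data.

```python
import hmac, hashlib

# Assumption: every reporting system shares a key with the monitor (constructed values).
KEYS = {"task-server-1": b"k-ts1", "admin-client-1": b"k-ac1", "admin-client-2": b"k-ac2"}
# Path from the description: primary mediation system -> primary processing system -> back.
EXPECTED_ROUTE = ["task-server-1", "admin-client-2", "task-server-1"]
MAX_DWELL_S = 30.0  # assumed residence-time limit, e.g. as defined in the task file

def tag(system, ident, arrived):
    """HMAC over a hop report so it cannot be forged or re-attributed."""
    msg = f"{ident}|{system}|{arrived}".encode()
    return hmac.new(KEYS[system], msg, hashlib.sha256).hexdigest()

def report(ident, system, arrived, left=None):
    """Hop report as a participating system would send it to the monitor."""
    return {"id": ident, "system": system, "arrived": arrived, "left": left,
            "tag": tag(system, ident, arrived)}

def monitor(reports, now):
    """Return {identifier: [alarm, ...]}; an empty list means the packet is on track."""
    alarms, hop_no = {}, {}
    for r in sorted(reports, key=lambda r: r["arrived"]):
        ident, system = r["id"], r["system"]
        found = alarms.setdefault(ident, [])
        i = hop_no[ident] = hop_no.get(ident, -1) + 1
        valid = system in KEYS and hmac.compare_digest(r["tag"], tag(system, ident, r["arrived"]))
        if not valid:
            found.append(f"unverifiable report from {system}")
        elif i >= len(EXPECTED_ROUTE) or system != EXPECTED_ROUTE[i]:
            found.append(f"route deviation at hop {i}: {system}")
        elif (dwell := (now if r["left"] is None else r["left"]) - r["arrived"]) > MAX_DWELL_S:
            found.append(f"dwell time exceeded on {system}: {dwell:.1f}s")
    return alarms

# Constructed sample reports for four packets.
REPORTS = [
    report("task-0001", "task-server-1", 0.0, 2.0),
    report("task-0001", "admin-client-2", 2.5, 9.0),
    report("task-0001", "task-server-1", 9.4, 10.0),
    report("task-0002", "task-server-1", 0.0, 1.0),
    report("task-0002", "admin-client-2", 1.5),                      # still held at "now"
    report("task-0003", "task-server-1", 0.0, 1.0),
    report("task-0003", "admin-client-1", 1.5, 3.0),                 # not the primary processing system
    dict(report("task-0004", "task-server-1", 0.0, 1.0), tag="00"),  # forged tag
]

if __name__ == "__main__":
    for ident, found in monitor(REPORTS, now=60.0).items():
        print(ident, found or "ok")
```
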

Abstract

The invention relates to a method for distributing tasks between secured computer systems in a computer network infrastructure. The method comprises the following steps: - parallel reception of a task file by a plurality of mediation computer systems; - negotiation of a primary mediation computer system from the group of mediation computer systems for further processing of the task file; - transmission of task information in the task file from the primary mediation computer system to a primary processing computer system from a plurality of processing computer systems; and execution of at least one action in the primary processing computer system using the transmitted task information. Furthermore, all predetermined network ports of the group of processing computer systems that are used for this method remain closed, so that no connection to the processing computer systems may be established from outside and access via a network by means of these network ports is thus prevented. A given processing computer system can establish a connection to a given mediation computer system in order to fetch corresponding task information from the task file in the mediation computer system.
EP15727622.1A 2014-06-03 2015-06-01 Procédé de répartition de tâches entre des systèmes informatiques, infrastructure de réseau d'ordinateurs ainsi que produit-programme d'ordinateur Withdrawn EP3152660A1 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE102014107788 2014-06-03
DE102014112478.2A DE102014112478A1 (de) 2014-06-03 2014-08-29 Verfahren zur Verteilung von Tasks zwischen Computersystemen, Computernetz-Infrastruktur sowie Computerprogramm-Produkt
PCT/EP2015/062152 WO2015185505A1 (fr) 2014-06-03 2015-06-01 Procédé de répartition de tâches entre des systèmes informatiques, infrastructure de réseau d'ordinateurs ainsi que produit-programme d'ordinateur

Publications (1)

Publication Number Publication Date
EP3152660A1 true EP3152660A1 (fr) 2017-04-12

Family

ID=54481197

Family Applications (1)

Application Number Title Priority Date Filing Date
EP15727622.1A Withdrawn EP3152660A1 (fr) 2014-06-03 2015-06-01 Procédé de répartition de tâches entre des systèmes informatiques, infrastructure de réseau d'ordinateurs ainsi que produit-programme d'ordinateur

Country Status (5)

Country Link
US (1) US20170220391A1 (fr)
EP (1) EP3152660A1 (fr)
JP (1) JP6419216B2 (fr)
DE (1) DE102014112478A1 (fr)
WO (1) WO2015185505A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11256539B2 (en) 2016-02-29 2022-02-22 Alibaba Group Holding Limited Task processing method, apparatus, and system based on distributed system

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102014107793B9 (de) * 2014-06-03 2018-05-09 Fujitsu Technology Solutions Intellectual Property Gmbh Verfahren zur Weiterleitung von Daten zwischen Computersystemen, Computernetz-Infrastruktur sowie Computerprogramm-Produkt
DE102016115193A1 (de) 2016-08-16 2018-02-22 Fujitsu Technology Solutions Intellectual Property Gmbh Verfahren zur sicheren Datenhaltung in einem Computernetzwerk
EP3413204B1 (fr) 2017-06-09 2019-05-08 dSPACE digital signal processing and control engineering GmbH Procédé d'administration parallèle de données d'entrée continues et à synchronisation de tâches d'un système en temps réel

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040019890A1 (en) * 2002-07-23 2004-01-29 Sun Microsystems, Inc., A Delaware Corporation Distributing and executing tasks in peer-to-peer distributed computing

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2281793A (en) * 1993-09-11 1995-03-15 Ibm A data processing system for providing user load levelling in a network
US6263368B1 (en) * 1997-06-19 2001-07-17 Sun Microsystems, Inc. Network load balancing for multi-computer server by counting message packets to/from multi-computer server
US20020083170A1 (en) * 2000-10-26 2002-06-27 Metilinx System-wide optimization integration model
US7111300B1 (en) * 2001-01-12 2006-09-19 Sun Microsystems, Inc. Dynamic allocation of computing tasks by second distributed server set
US7284067B2 (en) * 2002-02-20 2007-10-16 Hewlett-Packard Development Company, L.P. Method for integrated load balancing among peer servers
US20030204602A1 (en) * 2002-04-26 2003-10-30 Hudson Michael D. Mediated multi-source peer content delivery network architecture
JP2004054855A (ja) * 2002-05-28 2004-02-19 Dainippon Printing Co Ltd 並列処理システム、サーバ、処理端末装置、並列処理方法、プログラム、及び、記録媒体
US8799918B2 (en) * 2006-09-11 2014-08-05 Microsoft Corporation Dynamic network load balancing using roundtrip heuristic
US8219684B1 (en) * 2011-11-02 2012-07-10 Google Inc. Redundant data requests with cancellation
US20150067019A1 (en) * 2013-08-28 2015-03-05 Soeren Balko Method and system for using arbitrary computing devices for distributed data processing

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
KEN SLONNEGER: "XML-Rpc", INTERNET CITATION, 2006, pages 1 - 49, XP002723230, Retrieved from the Internet <URL:http://homepage.cs.uiowa.edu/~slonnegr/xml/10.XML-RPC.pdf> [retrieved on 20140410] *
See also references of WO2015185505A1 *

Also Published As

Publication number Publication date
WO2015185505A1 (fr) 2015-12-10
US20170220391A1 (en) 2017-08-03
DE102014112478A1 (de) 2015-12-03
JP6419216B2 (ja) 2018-11-07
JP2017519298A (ja) 2017-07-13

Similar Documents

Publication Publication Date Title
EP3669498B1 (fr) Procédé et système de contrôle pour le contrôle et/ou la surveillance d'appareils
DE102018104637A1 (de) Ausfallsicherungsantwort unter verwendung eines bekannten guten zustands eines dezentral geführten kontobuchs
EP2981926B1 (fr) Dispositif de stockage de données permettant un échange de données protégé entre différentes zones de sécurité
EP3518492B1 (fr) Procédé et système de divulgation d'au moins une clé cryptographique
EP3152884B1 (fr) Procédé de transfert de données entre des systèmes informatiques, infrastructure de réseau d'ordinateurs et produit-programme d'ordinateur
EP3152660A1 (fr) Procédé de répartition de tâches entre des systèmes informatiques, infrastructure de réseau d'ordinateurs ainsi que produit-programme d'ordinateur
DE102016115193A1 (de) Verfahren zur sicheren Datenhaltung in einem Computernetzwerk
DE102014107783B4 (de) Routing-Verfahren zur Weiterleitung von Task-Anweisungen zwischen Computersystemen, Computernetz-Infrastruktur sowie Computerprogramm-Produkt
DE112022000280T5 (de) Identitätsautorität
EP3718263B1 (fr) Procédé et système de contrôle pour le contrôle et/ou la surveillance d'appareils
DE102016206739A1 (de) Systeme und Verfahren zum Absichern einer Remotekonfiguration
EP3318033B1 (fr) Procédé anti-cracking impiquant un ordinateur-relais
EP3152880B1 (fr) Procédé de communication entre des systèmes informatiques sécurisés, infrastructure de réseau d'ordinateurs ainsi que produit-programme d'ordinateur
EP3648430B1 (fr) Module de sécurité de matériel
DE112004000125T5 (de) Gesichertes Client-Server-Datenübertragungssystem
DE102012208290B4 (de) Netzübergangskomponente mit anfrage/antwort-zuordnung und überwachung
EP3105899B1 (fr) Procédé de démarrage d'un système informatique de production
EP2378422A1 (fr) Système et procédé pour la transmission des dates
EP2446599B1 (fr) Transmission securisee contre la manipulation de donnees entre des appareils d'automatisation
DE102014109906A1 (de) Verfahren zum Freischalten externer Computersysteme in einer Computernetz-Infrastruktur, verteiltes Rechnernetz mit einer solchen Computernetz-Infrastruktur sowie Computerprogramm-Produkt
EP4107640B1 (fr) Procédés et systèmes de transmission des artefacts logiciels d'un réseau source vers un réseau cible
EP2183902B1 (fr) Procédé pour détecter une attaque de déni de service et terminal de communication
DE102016206741A1 (de) Systeme und Verfahren zum Absichern einer Remote-Konfiguration
DE102009036178A1 (de) Verfahren und Antwort-Mittel zum verkürzten Beantworten einer Anfrage bei Nicht-Verfügbarkeit einer angefragten Server-Vorrichtung
DE102015116601A1 (de) Verfahren zum Freischalten externer Computersysteme in einer Computernetz-Infrastruktur, verteiltes Rechnernetz mit einer solchen Computernetz-Infrastruktur sowie Computerprogramm-Produkt

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20161201

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20171026

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 69/40 20220101ALI20220607BHEP

Ipc: H04L 67/1001 20220101ALI20220607BHEP

Ipc: H04L 9/40 20220101ALI20220607BHEP

Ipc: H04L 43/0811 20220101ALI20220607BHEP

Ipc: G06F 9/50 20060101AFI20220607BHEP

INTG Intention to grant announced

Effective date: 20220712

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20221123