JP2000047997A - Mobile agent system and mobile agent managing control method in distributedly configurated computer system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To make improvable the security, certification or access control for safely operating an agent in a mobile agent system. SOLUTION: The agent system 100 is provided with an agent access right inquiring part for inquiry to an agent certifying server 120 in order to check the right of agent operation and the agent certifying server 120 is provided with an access right checking part 122 for holding the right of access to the agent and answering whether access is legal or not when there is an inquiry.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an agent technology in network computing and the like, and more particularly to a mobile agent system related to security, authentication, access control, and the like, and a mobile agent system in a distributed computer system. It relates to an agent management control method.

[0002]

2. Description of the Related Art Conventionally, an agent technology in a network computing or the like, particularly a mobile agent, aims to perform an appropriate process at an appropriate place while moving an agent code and data. And By moving the agent and continuing the processing while performing communication between the agents as needed, a highly flexible system can be constructed.

[0005] An application system created based on the mobile agent technology can be regarded as a set of programs that operate on different computers. An agent that has mobility based on a conventional object-oriented technology can be regarded as an agent.

[0004] The agent proceeds with processing while moving a plurality of computers, and when the initial work is completed, the agent holds the result and returns.

Generally, an agent moves while collecting information from each computer and obtaining a processing result.

The agent operates as a proxy of the user who created the agent at the destination computer.

[0007] The behavior of an agent is to move to a computer at a remote place on behalf of the user and perform data collection and device operation, but generation of an agent by an unauthorized user behaves in the same manner as a virus program. Also. Against this background, there has been a problem that agent technology is not applied to practical systems.

[0008]

As described above, for this purpose, the creator information of the agent is accurately retained, the information is prevented from being falsified during the movement of the agent, and the information is stored in the destination computer. You need to retrieve that information from the agent and authenticate that you are the agent.

[0009] The mobile agent executes processing at the destination as a proxy for the user. For this purpose, a mechanism is required to check whether the agent is an agent generated by a correct user or an agent that the user can operate.

The present invention has been made in consideration of the above circumstances, and solves the above-mentioned problems and the like in order to operate an agent safely. The following (1) to (4)
It is an object of the present invention to provide a mobile agent system for improving security, authentication, and access control, and a mobile agent management control method in a distributed computer system.

(1) A function for accurately retaining the authority of the user in the agent (2) A function for preventing eavesdropping and tampering of the agent and its execution code while moving (3) Whether the agent is an executable agent Checking function (4) Function of checking whether or not the destination resource can be accessed The function (1) prevents the generation of an unauthorized agent that does not follow the authority of the user. The function (2) is to prevent eavesdropping and tampering of agent data on the network. The function (3) is to prevent destruction of a node by checking whether the agent can be executed by the computer when the agent moves. The function (4) is to prevent the agent from illegally accessing the computer resources by checking the access right to the resource of the agent.

[0012]

In order to achieve the above object, the present invention has a structure having the following functions (1) to (17).

(1) In a computer system in which an agent system composed of a plurality of mobile agents and an agent authentication server are connected together via a network, each agent system checks the authority of agent operation. Agent access right inquiring means for making an inquiry to an agent authentication server, wherein the agent authentication server retains the access right to the agent and, when there is an inquiry, an access right checking means for replying whether the access is valid or not. It is characterized by having.

According to the configuration having such a function, the execution authority of the agent and the resource access authority of the agent are centrally managed by the agent authentication server. As a result, even when the access authority is changed, it is possible to perform the correction collectively.

(2) In a computer system in which an agent system composed of a plurality of mobile agents is connected via a network, at least one agent system is set to have an agent operation authority to another agent system. , And each agent system has an access right holding unit for holding an agent operation right.

According to the configuration having such a function, by registering the execution authority of the agent and the resource access authority of the agent collectively from the remote machine,
You can set consistent access permissions,
Authority check can be performed locally when the agent moves or when the agent accesses the computer resource.

(3) In an agent system composed of a plurality of mobile agents and a computer system in which an agent authentication server is connected to a network, the agent authentication server holds access authority to the agent and performs access. Having access authority setting means for setting the authority of agent operation to the agent system when the authority is changed, and each agent system having access authority holding means for holding the authority of agent operation It is characterized by.

According to the configuration having such a function, the execution authority of the agent and the resource access authority of the agent are centrally managed, and the access authority information is distributed to the corresponding agent system, thereby accessing the agent authentication server every time. Since there is no need, operation efficiency can be increased. In addition, when access rights are changed, corrections can be made collectively, and authority checking can be performed locally when an agent moves or when an agent accesses a computer resource. become.

(4) In a computer system in which an agent system constituted by a plurality of mobile agents and an agent authentication server are connected together via a network, the agent authentication server receives a user name from the agent system. Identify this,
An identification code management unit that returns an identification code that is valid for a predetermined period; and an identification code determination unit that determines whether an identification code passed from the agent system is valid. The agent generation means for holding the identification code returned from the agent authentication server in the agent, and the agent system which receives the agent when the agent moves, inquires the agent authentication server of the identification code embedded in the agent, and if it is correct, executes the execution. It has an agent execution control means for performing.

With the configuration having such a function, in the life cycle of the agent, old user information is obtained by some means by using an identification code that is valid only for a certain period as user information. Even so, the validity period makes it difficult for unauthorized use.

(5) In addition to the above (4), when the agent moves, the identification code management means generates a new identification code if it is correct and returns it to the agent system in response to an inquiry made from the agent system. Invalidate the identification code. In the agent system, when the identification code is correct, the new identification code is embedded in the agent and executed. When the identification code is incorrect, the movement is rejected.

According to such a configuration, by shortening the lifetime of the identification code, it is possible to reduce unauthorized access using the accidentally obtained identification code.

(6) In an agent system composed of a plurality of mobile agents and a computer system in which an agent authentication server is connected to a network, when the agent is generated, the agent system generates the agent. The agent inquires the agent authentication server whether or not the user has the right, and if it can be generated, the agent is generated and executed by holding the information of the agent creator as user information in the agent. It is characterized in that the agent is not generated when there is no authority to generate the agent.

According to the configuration having such a function, by generating the agent by the agent authentication server, it is possible to prevent an unauthorized agent from being generated in the computer system.

(7) In addition to the above (6), when the agent moves, the agent system extracts the user information held by the moving agent and determines whether or not the agent has authority to execute the computer. To the agent authentication server, and if executable, allow the agent to move and execute it. It is characterized in that the movement of the agent is refused when the user does not have the authority to execute.

According to the configuration having such a function, the agent authentication server checks the authority to move the agent, thereby preventing an unauthorized agent who is not permitted to a specific computer in the computer system from moving. Can be.

(8) In a computer system in which an agent system composed of a plurality of mobile agents is connected via a network, when a user changes the access authority of an agent, the agent system is operated by the user. When the access right information in the access right setting means is corrected, the access right setting means sends the changed access right information to the corresponding agent system. An agent system in which an access right has been changed receives information changed by the access right holding unit, and changes the internally held access right.

According to the configuration having such a function, by registering the execution authority of the agent and the resource access authority of the agent collectively from the remote machine,
It is possible to set access rights without inconsistency.

(9) In a computer system in which an agent system composed of a plurality of mobile agents is connected via a network, when the agent moves, the agent system holds the agent system. The user information is fetched, the internal access right holding means is inquired as to whether or not the user has the right to execute the computer, and if executable, the agent is permitted to move and executed. It is characterized in that the movement of the agent is refused when the user does not have the authority to execute.

According to the configuration having such a function, the authority to move the agent can be checked locally, so that the load on the network can be reduced, and a specific computer in the computer system can be authorized. Unauthorized agents can be kept from moving.

(10) In a computer system in which an agent system composed of a plurality of mobile agents is connected via a network, when the agent accesses a resource in the computer, the agent system is connected to a user held by the agent. The information is taken out, and user information is added as an interface to resource management means for managing resources in the computer. At the time of access to the resource, the resource management means passes the user information and the resource information to the access right holding means, determines whether or not the access is possible, and permits the access to the resource when the access is possible. It is characterized in that access is denied when not permitted.

According to the configuration having such a function, when the agent makes a resource access (specific function call or memory access) in the computer, it checks whether or not the operation is permitted by the agent. As a result, it is possible to prevent the resources of the computer from being used improperly or performing unexpected operations.

(11) Instead of the user information of (10), when the moving agent accesses the computer resources, the operation group information is extracted from the user information embedded in the agent, and the group is accessed when the resources are accessed. It is characterized by adding information.

According to the configuration having such a function, it can be used when an agent performing a task wants to operate not with an individual but with the authority of a group.

(12) When an agent accesses a resource in a computer, user information held by the agent is passed in advance as an interface to resource management means for managing the resource in the computer, and the agent based on the information is passed. Returns a table describing APIs that can be operated to the agent. When the agent calls the API, the agent adds the table, and the resource management unit determines whether operation is possible based on the information in the table. Features.

According to the configuration having such a function, the access authority is not checked every time the agent accesses the computer resource, so that an efficient access operation can be performed.

(13) In a computer system in which a plurality of agent systems each composed of a plurality of mobile agents and an agent authentication server are connected to each other via a network, when an agent is generated, the agent system sends a request to the agent authentication server. Pass the user name and have it issue an identification code that is valid for a certain period of time. The identification code is stored in the generated agent and executed.

According to the configuration having such a function, as the user information in the life cycle of the agent,
By using an identification code that is valid only for a certain period of time, even if old user information is obtained by some means, it is difficult to be illegally used because of the valid period.

(14) When the agent moves, the sending side of the agent extracts the identification code embedded in the agent, and inquires of the agent authentication server whether or not it becomes invalid during the movement of the agent.
If the validity period is sufficient, it is moved as it is. If the validity period is insufficient, a new identification code is issued based on the current identification code, and the agent holds and moves it. The agent system that receives the agent takes out the identification code embedded in the agent and passes it to the agent authentication server to determine whether the identification code is correct. When the identification code is correct, the agent is executed, and when the identification code is not correct, the movement of the agent is rejected.

According to the configuration having such a function, in the life cycle of the agent, the old user information is obtained by some means by using the identification code valid only for a certain period as the user information. However, because they have a validity period, they are less likely to be illegally used.

(15) When the agent moves, the agent system that receives the agent takes out the identification code embedded in the agent and passes it to the agent authentication server to determine whether or not the identification code is correct. If the identification code is correct, a new identification code is returned from the agent authentication server. This is held by the agent, and the agent is executed.
On the other hand, when it is not correct, the movement of the agent is refused.

According to the configuration having such a function, in the life cycle of the agent, the old user information is obtained by some means by using the identification code valid only for a certain period as the user information. However, because they have a validity period, they are less likely to be illegally used.

(16) When the agent moves, the agent system passes the identification code embedded in the agent to the agent authentication server, and checks whether the identification code is issued by the identification code management means. If it is correct, the identification code management means leaves a passage record in the identification code and returns it. The agent system stores the returned identification code in the agent.

According to the configuration having such a function, the log of the movement of the agent is obtained by recording the movement path of the agent in the identification code.

(17) When the agent moves, the agent system passes the identification code embedded in the agent to the agent authentication server, and checks whether or not the identification code has been issued by the identification code management means. At this time, the pass record held in the agent authentication server is compared with the pass record left in the identification code, and it is checked that there is no inconsistency. If the identification code is correct, the identification code management means leaves a passage record in the agent authentication server and the identification code, and returns the identification code. The agent system stores the returned identification code in the agent.

According to the configuration having such a function, by recording the moving path of the agent in the identification code, not only the log that the agent has moved, but also the log is left on the agent authentication server side. Can be collated.

[0047]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS An embodiment of the present invention will be described below with reference to the drawings.

(First Embodiment) FIG. 1 shows a first embodiment of the present invention.
1 is a schematic configuration diagram illustrating an embodiment of a distributed configuration computer system including a plurality of agent systems 100 including a plurality of agents and an agent authentication server 120 according to the embodiment.

More specifically, FIG. 11 is a diagram showing a mode of operation when checking whether or not an agent has been generated by a correct user and is accessing a permitted resource.

As shown, the agent client C1 (101),..., The agent client Cn
(101), agent platform P1 (10
2),..., Agent platform Pn (10
2) are connected via the network 110.

For example, the agent client C1
The agent issued from (101) moves through several agent platforms (102,...) Via the network 110, and finally returns to the agent client C1 (101).

The agent client 101,
…, 101 and agent platform 102,
, 102 differ depending on whether or not the user operates directly. If the two are not distinguished, they will be referred to as agent systems 100,. Also, in this embodiment, when describing each (or specific) agent system, agent client, agent platform and those related thereto, the agent system is simply 100, except for special cases.
The description will be made assuming that the agent client is 101, the agent platform is 102, and the like.

The agent authentication server 120 is a server that holds an access control list and determines whether an agent is created for a correct user and can access computer resources.

FIG. 2 shows a module configuration of the agent authentication server 120.

The agent authentication server 120 includes an access right holding unit 121 for holding the access right to the agent, an access right check unit 122 for replying whether the access is valid when inquired about the access right, an access right Is configured to have an access authority setting unit 123 and the like for setting the authority of agent operation to the agent system when there is a change.

FIG. 3 shows a module configuration provided in each agent system 100. Here, the agent system C is a representative example of the agent system.
The description will be made using m (100), but the same applies to other cases.

In the agent system 100, there are an agent 103, which is an application which is a task to be performed by the user, and an agent manager 104 which manages the life cycle of the agent 103. The agent 103 is generated by the agent manager 104. The agent manager 104 may be created when the agent system operates, or may be created dynamically. In the present embodiment, the agent manager is a generic term for the following management modules.

That is, the agent manager 104
An access right inquiring unit 105 for inquiring the agent authentication server 120 for checking the authority of the agent operation, an agent generating unit 106 for generating the agent, and the agent can be executed on the computer when the agent moves. It is composed of an agent execution control unit 107 for judging and executing the above.

The agent 103 is generated by the agent system 104.

The operation of the agent system and the agent authentication server when an agent is generated will be described with reference to the flowchart of FIG. Note that the flow of the processing in the flowchart is described in, for example, an area such as (agent system) or (agent authentication server) so that it is possible to grasp where the processing is mainly performed. Exclude:
This is common to all embodiments of the present invention.

When the agent 103 is generated,
Agent generation unit 10 of agent system 100
6 retrieves, from the computer, user information for generating the agent 103 (step S402).

Here, the user information is a user name.

It is assumed that the user name can be obtained from the information of the user currently logged in to the computer.

As another method, there is a method of reading and using user information from an IC card or the like. In any case, it is assumed that the user information is obtained outside the agent system.

Upon acquiring the user information, the agent generation unit 106 passes the user name and the name of the agent to be generated to the access authority inquiry unit 105, and determines whether the agent can be generated (step S404).

The access right inquiry unit 105 sends the user name and the agent name to the agent authentication server 120.

In the agent authentication server 120, the access authority checking unit 122 extracts the access control list of the user name and the agent name from the access authority holding unit 121 (step S406), and determines whether or not the user has the execution authority (step S406). Step S408).

If it is determined that the user has the execution authority (YES in step S406), a message of “success” is returned (step S410). A "failure" message is returned (step S412).

When “success” is returned from agent authentication server 120 (YES in step S 414), access right inquiry section 106 determines that an agent can be generated, and agent generation section 106 generates an agent. Pass the user name as a parameter of to keep the user name. Then, the agent is executed by putting it in the agent pool 108 (step S416).

On the other hand, the access right inquiry section 105
When the "failure" message is returned from the agent authentication server 120 (NO in step S414), it is determined that generation of the agent is impossible, and the agent generation unit 106 does not generate the agent, and informs the creator. To notify that there is no execution authority (step S
418) End the process.

As a method for making the generation more reliable, for example, it is assumed that an agent is generated by a Java applet, and for a page that calls the applet,
By setting the read access authority, the creator can be limited.

Next, the operation when the agent moves will be described with reference to the flowchart of FIG. Here, it is assumed that the agent B moves from the agent system A1 to the agent system A2.

The agent system A1 extracts the agent name held by the agent and the user name as the agent creator from the agent (step S5).
02), it is added to the agent movement request for the agent system A2 (step S504).

The agent execution control unit 107 of the agent system A2 checks whether or not the agent system can be operated based on the agent name and the user name included in the movement request (step S506).
The agent name and the user name are passed to the access right inquiry unit 105.

The access right inquiry unit 105 sends the user name and the agent name to the agent authentication server 120.

In the agent authentication server 120, the access right holding unit 12 is
Then, the access control list of the user name and the agent name is extracted from Step 1 (Step S508), and it is determined whether the user has the execution right (Step S510).

If the user has the execution right (step S51)
(YES in step S51), a "success" message is returned (step S512).
0 (NO), return a "failure" message (step S
514).

When “success” is returned from the agent authentication server 120 (YES in step S 516), the access right inquiry unit 105 determines that the agent can be moved and notifies this (step S 51).
8) The agent execution control unit 107 receives the agent B from the agent system A1 (step S520).

The agent B is accepted and put into the agent pool 108 to execute the agent (step S522).

On the other hand, the access right inquiry section 105
When "failure" is returned from the agent authentication server 120 (NO in step S516), it is determined that the agent cannot be moved, and the agent execution control unit 107 does not move the agent. To notify that the user does not have the authority to move (step S524), and ends the processing.

Similarly, a case where an agent in an agent system accesses a computer resource which does not have ownership during execution of the agent will be described with reference to the flowchart of FIG.

Here, it is assumed that the agent B created by the user U accesses the computer resource R1.

The agent execution control unit 107 of the agent system in which the agent B operates operates to check the access right inquiry unit from the resource name and the user name included in the resource access request to determine whether the agent is accessible. The resource name and the user name are passed to 105 (steps S602 and S60).
4). The access authority inquiry unit 105 sends the user name and the resource name to the agent authentication server 120.

In the agent authentication server 120, the access right checking unit 122 makes the access right holding unit 12
Then, the access control list of the user name and the resource name is extracted from Step 1 (Step S606), and it is determined whether the user has the execution right (Step S608).

If the user has the execution right (step S60)
8), a “success” message is returned (step S610), and if there is no execution authority (step S60)
8; NO), return a "failure" message (step S
612).

When "success" is returned from the agent authentication server 120 (YES in step S614), the access right inquiry unit 105 determines that the agent can access the resource R, and determines that the resource is actually accessed. Execute (step S616).

On the other hand, when “failure” is returned from the agent authentication server 120 (NO in step S 614), the access right inquiry unit 105 rejects the agent from accessing the resource R by the agent execution control unit 107. By notifying that there is no access right, the execution of the agent is stopped (step S618).

Note that the processing operation of the above-described embodiment is realized by middleware, and the contents thereof include a magnetic disk such as a floppy disk and a hard disk,
Obviously, it can be provided and realized by an optical disk such as a CD-ROM or an MO or a distribution form via a network.

(Second Embodiment) Hereinafter, a second embodiment of the present invention will be described.

FIG. 7 is a block diagram showing an embodiment of a distributed computer system comprising a plurality of agent systems comprising a plurality of agents according to this embodiment. Specifically, it is a diagram illustrating an operation mode when checking whether or not an agent is accessing a permitted resource generated by a correct user.

As shown, the agent clients C1 (201),..., Cn (201) and the agent platforms P1 (202),.
Are connected via the network 210. For example, an agent issued from the agent client C1 (201) moves through several agent platforms 202 via the network 210,
Finally, the operation returns to the agent client C1 (201).

The difference between the agent client 201 and the agent platform 202 is whether or not the user operates directly. If the two are not distinguished, they are simply referred to as the agent system 200. Also, in the present embodiment, when describing each or specific agent systems, agent clients, agent platforms and those related thereto, unless otherwise specified, the agent system is simply 200, the agent client is 201, the agent The platform will be described as 202 or the like.

FIG. 8 shows a module configuration of the agent system 200. Agent system 2
00 is an agent 203 that is an application that is a task that the user wants to perform, and an agent manager 20 that manages the life cycle of the agent 203.
4 exists.

The agent 203 is generated by the agent manager 204. Agent Manager 20
4 may be generated when the agent system operates, or may be dynamically generated.

In the present embodiment, the agent manager is a generic term for the following management modules. That is, the agent manager includes an access right distribution unit 205 for setting the authority of the agent operation to another agent system, an access right holding unit 206 for holding the authority of the agent operation and determining locally, and an agent for generating an agent. The generation unit 207 includes an agent execution control unit 208 and the like that determines whether or not the agent can be executed by the computer when the agent moves, and executes the agent.

With respect to the above configuration, a method in which the user changes access authority such as agent execution authority and resource access authority and reflects the change in the related agent system will be described with reference to the flowchart of FIG.

The user uses the agent system 200 to change the access right by using a means (not shown).
The access control list in the access right holding unit 206 is corrected. For example, modify the access control list in the editor. For simplicity,
It is assumed that the user has changed a part related to the agent system A2 in the access control list held in the agent system A1.

When the access control list is changed in the access right holding unit 206 of the agent system A1, the changed access control list is sent to the access right distribution unit 206 to send the changed information to another agent system. .

The access right distribution unit 205 of the agent system A1 extracts information about each agent system from the access control list (step S902), and sends it to each access right holding unit 206 (step S904). In this example, the changed access control list is sent to the access right holding unit 206 of the agent system A2.

The access authority holding unit 206 of the agent system A2 internally holds the sent access control list as new information (Step S).
906, S908).

Next, the operation of the agent system when an agent is generated will be described with reference to the flowchart of FIG.

When an agent is generated, the agent generation unit 207 of the agent system 200
User information for generating an agent is extracted from the computer (step S1002). Here, the user information is a user name.

Upon acquiring the user information, the agent generation unit 207 passes the user name and the name of the agent to be generated to the access authority holding unit 26, and determines whether the agent can be generated.

The access right holding unit 206 extracts the access control list of the user name and the agent name (step S1004), and determines whether or not the user has the execution right (step S1006).

If the user has the execution right (step S10
(YES in step 06), a “success” message is returned. If the user does not have the execution right (NO in step S1006), a “failure” message is returned.

When "success" is returned from the access right holding unit 206, the agent generation unit 207 determines that an agent can be generated, and passes the user name as a parameter for agent generation to hold the user name. Let it. Then, the agent is executed by being put into the agent pool 209 (step S100).
8).

On the other hand, when "failure" is returned from the access right holding unit 206, the agent generation unit 207 determines that generation of an agent is impossible, and notifies the creator that there is no execution right. (Step S
1010) The process ends.

Next, the operation when the agent moves will be described with reference to the flowchart of FIG.

Here, it is assumed that agent B moves from agent system A1 to agent system A2.

The agent system A1 extracts the agent name held by the agent and the user name as the agent creator from the agent (step S1).
102), it is added to the agent movement request for the agent system A2 (step S1104).

In the agent execution control unit 208 of the agent system A2, the access authority holding unit 206 is used to check whether the agent system can be operated from the agent name and the user name included in the transfer request.
Pass the agent name and user name to.

The access authority holding unit 206 of the agent system A2 extracts the access control list of the user name and the agent name (step S110).
6) It is determined whether or not the user has the execution right (step S1).
108).

If the user has the execution authority (step S11)
(YES of 08), a message of “success” is returned, and if there is no execution authority (NO of step S1108), a message of “failure” is returned.

When "success" is returned from the access right holding unit 206, the agent execution control unit 208 of the agent system A2 determines that the agent can be moved, and notifies this to the effect. The agent B is accepted from the system A1 (steps S1110 and S1112). Then, the agent B is accepted and put into the agent pool 209 to execute the agent (step S111).
4).

On the other hand, the agent execution control unit 208
When "failure" is returned from the access right holding unit 206, it is determined that the agent cannot be moved, and the agent system A1 is notified that there is no moving right (step S1116), and the process ends. I do.

Similarly, a case where an agent in the agent system accesses a computer resource which does not have ownership during execution of the agent will be described with reference to the flowchart of FIG. Here, it is assumed that the agent B created by the user U accesses the computer resource R1.

The agent execution control unit 208 of the agent system in which the agent B operates operates to check whether the agent is a resource that can be accessed from the resource name and the user name included in the resource access request. The resource name and the user name are passed to 206.

The access right holding unit 206 extracts the access control list of the user name and the resource name (step S1202), and determines whether or not the user has the execution right (step S1204).

If the user has the execution right (step S12)
04), a “success” message is returned. If the user does not have the execution right (NO in step S1204), a “failure” message is returned.

When the access right holding unit 206 returns “success”, the agent execution control unit 208
The agent determines that the resource R is accessible, and actually accesses the resource (step S1206).

On the other hand, the agent execution control unit 208
When "failure" is returned from the access authority holding unit 206, this is notified, access to the resource R is refused, and execution of the agent is stopped (step S1208).

In this example, the access control is confirmed by the user name. However, the operation group information is extracted from the user information stored in the agent, and the access control list is confirmed by the group name instead of the user name. Is also good. There is also a method of checking the access control list at one time.

That is, the agent B created by the user U
Are computer resources R1, R in the agent system A1
2. Access to R3.

In the agent execution control unit 208 of the agent system in which the agent B operates, the user name is passed to the access authority holding unit 206 before accessing the resource.

The access authority holding unit 206 extracts the access control list of the user name (corresponding to step S1202 in FIG. 12), creates a table of resources having execution authority, and returns it to the agent execution control unit 208.

The agent execution control unit 208 holds the returned resource table as a pair with the user name.

When the agent B tries to access the resource R1, the agent execution control unit 208 determines whether or not R1 can be accessed using the resource table (corresponding to step S1204).

When access to the resource R1 is possible, access to the resource is actually performed (corresponding to step S1206).

On the other hand, if the access is not possible, this is notified, access to the resource R is refused, and the execution of the agent is stopped (step S1208 described above).
Equivalent).

(Third Embodiment) Hereinafter, a third embodiment of the present invention will be described.
An embodiment will be described. In the present embodiment, a configuration diagram of a distributed configuration computer system composed of a plurality of agent systems composed of a plurality of agents shown in FIG.
Referring to the diagram showing the module configuration of the agent system shown in FIG. 14 and the diagram showing the module configuration of the agent authentication server shown in FIG. 15, the same as in the first and second embodiments described above. The configuration will be described.

The agent authentication server 320 issues an identification code management unit 321 for issuing a valid identification code for a certain period based on the user information, an identification code holding unit 322 for holding a valid identification code, and an identification code validity unit. It is composed of an identification code determination unit 323 for determining whether or not the identification code is valid.

The agent 303 is generated by the agent system 300.

The operation of the agent system and the agent authentication server when an agent is generated will be described below with reference to the flowchart of FIG.

When the agent is generated, the agent generation unit 307 of the agent system 300
User information for generating an agent is extracted from the computer (step S1602).

Here, the user information is a user name.

Upon acquiring the user information, the agent generation unit 307 passes the user name and the name of the agent to be generated to the access authority inquiry unit, and determines whether the agent can be generated (step S1604).

The access right inquiry section sends the user name and the agent name to the agent authentication server 320.

In the agent authentication server 320, the access right checking unit fetches the access control list of the user name and the agent name from the access right holding unit 306 (step S1606), and determines whether the user has the execution right (step S1608). ).

If the user has the execution authority (step S16)
(YES in step 06), an identification code valid for a certain period is returned (step S1610), and if there is no execution authority (NO in step S1606), "failure" is returned (step S1).
612).

When the identification code is returned from agent authentication server 320 (YES in step S1614), access authority inquiry section 305 determines that an agent can be generated, and generates an agent.
In step (1), the identification code is held by passing the identification code as a parameter generated by the agent. Then, the agent is executed by putting it in the agent pool (step S1616).

On the other hand, when "failure" is returned from the agent authentication server (NO in step S1614), access right inquiry section 305 determines that generation of an agent is impossible, and agent generation means generates the agent. Is not performed, the creator is notified that there is no execution authority (step S1618), and the process ends.

Next, the operation when the agent moves will be described with reference to the flowchart of FIG. Here, it is assumed that the agent B moves from the agent system A1 to the agent system A2.

The agent system A1 extracts the identification code I1 held by the agent from the agent (step S1702), and the agent authentication server 3
20 is asked to determine whether the validity period of the identification code is sufficient (step S1704).

The identification code management unit 321 of the agent authentication server 320 checks the validity period of the identification code (step S1706). If the validity period defined by the system remains (sufficiently remains), "successful" Is returned (YES in step S1706, S1708).

If the validity period is short (step S1)
706), a new identification code I2 is issued and returned (step S1710).

If the identification code is invalid (invalid in step S1706), "failure" is returned (step S1).
712).

The agent system A1 behaves as follows according to the result returned from the agent authentication server 320.

That is, when "success" is returned (S1
708), an agent movement request is made to the agent system A2 by adding the agent name and the identification code I1 (step S1714).

When the new identification code is returned (step S1710), the new identification code I2 is embedded in the agent, and an agent move request is made to the agent system A2 by adding the agent name and the identification code I2 (step S1714). ).

When "failure" is returned (step S
1712) Since there is no authority to move, the process of moving is interrupted.

The agent execution control unit 308 of the agent system A2 sends the agent authority control unit 308 to the access authority inquiry unit 305 in order to check whether or not the agent system can be operated based on the agent name and the identification code included in the transfer request. The name and the identification code are passed (step S1716).

The access right inquiry section 305 sends the user name and the identification code to the agent authentication server 320.

In the agent authentication server 320, the access control list of the identification code and the agent name is extracted from the identification code holding unit 322 by the identification code determination unit 323 (step S1718), and it is determined whether or not the user has the execution right (step S1718). S1720).

If the user has the execution right (step S17)
20), a "success" message is returned (step S1722). If there is no execution authority (step S
(NO at 1720), and returns a “failure” message (step S1724).

When the access right inquiry section 305 of the agent system A2 returns "success" from the agent authentication server 320 (Y in step S1726).
ES), it is determined that the agent can be moved, and the agent execution control unit 208 notifies the agent system A1 of the acceptance of the agent B (step S1728) and accepts it (step S173).
0).

Then, accepting agent B,
The agent is executed by putting it in the agent pool (step S1730).

On the other hand, when "failure" is returned from the agent authentication server 320 (NO in step S1726), the access right inquiry unit 305 determines that the agent cannot be moved, and the agent execution control unit 307 The agent is not moved, and the agent system A1 is notified that there is no authority to move, and the process ends (step S1734).

Next, another method of the operation when the agent moves will be described with reference to the flowchart of FIG. Here, agent system A
Consider that agent B moves from 1 to agent system A2.

The agent system A1 extracts the identification code I1 held by the agent from the agent (step S1802), and the agent system A2
Then, an agent move request is made by adding the agent name and the identification code I1 to the agent (step S1804).

The agent execution control unit 307 of the agent system A2 checks from the agent name and the identification code included in the movement request whether or not the agent system A2 can be operated (step S180).
6) The agent name and identification code are passed to the access right inquiry unit 305.

The access right inquiry section 305 sends the user name and the identification code to the agent authentication server 320.

In the agent authentication server 320, the access control list of the identification code and the agent name is extracted from the identification code holding unit 322 by the identification code determination unit 323 (step S1808), and it is determined whether or not the user has the execution right (step S1808). S1810).

If the user has the execution right (step S18)
(YES in 10), issues a new identification code I2 and returns it (step S1812).

If there is no execution authority (step S18)
10: NO), “failure” is returned (step S181)
2).

The access right inquiry unit 305 of the agent system A2 receives the new identification code I2 from the agent authentication server 320 (step S2).
1816), it is determined that the agent can be moved, and the agent execution control unit 307 notifies the agent system A1 of the acceptance of the agent B (step S1818).

Then, the agent B is accepted (step S1820), and the identification code I is given to the agent.
The agent is executed by embedding 2 into the agent pool (step S1822).

On the other hand, when “failure” is returned from the agent authentication server 320 (NO in step S1816), the access right inquiry unit 305 determines that the agent cannot be moved and the agent execution control unit At 307, the agent is not moved, and the agent system A1 is notified that there is no authority to move (step S1824), and the process ends.

The above-described agent authentication server 32
It is also possible to change the operation of 0 as follows. That is, in the agent authentication server 320, the identification code determination unit 323 extracts the access control list of the identification code and the agent name from the identification code holding unit 322, and determines whether or not the user has the execution right. If the user has the execution right, the fact that the transfer request has been made is recorded in the identification code I1, and the result is returned as a new identification code I2. In addition to not only recording the movement request in the identification code, the identification code holding unit 322 in the agent authentication server 320
In addition, it is also possible to compare the past passage records in the determination and check whether the identification code is valid.

[0169]

As described above in detail, according to the present invention, the agent's authority can be accurately held by the agent, and the agent and its execution code can be prevented from being eavesdropped or falsified while moving, and further executed. It is possible to check whether the agent is a possible agent and to check whether the destination resource can be accessed. This eliminates the problem of operating the agent safely, and provides security functions and authentication. ,
Access control can be improved.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a configuration of a distributed computer system including a plurality of agent systems including a plurality of agents and an agent authentication server according to an embodiment of the present invention.

FIG. 2 is a block diagram showing a module configuration of the agent authentication server according to the embodiment;

FIG. 3 is an exemplary block diagram showing a module configuration of each agent system according to the embodiment;

FIG. 4 is a flowchart for explaining operations of an agent system and an agent authentication server when an agent is generated according to the embodiment;

FIG. 5 is a flowchart illustrating an operation when an agent moves according to the embodiment;

FIG. 6 is a flowchart for explaining an operation in the case where an agent in the agent system accesses a non-owned computer resource during execution of the agent according to the embodiment;

FIG. 7 is a block diagram showing a configuration of a distributed configuration computer system including a plurality of agent systems including a plurality of agents according to a second embodiment of the present invention.

FIG. 8 is a block diagram showing a module configuration of the agent system according to the embodiment;

FIG. 9 is a flowchart illustrating a method according to the embodiment, in which a user changes an access right such as an agent execution right and a resource access right, and reflects the change in a related agent system.

FIG. 10 is a flowchart for explaining an agent system operation when an agent is generated according to the embodiment;

FIG. 11 is a flowchart illustrating an operation when an agent moves according to the embodiment;

FIG. 12 is a flowchart illustrating a case where an agent in an agent system accesses a computer resource that does not have ownership during execution of the agent according to the embodiment;

FIG. 13 is a block diagram illustrating a configuration of a distributed configuration computer system including a plurality of agent systems including a plurality of agents according to a third embodiment of the present invention.

FIG. 14 is a block diagram showing a module configuration of the agent system according to the embodiment;

FIG. 15 is a block diagram showing a module configuration of the agent authentication server according to the embodiment;

FIG. 16 is a flowchart for explaining operations of the agent system and the agent authentication server when an agent is generated according to the embodiment;

FIG. 17 is a flowchart illustrating an operation when the agent moves according to the embodiment;

FIG. 18 is a flowchart for explaining the operation of another method for the operation when the agent moves according to the embodiment;

[Description of Signs] 100, 200, 300 ... Agent systems 101, 201, 301 ... Agent clients 102, 202, 302 ... Agent platforms 103, 203, 303 ... Agents 104, 204, 304 ... Agent manager 105 ... Access authority inquiry unit 106, 207, 307 ... agent generation units 107, 208, 308 ... agent execution control units 108, 209, 309 ... agent pools 110, 210, 310 ... networks 120, 220, 320 ... agent authentication servers 121, 206, 306 ... access Authority holding unit 122: access authority checking unit 123: access authority setting unit 205, 305: access authority distribution unit

Claims (17)

[Claims] In a computer system in which an agent system composed of a plurality of mobile agents and an agent authentication server are connected to a network, each agent system has the above-mentioned agent authentication in order to check the authority of agent operation. An agent access right inquiring means for inquiring the server; an access right checking means for holding the access right to the agent in the agent authentication server and determining whether or not the access is valid when an inquiry is made; A mobile agent system comprising: 2. In a computer system in which an agent system including a plurality of mobile agents is connected to a network, an access right for setting an agent operation right to at least one agent system to another agent system. A mobile agent system comprising: a distribution unit; and an access right holding unit for holding an agent operation right in each agent system. 3. In a computer system in which an agent system constituted by a plurality of mobile agents and an agent authentication server are connected to a network, the agent authentication server holds an access right to an agent, and It has an access right setting means for setting an agent operation right to the agent system when a change occurs, and each agent system has an access right holding means for holding an agent operation right. Characteristic mobile agent system. 4. In a computer system in which an agent system constituted by a plurality of mobile agents and an agent authentication server are connected to a network, the agent authentication server receives user name information from the agent system, Along with identifying the information, an identification code management unit that returns an identification code that is valid for a certain period, and an identification code determination unit that determines whether the identification code passed from the agent system is valid, At the time of agent generation, the above agent system
Agent generation means for holding the identification code returned from the agent authentication server in the agent, and an agent system receiving the agent when the agent moves, inquires the agent authentication server of the identification code embedded in the agent, and if correct, performs the processing. A mobile agent system, comprising: agent execution control means for executing. 5. An identification code management means for generating a new identification code and returning it to the agent system if the inquiry is correct from the agent system when the agent is moved, and invalidating the identification code if the inquiry is incorrect. 5. The agent system according to claim 4, wherein the agent system embeds a new identification code in the agent when the identification code is correct, executes the process, and rejects the movement when the identification code is incorrect. Mobile agent system. 6. In a computer system in which an agent system composed of a plurality of mobile agents and an agent authentication server are connected to a network, when an agent is generated, the agent system has authority to generate an agent. The agent authentication server is inquired as to whether or not the agent is generated. If the agent can be generated, the agent generation information is held in the agent, and the agent is generated. If the user does not have generation authority, the agent is not generated. Mobile agent management and control method in a distributed configuration computer system. 7. When moving an agent, the agent system extracts agent generation information held by the moving agent, inquires of the agent authentication server whether or not the computer has the authority to execute the computer, and if the agent is executable, 7. The mobile agent management and control method in a distributed computer system according to claim 6, wherein the agent migration is permitted, and the agent migration is rejected if the user does not have the execution right. 8. In a computer system in which an agent system composed of a plurality of mobile agents is connected via a network, when changing the access authority of an agent, the access authority information is changed in the operation target agent system. When modified, the changed access right information is sent to the corresponding agent system, and the agent system with the changed access right is
A mobile agent management and control method in a distributed computer system, characterized by receiving changed information and changing an access right held internally. 9. In a computer system in which an agent system composed of a plurality of mobile agents is connected to a network, when the agent moves, the agent system extracts user information held by the moving agent and executes the user information on the computer. A distributed configuration computer system that inquires whether or not the user has the authority to execute the agent, and if the operation is executable, the agent is allowed to move, and if the user does not have the execution authority, the agent is refused the agent movement. Mobile Agent Management and Control Method 10. In a computer system in which an agent system constituted by a plurality of mobile agents is connected to a network, when the agent accesses a resource in the computer, the agent system stores user information held by the agent. Fetching and adding user information as an interface to resource management means for managing resources in the computer, wherein the resource management means, when accessing the resources,
Pass the user information and resource information to the access authority holding means to judge whether or not access is possible. If the access is possible, permit access to the resource. If the access is not possible, deny access. A mobile agent management and control method in a distributed computer system characterized by the following. 11. The moving agent extracts operation group information from user information embedded in the agent when accessing a resource of the computer, and adds the group information when accessing the resource. A mobile agent management control method in the distributed configuration computer system described above. 12. When an agent accesses a resource in a computer, the agent passes user information held by the agent in advance as an interface to a resource management unit that manages resources in the computer, and the agent based on the information transmits the user information. Operable API
Is returned to the agent, the agent adds the table when calling the API, and the resource management unit determines whether or not operation is possible based on information in the table. Agent management and control method in a distributed distributed computer system. 13. In a computer system in which an agent system constituted by a plurality of mobile agents and an agent authentication server are connected to a network, when the agent is generated, the agent system:
Passing the user name information to the agent authentication server, controlling the issuance of an identification code that is valid for a certain period, and holding the identification code in the generated agent,
A mobile agent management and control method in a distributed configuration computer system characterized by being executed. 14. When the agent moves, the sending side of the agent takes out the identification code embedded in the agent, inquires of the agent authentication server whether or not it becomes invalid during the movement of the agent. If the agent system is not within the validity period, a new identification code is issued based on the current identification code, and the agent holds and moves the agent. The embedded identification code is taken out and passed to the agent authentication server to determine whether it is the correct identification code. If the identification code is correct, the agent is executed. If not, the agent is rejected. Distributed configuration computer system characterized by In mobile agent management control method Temu. 15. An agent system which receives an agent at the time of movement of an agent extracts an identification code embedded in the agent, passes it to an agent authentication server and determines whether or not the identification code is correct. The agent executes the agent by holding the new identification code returned from the agent authentication server, and rejects the movement of the agent if the identification code is incorrect, in the distributed configuration computer system. Mobile agent management control method. 16. When the agent moves, the agent system passes the identification code embedded in the agent to the agent authentication server and checks whether or not the identification code has been issued by the identification code management means. In the case of normal judgment by the management means,
A mobile agent management control method in a distributed configuration computer system, wherein the agent system sends back the identification code while leaving a passage record, and the agent system holds the returned identification code in an agent. 17. When the agent moves, the agent system passes the identification code embedded in the agent to the agent authentication server, checks whether or not the identification code has been issued by the identification code management means, and checks the agent authentication information. The pass record held in the server is compared with the pass record remaining in the identification code, and it is checked that there is no inconsistency. Wherein the agent system retains the returned identification code in the agent. A mobile agent management and control method in a distributed computer system, comprising: