JP2011160383A - Monitoring device, monitoring method, and monitoring program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a monitoring device, a monitoring method and a monitoring program which can disable a server application which is not normally operated while the server application is retained to be easily obtainable. <P>SOLUTION: A CA server 20 which is an example monitoring device holds a condition determination table 207 which stores criteria including at least a first criterion indicating the frequency of use of the server application. When there is a request for issuance of a certificate from a management server, a certificate issuer 202 unconditionally issues a trial certificate. When receiving a request for issuance of the official certificate from the management server, a log collector 205 acquires a communication history (communication log) with an image processing device. A determiner 204 determines the degree of actual use of the management server based on the condition determination table 207 and the communication history. When it is determined that there is actual use, the certificate issuer 202 issues the official certificate with a relaxed limitation on communication. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a monitoring apparatus, a monitoring method, and a monitoring program, and more particularly to a monitoring apparatus, a monitoring method, and a monitoring program that can monitor the operation of a server application for managing an image processing apparatus.

  When a server application for managing an image processing apparatus such as an MFP (Multi Function Peripheral) is installed in the communication apparatus and an electronic certificate necessary for authentication on the image processing apparatus side is issued, the communication The apparatus can function as a management server for the image processing apparatus.

  Regarding issuance of an electronic certificate, in Patent Document 1, when a client applies for issuance of an electronic certificate, a server issues a certificate by collating application information from the client with personal information in a client authentication DB. It describes that a condition is determined and a certificate authority is requested to issue an electronic certificate when the condition is satisfied.

JP 2001-36521 A

  Server applications handle important information such as customer usage and billing information and should not be installed indefinitely. On the other hand, the server application needs to be easily available for reasons such as causing a third vendor to develop software corresponding to the server application.

  However, if it is easily available, there is a possibility that a management server that has been left installed or a management server that is insufficiently set or managed may be left open. If a customer's device (image processing apparatus) is connected to such a management server that is not properly operated, a problem such as information leakage may occur, which may lead to a disadvantage for the customer.

  Although it is conceivable to determine the validity of the management server at the time of issuing the electronic certificate as in the above-mentioned Patent Document 1, in such a case, the personal information of the communication device that can be the management server must be stored in advance. Therefore, communication devices that can obtain server applications are limited.

  The present invention has been made to solve the above-described problems, and its purpose is to invalidate a server application that is not properly operated while keeping the server application easily available. It is to provide a monitoring device, a monitoring method, and a monitoring program.

  A monitoring apparatus according to an aspect of the present invention is a monitoring apparatus for monitoring the operation of a server application for managing an image processing apparatus, and includes a determination condition including at least a first condition indicating a usage frequency of the server application. The stored storage means, the server application installed, the acquisition server for acquiring the communication history between the management server to which the first certificate is issued, and the image processing apparatus, the determination condition and the communication history And determining means for determining whether to relax the communication restriction set in the management server by determining the usage record of the management server.

Preferably, it further comprises issuing means for issuing the first certificate.
Preferably, the first certificate is a trial version certificate, and the issuing unit issues the second certificate with the communication restriction relaxed when it is determined by the determining unit that there is a usage record. .

  Preferably, the issuing means rejects the issue of the second certificate when the determining means determines that there is no usage record.

  Preferably, the issuing unit sets the communication restriction level of the second certificate according to the determination condition determined by the determining unit to be satisfied by the management server.

Preferably, the communication restriction represents a communicable period with the image processing apparatus.
Preferably, the communicable period represents the validity period of the electronic certificate.

  Preferably, the determination unit determines the usage record of the management server when the remaining validity period of the first certificate is equal to or less than a threshold value.

  Preferably, the judging means judges the usage record of the management server when a predetermined period has elapsed since the first certificate was issued, and if it is judged that there is a usage record, the first certification The information processing apparatus further includes means for revoking the first certificate when it is determined that the certificate is continuously used and there is no record of use.

  Preferably, the determination unit determines the usage record of the management server when at least one of the cumulative number of communication histories, the total amount of communication data, and the number of image processing apparatuses that are communicating exceeds a specified value. to decide.

  Preferably, the determination condition further includes a second condition indicating presence / absence of unauthorized communication of the management server, and the determination means determines whether or not to relax the communication restriction of the management server. The presence / absence determination result is further used.

  Preferably, the monitoring device is included in the management server, and further includes a protection unit for protecting the storage unit, the acquisition unit, and the determination unit.

  A monitoring method according to another aspect of the present invention is a monitoring method for monitoring the operation of a server application for managing an image processing apparatus, wherein the server application is installed and the first certificate is issued. Based on the step of acquiring a communication history between the server and the image processing apparatus, a determination condition including at least a first condition indicating the use frequency of the server application, and the communication history, the use record of the management server is determined. And determining whether to relax the communication restriction of the management server.

  A monitoring program according to still another aspect of the present invention is a monitoring program for monitoring the operation of a server application for managing an image processing apparatus, wherein the server application is installed and a first certificate is issued. Based on a step of obtaining a communication history between the management server and the image processing apparatus, a determination condition including at least a first condition indicating the use frequency of the server application, and a communication history, the use record of the management server is determined. By doing so, the computer is caused to execute a step of determining whether or not to relax the communication restriction of the management server.

  According to the present invention, the monitoring device can change the communication restriction of the management server by determining the usage record of the management server. Therefore, it is possible to invalidate a server application that is not properly operated while keeping the server application easily available.

It is a figure which shows the structural example of the communication system in Embodiment 1 of this invention. It is a figure which shows typically the hardware constitutions of CA server (authentication apparatus) which concerns on Embodiment 1 of this invention. It is a figure which shows typically the hardware constitutions of the server application (management server) which concerns on Embodiment 1 of this invention. 1 is a diagram schematically showing a hardware configuration of an MFP (image processing apparatus) according to Embodiment 1 of the present invention. FIG. It is a figure which shows typically the hardware constitutions of the log collection server which concerns on Embodiment 1 of this invention. It is a block diagram which shows the function structure of the CA server in Embodiment 1 of this invention. It is a figure which shows the example of a data structure of the certificate management table in Embodiment 1 of this invention. It is a figure which shows an example of the description content of the electronic certificate in Embodiment 1 of this invention. It is a figure which shows the example of the content of the condition judgment table in Embodiment 1 of this invention. It is a block diagram which shows the function structure of the server application in Embodiment 1 of this invention. 2 is a block diagram showing a functional configuration of the MFP according to the first embodiment of the present invention. FIG. It is a figure which shows an example of the judgment policy table in Embodiment 1 of this invention. It is a block diagram which shows the function structure of the log collection server in Embodiment 1 of this invention. It is a figure which shows the example of a data structure of the MFP management table in Embodiment 1 of this invention. It is a figure which shows the example of a data structure of the communication log stored in a log preservation | save part in Embodiment 1 of this invention. In Embodiment 1 of this invention, it is a flowchart which shows the process performed when a CA server issues a trial version certificate. 5 is a flowchart illustrating processing executed when a CA server issues a main operation certificate in the first embodiment of the present invention. In Embodiment 1 of this invention, it is a flowchart which shows the process performed when a server application requests | requires a trial version certificate. 5 is a flowchart illustrating processing executed when a server application requests to issue a present operation certificate in the first embodiment of the present invention. 6 is a flowchart illustrating processing executed when the MFP communicates with a server application in the first embodiment of the present invention. In Embodiment 1 of this invention, it is a flowchart which shows the process in which a log collection server transmits a communication log. It is a sequence diagram which shows the flow of a process of the communication system in Embodiment 1 of this invention. It is a sequence diagram which shows the flow of a process of the communication system in Embodiment 1 of this invention. It is a block diagram which shows the function structure of the CA server in the modification 1 of Embodiment 1 of this invention. It is a figure which shows the example of a data structure of the judgment start condition table in the modification 1 of Embodiment 1 of this invention. It is a block diagram which shows the function structure of the CA server in the modification 2 of Embodiment 1 of this invention. It is a figure which shows the example of a data structure of the judgment result preservation | save table in the modification 2 of Embodiment 1 of this invention. It is a block diagram which shows the function structure of the CA server in Embodiment 2 of this invention. In Embodiment 2 of this invention, it is a flowchart which shows the certificate revocation judgment processing which CA server performs. It is a figure which shows the structural example of the communication system in Embodiment 3 of this invention. It is a block diagram which shows the function structure of the CA server in Embodiment 3 of this invention. It is a block diagram which shows the function structure of the server application in Embodiment 3 of this invention. In Embodiment 3 of this invention, it is a flowchart which shows the process performed when a server application determines whether the issuing of this operation certificate is permitted.

  Embodiments of the present invention will be described in detail with reference to the drawings. In the drawings, the same or corresponding parts are denoted by the same reference numerals and description thereof will not be repeated.

  In the embodiment of the present invention, the server application is in an easily accessible state, and a communication device (for example, a general personal computer) can freely install the server application.

  In order for a communication apparatus (hereinafter referred to as “management server”) in which a server application is installed to communicate with an image processing apparatus such as an MFP, an electronic certificate is required for authentication. In the present embodiment, when an electronic certificate issuance request is issued from the management server, a certificate issuing device called a certificate authority (authentication device) (hereinafter referred to as a “CA (Certificate Authority) server”) authenticates the management server. Unconditionally issue an electronic certificate without judging. Therefore, the management server can immediately start managing the image processing apparatus by communication using the electronic certificate. However, a predetermined communication restriction is set for the management server immediately after the electronic certificate is issued when the server application is installed.

  The communication system according to the present embodiment includes a monitoring device that monitors the operation of a server application. The monitoring device is at least a management server at a predetermined timing after an electronic certificate is issued to the management server. The legitimacy of the management server is determined by determining the usage record of the management server. And according to the determination result, the communication restriction of the management server can be changed (relaxed or tightened). Therefore, according to the communication system of the present embodiment, it is possible to eliminate management servers that are not operating correctly.

  Specific embodiments will be described below. In the following description, the management server in which the server application is installed is referred to as “server application” for convenience.

[Embodiment 1]
<About configuration>
First, a configuration example of the communication system and each device in the present embodiment will be described.

(Schematic configuration of communication system)
FIG. 1 is a diagram illustrating a configuration example of a communication system according to Embodiment 1 of the present invention.

  Referring to FIG. 1, the communication system according to the present embodiment includes a CA server 20 that issues an electronic certificate for proving the validity of each node, a server application 30 that is a management server, and a server application 30. One or more MFPs 40 that communicate with each other, and a log collection server 50 that communicates with the MFP 40 and acquires a communication log (communication history) between the server application 30 and the MFP 40 are included. The server application 30 and the MFP 40 exist on the same intranet 12. The CA server 20 and the server application 30, and the MFP 40 and the log collection server 50 are communicated via the Internet 10.

  In the present embodiment, the CA server 20 functions as the monitoring device described above. That is, the CA server 20 has a function of monitoring the server application 30.

  The log collection server 50 may be on the intranet 12. That is, for example, the log collection server 50 may be installed in the company of the customer who uses the MFP 40. Alternatively, the log collection server 50 may be the same device as the CA server 20 that also functions as a monitoring device. That is, the CA server 20 may collect communication logs directly from the MFP 40. In that case, the log collection server 50 may not be included in the communication system.

  The server application 30 may exist on the Internet 10. That is, the function of the server application 30 may be provided as a service on the Internet 10. Alternatively, the server application 30 may be the same as one of the MFPs 40. That is, a server application may be installed in the MFP 40.

  In the present embodiment, all the image processing apparatuses are described as MFPs. However, the present invention is not limited, and all or some of them may be, for example, a copying machine, a facsimile apparatus, a scanner apparatus, or the like.

(Hardware configuration of each device)
FIG. 2 is a diagram schematically showing a hardware configuration of the CA server 20 according to Embodiment 1 of the present invention. FIG. 3 is a diagram schematically showing a hardware configuration of the server application 30 according to the first embodiment of the present invention. FIG. 4 is a diagram schematically showing a hardware configuration of MFP 40 according to the first embodiment of the present invention. FIG. 5 is a diagram schematically showing a hardware configuration of the log collection server 50 according to the first embodiment of the present invention.

  Referring to FIG. 2, CA server 20 includes a CPU 21 that controls the overall operation of CA server 20, a RAM (Random Access Memory) 22 that functions as a work area for CPU 21, and a ROM ( Read Only Memory) 23, an input unit 24 such as a keyboard for receiving instructions from a user, a communication interface 25 for communicating with other devices via a network such as the Internet 10, a monitor 26 for displaying various information, A hard disk device (HDD) 27 having a hard disk for storing programs and files, and a media drive 28 for accessing a recording medium 28A such as a removable CD-ROM are provided.

  The hardware configuration of the server application 30 and the log collection server 50 may be the same as that of the CA server 20. Referring to FIG. 3, the server application 30 includes a CPU 31, a RAM 32, a ROM 33, an input unit 34, a communication interface 35, a monitor 36, an HDD 37, and a media drive 38 that accesses a recording medium 38A. Referring to FIG. 5, the log collection server 50 includes a CPU 51, a RAM 52, a ROM 53, an input unit 54, a communication interface 55, a monitor 56, an HDD 57, and a media drive 58 that accesses a recording medium 58A. Since the function of each device is the same as the function described in CA server 20, description thereof will not be repeated.

  Referring to FIG. 4, each MFP 40 includes a control unit 41, a memory unit 42, an image reading unit 43, a printing unit 44, a communication interface 45, an operation panel unit 46, and a storage unit 47.

  The control unit 41 is typically composed of an arithmetic device such as a CPU, and implements a monitoring process according to the present embodiment by executing a program. The memory unit 42 is typically a volatile storage device such as a DRAM (Dynamic Random Access Memory), and holds a program executed by the control unit 41 and data necessary for executing the program. The image reading unit 43 reads an original and acquires an image. The print unit 44 performs a printing process on a paper medium or the like. The printing unit 44 includes a control device for controlling the operation of each unit in addition to the hardware configuration related to the printing process.

  The communication interface 45 transmits / receives data to / from the server application 30 in the intranet 12 and transmits / receives data to / from the log collection server 50 via the Internet 10. The communication interface 45 includes, for example, a LAN adapter and driver software that controls the LAN adapter. The operation panel unit 46 includes, for example, a display panel composed of a liquid crystal display device, a touch panel, etc., and a plurality of operation buttons. The storage unit 47 is typically a non-volatile storage device such as a hard disk device or a flash memory, and stores a program and various data for the operation of the control unit 41.

  Each MFP 40 may further include a media drive (not shown) that can access a recording medium such as a removable CD-ROM (Compact Disk Read Only Memory).

(Functional configuration of CA server 20)
FIG. 6 is a block diagram showing a functional configuration of the CA server 20 according to Embodiment 1 of the present invention.

  Referring to FIG. 6, CA server 20 includes communication unit 201, certificate issuing unit 202, CRL (Certificate Revocation List) issuing unit 203, determination unit 204, log collection unit 205, certificate management table. 206 and a condition determination table 207.

  The communication unit 201 communicates with other devices on the network. Specifically, data transmission / reception is performed between the server application 30 and the log collection server 50. The communication unit 201 corresponds to the communication interface 25 illustrated in FIG.

  The certificate issuing unit 202 issues an electronic certificate. Typically, the certificate issuing unit 202 issues a certificate with a digital signature based on a public key infrastructure (PKI). The electronic certificate is a public key infrastructure such as X.264 defined by ITU-T (International Telecommunication Union Telecommunication Standardization Sector). The configuration conforms to the 509 recommendation. An example of the data structure of the electronic certificate will be described later with reference to FIG.

  In the present embodiment, the certificate issuing unit 202 issues two types of electronic certificates, that is, a trial version certificate and a main operation certificate, to the server application 30 according to conditions.

  The CRL issuing unit 203 performs processing for generating a CRL and issuing the generated CRL. The CRL is a list of electronic certificates that have been revoked within the validity period, and the device that has received the electronic certificate checks whether the received electronic certificate is still valid by checking it against the CRL. can do.

  The certificate management table 206 manages electronic certificates issued by the certificate issuing unit 202. The certificate management table 206 is included in the hard disk 27 shown in FIG. 2, for example.

  FIG. 7 is a diagram illustrating an example of the data structure of the certificate management table 206. Each management data stored in the certificate management table 206 includes, for example, serial number, issue destination, issuer, start date / time of the valid period, end date / time of the valid period, purpose of use, whether or not it is a trial period, And information on whether or not it has expired.

  Management data whose trial period item is “YES” indicates that the type of certificate to be managed is a trial version. Management data in which the trial period item is “NO” indicates that the type of certificate to be managed is a certificate for this operation.

  Here, one of the differences between the trial version certificate and the operational certificate is that the trial version certificate has a shorter validity period. For example, as shown in the certificate management table 206 of FIG. 7, the validity period of the trial version certificate is one week, whereas the certificate of the operation is set to a validity period of three years. As described above, in this embodiment, the communication restriction is set for the server application 30 by setting the validity period of the trial version certificate shorter than that of the operation certificate. Note that the type of communication restriction is not limited to the validity period of the certificate, and for example, the effective number of communication and the communication destination during the trial period may be set as the communication restriction.

  In the present embodiment, as one of the differences between the trial version certificate and the operational certificate, the usage purpose of the trial version certificate may be limited as shown in the item of purpose of use. . That is, the operational certificate can be used for the purpose of authentication and encryption (“authentication / encryption”), but the trial version certificate may be limited to authentication.

  Management data in which the revoked item is “YES” indicates that the certificate to be managed has been revoked, and management data for electronic certificates that have been revoked with the revocation flag set is saved. The Note that the management data may be deleted when the end date of the valid period has passed.

  FIG. 8 is a diagram showing an example of the description content of the electronic certificate according to Embodiment 1 of the present invention. As described above, the electronic certificate in this embodiment is an X. It includes a plurality of items (serial number, valid period start / end date and time, etc.) according to the 509 format, and data specific to the certificate is stored in each item.

  Referring to FIG. 6 again, the log collection unit 205 collects the communication log collected by the log collection server 50 via the communication unit 201. The determination unit 204 determines the usage record of the server application 30 and the presence / absence of unauthorized communication in order to determine the validity of the server application 30. Thereby, it is determined whether or not the communication restriction set in the server application 30 is relaxed, that is, whether or not the operation certificate is issued. In the present embodiment, the validity of the server application 30 is determined based on the condition determination table 207 and the communication log collected by the log collection unit 205. The determination result by the determination unit 204 is output to the certificate issuing unit 202.

  FIG. 9 is a diagram showing an example of the contents of the condition determination table 207 according to Embodiment 1 of the present invention. The condition determination table 207 stores in advance a plurality of conditions indicating that the server application 30 is correctly operated, that is, conditions necessary for permitting the issuance of the operation certificate. The condition determination table 207 is included in, for example, the hard disk 27 shown in FIG.

  The condition determination table 207 includes a condition indicating the usage frequency for determining the usage record of the server application 30 and a condition indicating whether or not the server application 30 has unauthorized communication as the issuance permission condition of the operation certificate. .

  In this embodiment, the condition No. 1, “the number of communication of the server application is 10 times or more and less than 300 times a day” is set. The condition of 10 times or more is a condition for judging the usage record, and the condition of less than 300 times is a condition for judging the presence or absence of unauthorized communication (illegal use). If the server application that manages 20 MFPs is set to communicate with each MFP 4 times a day, the average number of communications per day will be 80, but if there is much more than this, This is because the possibility of unauthorized communication is high.

  Condition No. The condition “3 or more MFPs connected to the server application” set as 3 is a condition for determining the usage record. Other condition No. 2, 4 to 8 are set as conditions for determining the presence or absence of unauthorized communication. Specifically, “the communication data amount of the server application is less than 10 MB once” (Condition No. 2), “the number of certificate authentication failures is 0” (Condition No. 4), “the number of successful certificate authentications is 10 times or more” (Condition No. 5), “Predetermined communication protocol (for example, HTTP (HyperText Transfer Protocol) / FTP (File Transfer Protocol) / SMTP (Simple Mail Transfer Protocol))” (Condition No. 6), “Predetermined type” No. (for example, consumables remaining amount acquisition, usage amount acquisition, failure information acquisition) ”(condition No. 7) and“ request error count less than 20 times ”(condition No. 8) are set.

  Note that only a part of these may be stored in the condition determination table 207. However, it is desirable that at least one condition for determining the usage record of the server application 30 is stored.

  The functions of the certificate issuing unit 202, the CRL issuing unit 203, the determining unit 204, and the log collecting unit 205 described above may be realized by the CPU 21 shown in FIG. 2 executing software. For example, a program including modules corresponding to these functional units is stored in the hard disk 27. Note that at least one of these may be realized by hardware.

(Functional configuration of server application 30)
FIG. 10 is a block diagram illustrating a functional configuration of the server application 30 according to the first embodiment of the present invention.

  Referring to FIG. 10, server application 30 includes a communication unit 301, a certificate storage unit 302, and a certificate request unit 303.

  The communication unit 301 communicates with other devices on the network. Specifically, data transmission / reception is performed between the CA server 20 and the MFP 40. The communication unit 301 corresponds to the communication interface 35 illustrated in FIG.

  The certificate storage unit 302 stores an electronic certificate issued from the CA server 20, that is, a trial version certificate or a main operation certificate. The certificate storage unit 302 may be included in the hard disk 37 shown in FIG. 3, for example.

  The certificate request unit 303 generates a request for issuing a trial version certificate and a main operation certificate at a predetermined timing, and transmits the request for issuing each certificate to the CA server 20 via the communication unit 301. The function of the certificate request unit 303 may be realized by the CPU 31 illustrated in FIG. 3 executing software. For example, a program including a module corresponding to the certificate request unit 303 is stored in the hard disk 37.

(Functional configuration of MFP 40)
FIG. 11 is a block diagram showing a functional configuration of MFP 40 in the first embodiment of the present invention.

  Referring to FIG. 11, MFP 40 includes a communication unit 401, a certificate storage unit 402, a communication determination unit 403, a communication log storage unit 404, a communication log output unit 405, and a determination policy table 406.

  The communication unit 401 communicates with other devices on the network. Specifically, data transmission / reception is performed between the server application 30 and the log collection server 50. The communication unit 401 corresponds to the communication interface 45 illustrated in FIG.

  The certificate storage unit 402 temporarily stores the electronic certificate received from the server application 30 via the communication unit 401. The certificate storage unit 402 may be included in, for example, the memory unit 42 illustrated in FIG.

  Based on the determination policy table 406, the communication determination unit 403 verifies the electronic certificate (trial version certificate or main operation certificate) of the server application 30 temporarily stored in the certificate storage unit 402 and the validity of the request type. Is verified to determine whether communication with the server application 30 is possible.

  FIG. 12 is a diagram illustrating an example of the determination policy table 406. The determination policy table 406 stores in advance a plurality of policies for determining that communication with the server application 30 is possible. The determination policy table 406 is included, for example, in the storage unit 47 shown in FIG.

  When the communication determination unit 403 determines that communication is possible, information corresponding to the type of request is transmitted to the server application 30 via the communication unit 401.

  When communication with the server application 30 occurs, the communication log storage unit 404 stores a communication log (communication history) indicating the contents thereof. The communication log storage unit 404 may be included in the storage unit 47 illustrated in FIG. 4, for example.

  The communication log output unit 405 transmits the communication log stored in the communication log storage unit 404 to the log collection server 50 via the communication unit 401.

  The functions of the communication determination unit 403 and the communication log output unit 405 described above may be realized by the control unit 41 executing software. For example, a program including modules corresponding to each of these functional units is stored in the storage unit 47. Note that at least one of these may be realized by hardware.

  Note that the MFP 40 may also hold its own electronic certificate and perform secure communication using each other's electronic certificate when communicating with the server application 30.

(Functional configuration of log collection server 50)
FIG. 13 is a block diagram showing a functional configuration of the log collection server 50 according to Embodiment 1 of the present invention.

  Referring to FIG. 13, log collection server 50 includes a communication unit 501, a log collection unit 502, a log storage unit 503, a log output unit 504, and an MFP management table 505.

  The communication unit 501 communicates with other devices on the network. Specifically, data transmission / reception is performed between the CA server 20 and the MFP 40. The communication unit 501 corresponds to the communication interface 55 illustrated in FIG.

  A log collection unit 502 collects communication logs from the MFP 40 registered in the MFP management table 505.

  FIG. 14 is a diagram illustrating an example of the data structure of the MFP management table 505. The MFP management table 505 manages identification information and log acquisition timing of the MFP 40 that is a log collection target. Specifically, each management data includes, for example, a serial number, a user name, a model name, a registration date and time, and a log acquisition time. If a communication log is automatically transmitted from the MFP 40 every time there is communication between the server application 30 and the MFP 40, the item of log acquisition time is unnecessary.

  The MFP management table 505 is included in, for example, the hard disk 57 shown in FIG. The method for registering management data in the MFP management table 505 is not particularly limited.

The log storage unit 503 stores the communication log collected by the log collection unit 502.
FIG. 15 is a diagram illustrating a data structure example of a communication log stored in the log storage unit 503 according to Embodiment 1 of the present invention. Here, an example in which a plurality of server applications are included in the communication system is shown. A log storage unit 503 may also be included in the hard disk 57.

  Referring to FIG. 15, each communication log is managed by an index, and the date and time, the IP address of the communication source (server application), the IP address of the communication destination (MFP), the MAC address of the communication source, the communication source certificate Document identification information, communication protocol, request type, presence / absence of normal termination, error type, and data amount.

  In this embodiment, both the IP address and the MAC address are included in the communication log in order to specify the server application of the communication source. However, only one of them may be included. . However, since the IP address may not be fixed, it is desirable to include both addresses in the communication log. Further, since the communication source server application can be specified only by the communication source certificate, the communication log may not include the communication source address itself.

  When the log output unit 504 receives a communication log request from the CA server 20 via the communication unit 501, the log output unit 504 determines whether or not a certificate can be issued out of the communication logs stored in the log storage unit 503. Extract communication logs. The extracted communication log is transmitted to the CA server 20 via the communication unit 501.

  The functions of the log collection unit 502 and the log output unit 504 described above may be realized by the CPU 51 illustrated in FIG. For example, a program including modules corresponding to each of these functional units is stored in the hard disk 57. Note that at least one of these may be realized by hardware.

<About operation>
Next, the operation of each device in the present embodiment will be described.

(Operation of CA server 20)
FIG. 16 is a flowchart showing processing executed when the CA server 20 issues a trial version certificate in the first embodiment of the present invention.

  Referring to FIG. 16, the communication unit 201 receives a request for issuing a trial version certificate from the server application 30 (step S2). When the server application 30 requests certificate issuance for the first time after installing the server application, a request for issuing a trial version certificate is transmitted.

  Upon receiving the request for issuance of the trial version certificate, the certificate issuing unit 202 executes a trial version certificate issuance process (step S4). Specifically, the certificate issuing unit 202 generates a trial version certificate based on the issue request received by the communication unit 201. The configuration of the trial version certificate may be as shown in FIG. The certificate issuing unit 202 also registers management data of the generated trial version certificate in the certificate management table 206. The certificate issuing unit 202 transmits the generated trial version certificate to the server application 30 via the communication unit 201.

  FIG. 17 is a flowchart showing processing executed when the CA server 20 issues the operation certificate in the first embodiment of the present invention.

  Referring to FIG. 17, the communication unit 201 receives a request for issuing the operation certificate from the server application 30 (step S12). When receiving the operation certificate issuance request, first, it is confirmed whether or not the trial version certificate of the server application 30 is registered in the certificate management table 206, and then the log collection unit 205 passes through the communication unit 201. The communication log between the server application 30 and the MFP 40 is acquired (collected) from the log collection server 50 (step S14).

  Based on the conditions recorded in the condition determination table 207 as shown in FIG. 9, the determination unit 204 determines whether the operation certificate issuance for the server application 30 is possible from the communication log between the server application 30 and the MFP 40. (Step S16). That is, it is checked whether the server application 30 is normally operated.

  Specifically, for example, if one of the plurality of conditions recorded in the condition determination table 207 does not satisfy one of the conditions, it may be determined that communication is impossible. Alternatively, it may be determined that communication is possible as long as a predetermined number of conditions or more are satisfied even if all the conditions are not satisfied.

  Here, a specific example of determining whether or not to issue the operation certificate based on the condition determination table 207 and the communication log will be described.

  For example, when 100 communications per day are coming from the server application 30, the condition No. 1 is satisfied, but only two communications per day come from the server application 30. Since 1 is not satisfied, it is determined that it cannot be issued. When the number of MFPs 40 connected to the server application 30 is less than 5 (that is, when there is only a communication log with less than 5 MFPs 40), the condition No. Since 3 is not satisfied, it is determined that it cannot be issued. By making such a determination, server applications that are hardly used can be eliminated.

  If 1000 communications per day are coming from the server application 30, the condition No. Since 1 is not satisfied, it is determined that it cannot be issued. As a result, it is possible to eliminate server applications that perform illegal operations.

  If there is a communication log with a communication data amount of 15 MB for the server application 30, the condition No. Since 2 is not satisfied, it is determined that it cannot be issued. Assuming that the amount of communication data per time of the server application 30 is almost the same amount each time, if there is communication with a communication amount that greatly exceeds this amount, there is a high possibility of unauthorized communication. Thereby, when the server application 30 performs an illegal operation such as sending illegal data, the issuance of the operation certificate can be rejected.

  If there are a plurality of certificate authentication failures or the certificate authentication success is less than 10, the condition No. Since 4 and 5 are not satisfied, it is determined that it cannot be issued. If the server application 30 uses a certificate issued from the CA server 20, the certificate verification should be successful. For this reason, if the verification of the certificate fails, there is a high possibility that it is an unauthorized communication using a certificate issued from an unauthorized CA server or a tampered certificate. Thereby, it is possible to eliminate a server application that attempts to communicate using an invalid certificate.

  The communication protocol is condition No. If there is a communication log of communication requests other than those predetermined as 6, it is determined that issuance is impossible. As a result, it is possible to refuse the issuance of the operation certificate to the server application 30 that attempts to gain unauthorized access using a protocol that should not be used.

  In addition, the request type is a condition No. If there is a communication log other than that predetermined as 7, it is determined that it cannot be issued. As a result, it is possible to eliminate a malicious server application that transmits an unauthorized request by refusing to issue the operation certificate.

  Further, even if the type of request is permitted, if the number of times the request is in error is 20 times or more, the condition No. Since 8 is not satisfied, it is determined that it cannot be issued. If there are several errors, there may be data loss due to communication or a temporary setting error, but if there are several tens of errors, there is a high possibility of unauthorized use (for example, server The data format transmitted from the application 30 is different). As a result, server applications that attempt unauthorized use can be eliminated by refusing to issue the operation certificate.

  If it is determined in step S16 that the operation certificate can be issued (“OK” in step S16), the certificate issuing unit 202 executes the operation certificate issuance process (step S18). Specifically, first, a new operation certificate of the server application 30 is newly generated based on the trial version certificate of the server application 30 or the information of this operation certificate request recorded in the certificate management table 206. With this operational certificate, the communication restrictions (short expiry date, number of communications, etc.) set in the trial version certificate are released. Then, the information of the generated operation certificate is recorded in the certificate management table 206, and the operation certificate is transmitted together with the issue permission notification to the server application 30 via the communication unit 201. As a result, the operation certificate can be automatically issued to the server application 30 having high reliability (trusted).

  On the other hand, if it is determined in step S16 that the operation certificate cannot be issued (“NG” in step S16), the certificate issuing unit 202 transmits the certificate to the server application 30 via the communication unit 201. In response to this, the operation certificate issuance rejection notification is transmitted (step S20). Here, the CRL issuing unit 203 may generate a CRL to revoke the trial version certificate that the server application 30 currently has. In this case, the certificate issuing unit 202 rewrites the item “Revoked” in the management data of the trial version certificate of the server 30 managed in the certificate management table 206 from “No” to “Yes”. The CRL issuing unit 203 transmits the generated CRL to the server application 30 and the MFP 40 via the communication unit 201. Accordingly, the trial period can be automatically terminated for the server application 30 with low reliability (unreliable).

  In this embodiment, the trial period is terminated when it is determined that the operation certificate cannot be issued. However, the trial period may be continued and the progress may be observed. Specifically, the certificate issuing unit 202 generates a new trial version certificate based on the information of the original trial version certificate, and registers the management data of the certificate in the certificate management table 206. May be. The new trial version certificate generated in this way is transmitted to the server application 30 via the communication unit 201. When performing such processing, the CA server 20 holds, for example, the number of trial certificate issuances, and determines that the operation certificate cannot be issued when the specified number of issuances is reached. It is good to do.

  In the present embodiment, it is determined whether or not the operation certificate is issued based on a request for issuing the operation certificate from the server application 30, but the present invention is not limited thereto. For example, the CA server 20 checks the expiration date of the trial version certificate in the certificate management table 206, and acquires a communication log when the remaining validity period becomes a certain value or less (for example, the remaining one day). It may be determined whether or not the operation certificate is issued. Other modified examples will be described in detail with reference to FIGS. 24 and 25 in “Modified Example 1” later.

  In the present embodiment, the determination unit 204 only determines whether or not the operation certificate is issued. However, the reliability of the server application 30 may be further determined. Specifically, for example, the number of points indicating the reliability of the server application is also recorded for each condition No in the condition determination table 207, and the number of points corresponding to the condition No determined that the server application 30 is satisfied. And the total points may be output as the reliability.

  In such a case, the certificate issuing unit 202 can set the validity period of this operational certificate according to the reliability determination result by the determination unit 204. That is, the degree of relaxing the communication restriction set in the trial version certificate may be changed according to the reliability.

  For example, when it is determined that the reliability of the server application 30 is equal to or higher than a first threshold (for example, 90 points when 100 is the maximum), the validity period of the operation certificate is set to the longest period (for example, 5 years). Set to. If it is determined that the reliability is equal to or lower than a second threshold value (for example, 80 points) lower than the first threshold value, an expiration date may be set for a period shorter than the maximum effective period (for example, four years). Good.

(Operation of server application 30)
FIG. 18 is a flowchart illustrating processing executed when the server application 30 requests a trial version certificate.

  Referring to FIG. 18, the certificate request unit 303 generates a request for issuing a trial version certificate, and transmits the generated issuance request to the CA server 20 via the communication unit 301 (step S32). The request for issuance of the trial version certificate may be executed, for example, when there is an instruction from the user. Alternatively, it may be automatically generated at the first activation after installing the server application.

  When the issuance request for the trial version certificate is transmitted, the trial version certificate is unconditionally issued in the CA server 20, so that the trial version certificate is obtained (received) via the communication unit 301 (step S34). The acquired trial version certificate is stored in the certificate storage unit 302.

  FIG. 19 is a flowchart illustrating processing executed when the server application 30 issues a request for issuing the operation certificate.

  Referring to FIG. 19, the certificate request unit 303 checks the expiration date of the trial version certificate stored in the certificate storage unit 302 and determines whether the certificate needs to be updated (step S42). ). Specifically, it is determined whether or not the remaining validity period of the trial version certificate is equal to or less than a threshold value. As described above, the reason for determining the timing of the certificate request before the expiration of the valid period is to prevent a period during which the server application cannot be used from occurring. When it is determined that the remaining effective period is equal to or less than the threshold (NO in step S42), the process proceeds to step S44. In other cases (YES in step S42), the validity period of the certificate is periodically checked.

  In step S44, the certificate request unit 303 generates a request for issuing the operation certificate. The generated issue request is transmitted to the CA server 20 via the communication unit 301.

  Next, the CA server 20 receives a notification of whether or not the operation certificate is issued. When the notification content is permission to issue (“OK” in step S46), the communication unit 301 receives the operation certificate from the CA server 20 and stores the operation certificate in the certificate storage unit 302 (step S48). ).

  On the other hand, if the notification content is an issuance refusal (“NG” in step S46), it is determined that the issuance of the operation certificate has been rejected (step S50). When the CRL is transmitted from the CA server 20, it is received and stored. When the issuance of the operation certificate is rejected, the server application 30 continues to operate until the expiration date of the trial version certificate stored in the certificate storage unit 302 comes. Or it is good also as invalidating the function as a server application immediately. Specifically, the communication between the server application 30 and the MFP 40 may be blocked. Alternatively, access to the database of the server application 30 may be restricted.

(Operation of MFP 40)
FIG. 20 is a flowchart illustrating processing executed when the MFP 40 communicates with the server application 30.

  Referring to FIG. 20, when communication unit 401 receives a certificate and a communication request from server application 30 (step S62), communication determination unit 403 determines whether or not communication with server application 30 is possible (step S64). Specifically, every time a certificate and a communication request are transmitted from the server application 30, the communication determination unit 403, based on the determination policy table 406, the server application 30 certificate (trial certificate or main operation certificate). Certificate). When it is determined that the certificate is valid (“OK” in step S64), communication with server application 30 is performed (step S66). At this time, the communication log storage unit 404 stores the current communication log (step S68).

  Next, the communication log output unit 405 determines whether or not a predetermined number or more of communication logs have been saved (step S69). When it is determined that a predetermined number or more of communication logs are stored (“OK” in step S69), the communication log output unit 405 collects a predetermined number or more of communication logs stored in the communication log storage unit 404. It transmits with respect to the server 50 (step S70). When this process ends, the process returns to step S62. On the other hand, when the communication log output unit 405 determines that a predetermined number or more of communication logs are not stored (“NG” in step S69), the communication log output unit 405 performs the step without transmitting the communication log. Returning to S <b> 62, when a predetermined number or more of communication logs are accumulated, the communication logs are collectively transmitted to the log collection server 50. This process enables efficient data communication.

  If it is determined in step S64 that communication is impossible (“NG” in step S64), the communication log is saved without performing communication with the server application 30 (step S68). Also in this case, the saved communication log is transmitted to the log collection server 50 as needed (step 70).

(Operation of log collection server 50)
When the log collection unit 502 of the log collection server 50 acquires a communication log transmitted from the MFP 40 as needed using a communication protocol such as Syslog via the communication unit 501, the log collection unit 502 stores the acquired communication log in the log storage unit 503. Shall.

  FIG. 21 is a flowchart illustrating processing in which the log collection server 50 transmits a communication log.

  Referring to FIG. 21, communication unit 501 receives a request for a communication log between server application 30 and MFP 40 from CA server 20 (step S82). At this time, information for specifying the server application 30 to be determined (for example, a certificate, IP address or MAC address of the server application 30) is also received.

  When receiving the communication log request, the log output unit 504 extracts the communication log between the determination target server application 30 and the MFP 40 from the log storage unit 503 and transmits the extracted communication log to the requesting CA server 20. (Step S84). Note that the communication log to be transmitted to the CA server 20 may be organized and transmitted not only as it is from the log acquired from the MFP 40 but only as data necessary for determining whether or not to issue this operation certificate.

(Processing flow in communication system)
22 and 23 are sequence diagrams showing a flow of processing of the communication system according to Embodiment 1 of the present invention. FIG. 22 shows a flow of processing related to the trial version certificate, and FIG. 23 shows a flow of processing related to the operation certificate.

  Referring to FIG. 22, when a request for issuing a trial version certificate is transmitted from server application 30 to CA server 20 (OP1), CA server 20 generates a trial version certificate (OP2). The generated trial version certificate is transmitted to the server application 30 that has transmitted the issue request (OP3). The server application 30 stores the received trial version certificate (OP4).

  In the communication between the server application 30 and the MFP 40, the MFP 40 requests a certificate from the server application 30 (OP11). At this time, the server application 30 transmits a trial version certificate (OP12). The MFP 40 verifies the transmitted trial version certificate (OP13). Then, the certificate verification result is transmitted to the server application 30 (OP14). If the certificate verification result is that communication is possible, the server application 30 transmits a request such as failure information and usage amount information to the MFP 40 (OP15). The MFP 40 transmits the request result to the server application 30 based on the content of the received request (OP16). In addition, the MFP 40 transmits the communication log of this time to the log collection server 50 (OP17). The log collection server 50 stores the received communication log (OP18).

  Referring to FIG. 23, server application 30 checks the expiration date of the trial version certificate (OP21). In response to the expiration date check result, a request for issuing the operation certificate is transmitted to the CA server 20 (OP22). The CA server 20 that has received the request for issuing the operational certificate requests the communication log from the log collection server 50 (OP23). The log collection server 50 transmits the communication log to the CA server 20 (OP24). The CA server 20 determines whether or not the operation certificate is issued based on the received communication log and the condition determination table 207 (OP25). If it is determined that the certificate can be issued, the operational certificate is generated (OP26). The generated operation certificate is transmitted to the server application 30 (OP27). The server application 30 stores the operation certificate transmitted from the CA server 20 (OP28).

  As described above, according to the present embodiment, the user of the server application 30 can immediately use the trial version certificate as a management server of the MFP 40 without performing complicated procedures when installing the server application. The function can be started. In addition, based on the actual communication log of the server application 30 for which the trial version certificate has been issued, it is determined whether the server application 30 is using the function of the server application and whether or not unauthorized communication is being performed. It is possible to reliably eliminate server applications that have not been made. That is, a server application that is not operated correctly can be invalidated.

  Even if it is abused, if a method of issuing a certificate (key, ticket) with a short expiration date for validating the function from the CA server to the server application is adopted. The expiry date can be shortened immediately, eliminating the need to revoke a certificate. However, in such a case, there is an inconvenience that the administrator of the server application needs to update the certificate many times. On the other hand, if the method as in this embodiment is adopted, the trial version certificate is seamlessly updated to the actual operation certificate, so that there is a merit that the administrator of the server application 30 is not required.

<Modification 1>
In the first embodiment, when the operation certificate is issued from the server application, the CA server determines whether the operation certificate can be issued. However, the server application within the validity period of the trial version certificate is determined. Whether to issue the operation certificate may be determined based on information obtained from the communication log.

  FIG. 24 is a block diagram showing a functional configuration of the CA server 20A in the first modification of the first embodiment of the present invention.

  Referring to FIG. 24, CA server 20A further includes a determination start condition table 208 in addition to the configuration shown in FIG. Further, instead of the determination unit 204 and the log collection unit 205, a determination unit 204A and a log collection unit 205A are included.

  FIG. 25 is a diagram showing a data structure example of the determination start condition table 208 in the first modification of the first embodiment of the present invention. The determination start condition table 208 stores in advance a condition for starting determination of whether or not to issue the operation certificate. Specifically, for example, the server application 30 has a cumulative communication count of 100 times or more (condition No. 1), the server application 30 has a total communication data amount of 50 MB or more (condition No. 2), and is connected to the server application 30. The condition that the number of MFPs 40 is 10 or more (condition No. 3) is stored.

The determination start condition table 208 may be included in the hard disk 27 shown in FIG.
In the present modification, the log collection unit 205A acquires a communication log between the server application 30 and the MFP 40 within the expiration date of the trial version certificate from the log collection server 50 at regular intervals (for example, one day). Whether the server application 30 is within the validity period of the trial version certificate can be determined from the certificate management table 206.

  Based on the acquired communication log and the determination start condition table 208, the determination unit 204A determines whether or not to determine whether or not to issue the operation certificate. If the determination start condition is satisfied, whether or not the operation certificate is issued is determined based on the condition determination table 207 and the acquired communication log as described in the first embodiment.

  In this modification as well, as in the processing in the first embodiment, the determination unit 204A also satisfies the condition in the case where the conditions of the determination start condition table 208 are not satisfied by just before the trial period expires. It is desirable to determine whether or not the operation certificate can be issued based on the determination table 207 and the acquired communication log. In this case, the determination may be started upon a request from the server application 30 side, or the determination is started by detecting the expiration date of the trial version certificate in the certificate management table 206 in the CA server 20A. Also good.

  As described above, according to the present modification, if the information obtained from the communication log of the server application 30 satisfies a condition such that it can be estimated that there is a usage record, the operation certificate issuance determination is started. . Therefore, for the server application 30 that is correctly operated, the set trial period can be shortened and the operation can be started.

<Modification 2>
When the server application is reinstalled, or when it becomes necessary to reissue the certificate due to the expiration of this operational certificate, the CA server further determines whether the past operational certificate has been issued. It may be used to determine whether the operation certificate is issued.

  FIG. 26 is a block diagram showing a functional configuration of the CA server 20B in the second modification of the first embodiment of the present invention.

  Referring to FIG. 26, CA server 20B further includes a determination result storage table 209 in addition to the configuration shown in FIG. Further, a determination unit 204B is included instead of the determination unit 204.

  FIG. 27 is a diagram illustrating an example of the data structure of the determination result storage table 209. The determination result storage table 209 stores the determination result in the determination unit 204B. In the determination result storage table 209, each determination result data is assigned a serial number, and includes items of issue destination, issuer, determination date and time, determination result, and reason.

The determination result storage table 209 may be included in the hard disk 27 shown in FIG.
In this modification, when the determination unit 204B determines whether or not the operation certificate can be issued, in addition to the determination based on the condition determination table 207 and the communication log, the past determination stored in the determination result storage table 209 is performed. From the result, it is determined whether or not a certificate can be issued.

  For example, if it has been determined that the server application 30 is determined to be issued three or more times in the past, it is determined that the operation certificate can be issued without making a determination based on the communication log. Alternatively, as shown in serial number 5, if a result that the amount of communication data is too large is recorded as the reason for the determination result NG, it is determined that the operation certificate cannot be issued without determining the communication log. May be.

  As described above, in this modification, it is necessary to make a determination based on the communication log every time even when it is determined whether or not the operation certificate is periodically issued by using the past determination result. Therefore, the communication amount can be reduced and the processing load on the CPU 21 can be reduced.

  In this modification, the determination conditions of the condition determination table 207 can be changed according to the past determination results read from the determination result storage table 209 when determining whether or not a certificate is issued.

  As an example, if the server application is reinstalled, or if it is necessary to reissue a certificate due to the expiration of this operation certificate, relax the criteria if it is determined that it can be issued last time. . Specifically, for example, when the normal (default) determination condition is “the number of communication times of the server application is 10 times or more per day”, if it is determined that the issuance is permitted last time, “the communication number of the server application is 1 Change the conditions to "more than 5 times a day".

  Or, if it is determined that the issuance is rejected last time, the determination condition is tightened. For example, when the normal judgment condition is “the number of MFPs connected to the server application is 5 or more”, if it was judged that the previous issue was rejected, the condition was changed to “the number of MFPs connected to the server application was 10 or more” To do.

  In order to realize such a change, for example, a condition determination table 207 is provided for each server application 30.

  Note that this modification can be used when the validity period of the trial version certificate continues to be judged periodically after the remaining period of validity of the trial version certificate falls below a certain value. You may apply. In such a case, since it is determined whether or not the operation certificate is issued until the expiration date of the trial period, it is possible to exclude server applications that have performed unauthorized communication just before the expiration date.

  Alternatively, as described above, even if it is determined that the operation certificate cannot be issued once, this modification is applied to the case where a new trial version certificate is issued and the progress is observed. May be.

[Embodiment 2]
Next, a second embodiment of the present invention will be described.

  In the first embodiment and the first and second modifications thereof, the restriction on communication with the MFP is changed by issuing two types of certificates, a trial version certificate and a main operation certificate, to the server application. It was a thing. On the other hand, in the present embodiment, only one type of certificate corresponding to the operation certificate is issued to the server application, and the certificate revocation determination is performed later.

Hereinafter, differences from the first embodiment will be described.
FIG. 28 is a block diagram showing a functional configuration of the CA server 20C according to Embodiment 2 of the present invention.

  Referring to FIG. 28, CA server 20C further includes a periodic check unit 210 in addition to the configuration shown in FIG. Further, instead of the certificate issuing unit 202 and the determining unit 204, a certificate issuing unit 202C and a determining unit 204C are included. The function of the periodic check unit 210 may be realized by the CPU 21 shown in FIG.

  When the certificate issuance unit 202C receives a certificate issuance request from the server application 30 for the first time (when the server application is installed), the certificate issuance unit 202C unconditionally issues a normal electronic certificate with no communication restriction set.

  The processing of the periodic check unit 210 and the determination unit 204C will be described with reference to the flowchart of FIG.

  FIG. 29 is a flowchart showing a certificate revocation determination process executed by the CA server 20B in the second embodiment of the present invention.

  With reference to FIG. 29, the periodic check unit 210 checks the number of days elapsed from the certificate issuance date, and determines whether or not a predetermined period (for example, one week) has elapsed from the certificate issuance date (step S102). ). If the specified number of days has elapsed (YES in step S102), periodic check unit 210 instructs determination unit 204C to determine whether or not to expire.

  When the determination unit 204C requests the log collection unit 205 to collect a log, the log collection unit 205 acquires (collects) a communication log between the server application 30 and the MFP 40 from the log collection server 50 via the communication unit 201. (Step S104).

  Based on the conditions recorded in the condition determination table 207 and the acquired communication log, the determination unit 204C determines whether or not the certificate of the server application 30 can be revoked (step S106). Thereby, it is determined whether or not the communication restriction set in the server application 30 is relaxed, that is, whether or not continuous use of the certificate is permitted. The determination method here may be the same as the determination of whether or not the operation certificate is issued in the first embodiment.

  If the determination unit 204C determines that the certificate is rejected (“NG” in step S106), the CRL issuing unit 203 records the revocation information in the certificate management table 206 and generates a CRL (step S110). ). Then, the generated CRL is transmitted to the server application 30 and the MFP 40 via the communication unit 201 (step S112).

  On the other hand, when the determination unit 204C determines that the certificate is permitted to be used (“OK” in step S106), the determination unit 204C sends a certificate usage permission notification via the communication unit 201 to the server application. 30 (step S108).

  As described above, according to the present embodiment, the CA server 20 does not need to generate two types of certificates, that is, the trial version certificate and the main operation certificate. The same effect can be achieved.

[Embodiment 3]
Next, a third embodiment of the present invention will be described.

  In each of the embodiments described above, the CA server that issues the electronic certificate executes the process for eliminating the illegal operation of the server application. On the other hand, in the present embodiment, the server application itself executes a process for eliminating unauthorized operation of the server application. That is, in this embodiment, the server application itself functions as a monitoring device.

Hereinafter, differences from the first embodiment will be described.
(About configuration)
FIG. 30 is a diagram illustrating a configuration example of a communication system according to Embodiment 3 of the present invention.

  Referring to FIG. 30, the communication system according to the present embodiment does not include log collection server 50 as described in the first embodiment. Further, CA server 20 # and server application 30 # are included instead of CA server 20 and server application 30, respectively.

  FIG. 31 is a block diagram showing a functional configuration of CA server 20 # in the third embodiment of the present invention.

  CA server 20 # does not include determination unit 204, log collection unit 205, and condition determination table 207 in the configuration of CA server 20 shown in FIG. Therefore, CA server 20 # includes communication unit 201, certificate issuing unit 202, CRL issuing unit 203, and certificate management table 206.

  FIG. 32 is a block diagram showing a functional configuration of server application 30 # in the third embodiment of the present invention.

  Server application 30 # further includes a communication log acquisition unit 305, a communication log storage unit 306, a certificate issuance determination unit 307, and a condition determination table 308 in addition to the configuration of server application 30 shown in FIG. The function of the communication log acquisition unit 305 corresponds to the function of the log collection unit 502 of the log collection server 50 in the first embodiment. The function of the communication log storage unit 306 corresponds to the function of the log storage unit 503 of the log collection server 50. The function of the certificate issuance determination unit 307 corresponds to the function of the determination unit 204 of the CA server 20. The condition determination table 308 corresponds to the condition determination table 207 of the CA server 20. Therefore, detailed description of these functional units will not be repeated.

  Both the communication log storage unit 306 and the condition determination table 308 may be included in the hard disk 37 shown in FIG. The functions of the communication log acquisition unit 305 and the certificate issuance determination unit 307 may be realized by the CPU 31.

  In the present embodiment, the server application 30 # itself executes a process for eliminating unauthorized operation of the server application, so that the communication log acquisition unit 305, the communication log storage unit 306, and the certificate issuance determination unit 307 are executed. The condition determination table 308 is preferably protected by the protection unit 304. That is, it is desirable that access from outside the protection unit 304 to the inside of the protection unit 304 and modification within the protection unit 304 cannot be performed. For example, the following protection methods can be considered. As a first example, a memory image of a protected part is stored as a hash value. As a second example, the protection unit provides a virtual environment for the protected part. The protection unit 304 is provided with another hardware for the protected part. Further, it is also desirable that a hash value is added to the communication packet or the determination content is encrypted so that the packet itself cannot be falsified so that the determination content is not processed by the communication unit 301.

  In this embodiment, the CPU 31 shown in FIG. 3 may be realized by executing a software program. For example, as described with reference to FIG. 10, similarly to the certificate storage units 302 and 303, a program including modules corresponding to the respective function units in the protection unit 304 may be stored in the hard disk 37. It is possible to realize each function by executing. The hard disk 37 may be stored by, for example, storing software stored in the recording medium 38A by using the media drive 38, or via the Internet 10 from the outside using the communication interface 35. May be installed.

  Further, in order to form the server application 30 #, a module corresponding to each function unit in the protection unit 304 can be incorporated in advance as a tamper-resistant dedicated device, or a USB (Universal Serial Bus) ) The dedicated device may be externally connected using a terminal or the like.

(About operation)
Also in the third embodiment of the present invention, first, the server application 30 # requests a trial version certificate and obtains the trial version certificate. This process is the same as described in FIG. The detailed description thereof will not be repeated.

  FIG. 33 is a flowchart showing processing executed when server application 30 # determines whether to issue the operation certificate in the third embodiment of the present invention.

  Referring to FIG. 33, certificate issuance determination unit 307 checks the expiration date of the trial version certificate stored in its own certificate storage unit 302 and determines whether or not the certificate needs to be updated. (Step S202). The process here may be the same as the process of step S42 shown in FIG.

  If it is determined that the remaining validity period of the trial version certificate is equal to or less than the threshold (NO in step S202), certificate issue determination unit 307 reads the communication log between the MFP and the MFP 40 from communication log storage unit 306 ( Step S204). In the present embodiment, it is assumed that the communication log acquisition unit 305 acquires a communication log every time it communicates with the MFP 40 and stores it in the communication log storage unit 306.

  The certificate issuance determination unit 307 determines whether or not the operation certificate can be issued based on the communication log and the condition determination table 308 (step S206). Here, the determination of availability may be the same as the process shown in step S16 of FIG. When it is determined that the operation certificate can be issued (“OK” in step S206), the certificate issuance determination unit 307 requests the CA server 20 to issue the operation certificate via the communication unit 301 (step S206). S208). Thereafter, the communication unit 301 receives the operation certificate issuance notification from the CA server 20 #, and stores the issued operation certificate in the certificate storage unit 302 (step S210).

  On the other hand, when it is determined that the operation certificate cannot be issued (“NG” in step S206), the certificate issuance determination unit 307 sends the certificate to the CA server 20 # via the communication unit 301. Requesting the revocation of the trial version certificate (step S212). Thereafter, the communication unit 301 receives a trial certificate revocation notification from the CA server 20 # and receives the issued CRL (step S214).

  In the present embodiment, when CA server 20 # receives the issuance request for the operational certificate, certificate issuing unit 202 records it in certificate management table 206 (without determining whether to issue the certificate). Based on the information of the trial version certificate of the server application 30 that has been created, a new operation certificate of the server application 30 is newly generated, and the generated information of the operation certificate is recorded in the certificate management table 206. Certificate issuing unit 202 transmits the operation certificate together with the certificate issuance notification to server application 30 # via communication unit 201.

  When communication unit 201 receives a request for revocation of a trial version certificate from server application 30 #, CRL issuing unit 203 revokes the trial version certificate of server application 30 and generates a CRL. Then, the CRL is transmitted together with the CRL issue notification to the server application 30 # via the communication unit 201.

  As described above, according to the present embodiment, the server application itself can determine the presence or absence of unauthorized operation. Therefore, when there are a plurality of server applications, it is necessary to determine whether or not the operation certificate is issued for each server application in the communication system according to the first embodiment. According to this embodiment, the processing load on the CA server can be reduced.

In addition, you may combine each said embodiment and each modification.
In addition, a method for eliminating an unauthorized operation of a server application performed by the monitoring apparatus (CA server or management server) according to the present embodiment can be provided as a program. Such a program is recorded on a non-transitory recording medium in which the program can be read by a computer. Such “computer-readable recording medium” includes, for example, an optical medium such as a CD-ROM (Compact Disc-ROM), a magnetic recording medium such as a memory card, and the like. Further, such a program can be recorded on a computer-readable recording medium and provided as a program product. A program can also be provided by downloading via a network.

  The program according to the present embodiment is a program module that is provided as a part of a computer operating system (OS) and calls necessary modules in a predetermined arrangement at a predetermined timing to execute processing. There may be. In that case, the program itself does not include the module, and the process is executed in cooperation with the OS. A program that does not include such a module can also be included in the program according to the present embodiment.

  Further, the program according to the present embodiment may be provided by being incorporated in a part of another program. Even in this case, the program itself does not include the module included in the other program, and the process is executed in cooperation with the other program. Such a program incorporated in another program can also be included in the program according to the present embodiment. Note that the program product includes the program itself and a storage medium in which the program is stored.

  The embodiment disclosed this time should be considered as illustrative in all points and not restrictive. The scope of the present invention is defined by the terms of the claims, rather than the description above, and is intended to include any modifications within the scope and meaning equivalent to the terms of the claims.

  10 Internet, 12 Intranet, 20, 20A, 20B, 20C CA server, 21, 31, 51 CPU, 22, 32, 52 RAM, 23, 33, 53 ROM, 24, 34, 54 Input unit, 25, 35, 45 , 55 Communication interface, 26, 36, 56 Monitor, 27, 37, 57 Hard disk, 28, 38, 58 Media drive, 28A, 38A, 58A Recording medium, 30 Server application, 40 MFP, 41 Control unit, 42 Memory unit, 43 image reading unit, 44 printing unit, 46 operation panel unit, 47 storage unit, 50 log collection server, 201, 301, 401, 501 communication unit, 202, 202C certificate issuing unit, 203 CRL issuing unit, 204, 204A, 204B, 204C determination unit, 205, 205A, 5 2 log collection unit, 206 certificate management table, 207 condition determination table, 208 determination start condition table, 209 determination result storage table, 210 periodic check unit, 302, 402 certificate storage unit, 303 certificate request unit, 304 protection unit 305, communication log acquisition unit, 306, 404 communication log storage unit, 307 certificate issuance determination unit, 308 condition determination table, 403 communication determination unit, 405 communication log output unit, 406 determination policy table, 503 log storage unit, 504 log Output unit, 505 management table.

Claims (15)

A monitoring device for monitoring the operation of a server application for managing an image processing device,
Storage means storing determination conditions including at least a first condition indicating the usage frequency of the server application;
An acquisition unit for installing the server application and acquiring a communication history between the management server from which the first certificate is issued and the image processing apparatus;
Judgment means for deciding whether to relax the communication restriction set in the management server by judging the usage record of the management server based on the judgment condition and the communication history. , Monitoring device.   The monitoring apparatus according to claim 1, further comprising issuing means for issuing the first certificate. The first certificate is a trial version certificate;
The monitoring apparatus according to claim 2, wherein the issuing unit issues a second certificate with the communication restriction relaxed when the determining unit determines that there is a usage record.   The monitoring device according to claim 3, wherein the issuing unit rejects the issue of the second certificate when the determining unit determines that there is no usage record.   4. The monitoring according to claim 3, wherein the issuing unit sets the communication restriction level of the second certificate according to the determination condition determined by the determination unit to be satisfied by the management server. apparatus.   The monitoring apparatus according to claim 1, wherein the communication restriction represents a communication possible period with the image processing apparatus.   The monitoring apparatus according to claim 6, wherein the communicable period represents an effective period of an electronic certificate.   The monitoring apparatus according to claim 7, wherein the determination unit determines a usage record of the management server when the remaining validity period of the first certificate is equal to or less than a threshold value. The determination means determines the usage record of the management server when a predetermined period has elapsed since the first certificate was issued;
The system further comprises means for permitting continuous use of the first certificate when it is determined that there is a usage record, and revoking the first certificate when it is determined that there is no use record. The monitoring device according to claim 6.   The determination unit uses the management server when the cumulative number of communication histories, the total amount of communication data, and the number of communicating image processing apparatuses are equal to or greater than a predetermined value. The monitoring device according to claim 1, wherein The determination condition further includes a second condition indicating presence / absence of unauthorized communication of the management server,
The monitoring apparatus according to claim 1, wherein the determination unit further uses a determination result of presence / absence of unauthorized communication of the management server in determining whether to relax the communication restriction of the management server. The storage means further stores past determination results by the determination means,
The monitoring apparatus according to claim 1, wherein the determination unit determines whether to relax a communication restriction set in the management server using the past determination result. The monitoring device is included in the management server,
The monitoring apparatus according to claim 1, further comprising a protection unit for protecting the storage unit, the acquisition unit, and the determination unit. A monitoring method for monitoring the operation of a server application for managing an image processing apparatus,
Installing the server application, obtaining a communication history between the management server from which the first certificate is issued and the image processing apparatus;
Whether or not to relax the communication restriction of the management server by determining the usage record of the management server based on the determination condition including at least the first condition indicating the usage frequency of the server application and the communication history And a step of determining a monitoring method. A monitoring program for monitoring the operation of a server application for managing an image processing apparatus,
Installing the server application, obtaining a communication history between the management server from which the first certificate is issued and the image processing apparatus;
Whether or not to relax the communication restriction of the management server by determining the usage record of the management server based on the determination condition including at least the first condition indicating the usage frequency of the server application and the communication history A monitoring program for causing a computer to execute the step of determining.

Images