JP6945498B2 - Network management equipment and network system - Google Patents

Description

The present invention relates to a network management device and a network system, for example, a network management device and a network system having a function of distributing a client certificate.

The certificate issuing device shown in Patent Document 1 transmits a password input screen to the terminal device in response to a certificate acquisition request from the terminal device, and after password authentication, a PKCS # 12 format certificate file is sent to the terminal device. To send. The password is notified to the user of the terminal device online or offline (means such as mail) in advance.

Japanese Unexamined Patent Publication No. 2006-67515

For example, when user authentication or computer authentication is performed using a client certificate in a network system of a company or the like, the client certificate needs to be installed in advance on the user terminal used by each user. Therefore, usually, the network administrator or the like applies to the certificate authority to issue a client certificate, and each PKCS # 12 format file (referred to as a p12 file in the specification) containing the client certificate issued by the certificate authority is provided. Distribute to users (user terminals). Each user installs the client certificate included in the p12 file on his / her own user terminal.

The p12 file is a file having the format specified by the "PKCS # 12 Personal Information Exchange Syntax Standard" standard. The standard defines a format for storing (archiving) a private key and a public key certificate (for example, a client certificate) related thereto as one file. The client certificate and the like are distributed in a state of being archived in the p12 file by the password. When expanding the distributed p12 file to the client certificate and installing it on the user terminal, the password at the time of archiving is required. Therefore, in addition to the work of distributing the p12 file to each user, the network administrator or the like notifies the password of the p12 file in advance by e-mail, a document, or the like as shown in Patent Document 1. Need to be done. As a result, the burden on the network administrator and the like becomes heavy.

The present invention has been made in view of the above, and one of the objects thereof is to provide a network management device and a network system capable of reducing the burden on a network administrator or the like.

The above and other objects and novel features of the present invention will become apparent from the description and accompanying drawings herein.

A brief description of typical embodiments of the inventions disclosed in the present application is as follows.

The network management device according to the present embodiment executes the first and second processes. In the first process, the network management device expands the first file, which is the p12 file received from the certificate authority and in which the client certificate is archived, into the client certificate with the initial password received from the certificate authority. In the second process, the network management device causes the user of the user terminal to enter an arbitrary password in response to the request for obtaining the client certificate from the user terminal, and the expanded client certificate obtained by the first process. Is archived in a second file, which is a p12 file, with the arbitrary password, and then transmitted to the user terminal.

A brief description of the effects obtained by a typical embodiment of the inventions disclosed in the present application makes it possible to reduce the burden on the network administrator and the like.

It is a figure which shows the schematic configuration example of the main part and the schematic operation example at the time of network authentication in the network system according to Embodiment 1 of this invention. It is a sequence diagram which shows an example of the processing content related to the certificate distribution part in FIG. It is the schematic which shows the structural example of the main part of the certificate distribution part in FIG. It is the schematic which shows the structural example of the main part of the network authentication part in FIG. It is a schematic diagram which shows the structural example of the main part of the certificate distribution part in FIG. 1 in the network management apparatus according to Embodiment 2 of this invention. It is a sequence diagram which shows an example of the processing content related to the certificate distribution part of FIG.

In the following embodiments, when necessary for convenience, the description will be divided into a plurality of sections or embodiments, but unless otherwise specified, they are not unrelated to each other, and one is the other. There is a relationship of some or all modifications, details, supplementary explanations, etc. In addition, in the following embodiments, when the number of elements (including the number, numerical value, quantity, range, etc.) is referred to, when it is specified in particular, or when it is clearly limited to a specific number in principle, etc. Except, the number is not limited to the specific number, and may be more than or less than the specific number.

Furthermore, in the following embodiments, the components (including element steps and the like) are not necessarily essential unless otherwise specified or clearly considered to be essential in principle. Needless to say. Similarly, in the following embodiments, when referring to the shape, positional relationship, etc. of a component or the like, the shape is substantially the same unless otherwise specified or when it is considered that it is not apparent in principle. Etc., etc. shall be included. This also applies to the above numerical values and ranges.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. In addition, in all the drawings for explaining the embodiment, in principle, the same members are designated by the same reference numerals, and the repeated description thereof will be omitted.

(Embodiment 1)
<< Outline configuration of network system >>
FIG. 1 is a diagram showing a schematic configuration example of a main part and a schematic operation example at the time of network authentication in the network system according to the first embodiment of the present invention. The network system shown in FIG. 1 includes a certificate authority CA, an L3 switch L3SW, an L2 switch L2SW1 and L2SW2, a wireless LAN access point AP, a network management device 12, a business server 13, a directory server 14, and a user terminal. 20a and 20b are provided. The L3 switch L3SW performs relay processing based on layer 3 (L3) (that is, IP address) in addition to relay processing based on layer 2 (L2) (that is, MAC address) of the OSI reference model. The L2 switches L2SW1 and L2SW2 perform relay processing based on layer 2 (L2) of the OSI reference model.

In this example, the certificate authority CA and the directory server 14 are connected to the L3 switch L3SW via the IP network 10. The L2 switches L2SW1 and L2SW2, the network management device 12, and the business server 13 are connected to the L3 switch L3SW via a communication line (for example, an Ethernet (registered trademark) cable) 11. The user terminal 20a is used by the user 21a and is connected to the L2 switch L2SW1 via the communication line 11. The user terminal 20b is used by the user 21b and performs wireless communication with the wireless LAN access point AP. The wireless LAN access point AP is connected to the L2 switch L2SW2 via the communication line 11. Further, in this example, the client certificates 25a and 25b are installed on the user terminals 20a and 20b, respectively.

The certificate authority CA issues various digital certificates such as client certificates and server certificates. As is widely known, a digital certificate includes information on a public key, information on its owner, information on an expiration date, and the like, and the certificate authority CA digitally signs these various types of information. The directory server 14 provides a directory service using, for example, LDAP (Lightweight Directory Access Protocol) or the like, and is a server that manages various resources, information, and the like existing on the network. The business server 13 is, for example, a server that provides various information and the like necessary for business to each user 21a and 21b.

The network management device 12 is, for example, a server managed by the network administrator 22, and includes a network authentication unit 15 and a certificate distribution unit 16 implemented by program processing on the server. Here, the network authentication unit 15 and the certificate distribution unit 16 are implemented on the same server, but may be implemented on individual servers. The certificate distribution unit 16 distributes the client certificate to the user terminals 20a and 20b (users 21a and 21b), although the details will be described later. The network authentication unit 15 has a function of an authentication server based on IEEE802.X.

In IEEE802.1X, it is inserted into the communication path between the supplicant, which is the software on the user terminals 20a and 20b, the authentication server (RADIUS server) corresponding to the network authentication unit 15, and the supplicant and the authentication server. Network authentication of the user terminal or user is performed with the authenticator as a component. At this time, an authentication protocol called EAP (Extensible Authentication Protocol) is used. The authenticator corresponds to an IEEE802.X-compatible L2 switch (called an authentication switch) or a wireless LAN access point, and in the example of FIG. 1, it corresponds to the L2 switch L2SW1 and the wireless LAN access point AP.

For example, in the initial state, the L2 switch L2SW1 limits the communication range of the user terminal 20a to the range up to the L2 switch L2SW1. In this state, the user terminal 20a (user 21a) makes an authentication request to the L2 switch L2SW1 (step S101). This authentication request is made using an EAPOL (EAP Over LAN) frame. The 802.1x frame can include the account information (user ID, password, etc.) of the user 21a or the client certificate 25a.

The L2 switch L2SW1 relays the authentication request from the user terminal 20a to the network authentication unit 15 via the L3 switch L3SW (step S102). At this time, the L2 switch L2SW1 converts the EAPOL frame into an EAP packet destined for the IP address of the network authentication unit 15. The network authentication unit 15 determines the success or failure of the authentication in response to the authentication request from the user terminal 20a via the L2 switch L2SW1 and the L3 switch L3SW (step S103).

At this time, when the network authentication unit 15 authenticates with the account information, for example, the network authentication unit 15 verifies the authenticity based on the authentication table in which the valid account information and the like are registered in advance. On the other hand, when the network authentication unit 15 authenticates with the client certificate 25a, the network authentication unit 15 verifies the authenticity based on, for example, the electronic signature of the client certificate 25a, the expiration date, and the like. Further, the network authentication unit 15 may verify the authenticity based on the identity between the client certificate registered in advance and the received client certificate 25a, for example. In verifying the authenticity, the network authentication unit 15 may use not only the registration information such as the authentication table held internally but also the registration information acquired from the directory server 14 by communicating with the directory server 14. good.

The network authentication unit 15 determines the authentication success / failure based on the authenticity verification result, and transmits the authentication result including the authentication success / failure determination result to the L2 switch L2SW1 (step S104). The L2 switch L2SW1 controls the communication range of the user terminal 20a according to the authentication result from the network authentication unit 15. For example, the L2 switch L2SW1 controls not to relay the frame from the user terminal 20a when the authentication result of the authentication failure is received from the network authentication unit 15. Further, when the L2 switch L2SW1 receives the authentication result of successful authentication from the network authentication unit 15, for example, the L2 switch L2SW1 and the business server 13 or the like are based on the information such as the allocated VLAN included in the authentication result (that is, the authentication VLAN function). Control so that a communication path is constructed. The wireless LAN access point AP also performs the same processing as in the case of the L2 switch L2SW1 for the user terminal 20b (user 21b).

Here, when network authentication is performed using the client certificates 25a and 25b as described above, the client certificates 25a and 25b need to be installed in advance on the user terminals 20a and 20b. Therefore, a certificate distribution unit 16 that distributes the client certificate to the user terminal (user) is provided. The client certificate is specifically divided into a user certificate that proves the authenticity of the user and a computer certificate that proves the authenticity of the user terminal, but any of them may be used.

<< Details of Certificate Distribution Department >>
FIG. 2 is a sequence diagram showing an example of processing contents related to the certificate distribution unit in FIG. In FIG. 2, first, the network administrator 22 applies to the certificate authority CA for issuance of a client certificate of the user 21 or the user terminal 20 in response to a request from the user 21 (step S201). The certificate authority CA issues a client certificate in response to the issuance application, and archives the issued client certificate in a p12 file (first file) with the initial password specified by the certificate authority CA, etc. together with the private key, etc. (Step S202). Subsequently, the certificate authority CA sends the p12 file and the initial password to the management terminal 22 (step S203).

Next, the network administrator 22 certifies the p12 file (first file) received from the authentication authority CA and the initial password by associating them with the account information (user account or computer account) of the user 21 or the user terminal 20. Upload to the document distribution unit 16a (step S204). Specifically, the network administrator 22 registers these correspondences in the management table provided in the certificate distribution unit 16a, for example. The certificate distribution unit 16a corresponds to the certificate distribution unit 16 shown in FIG.

Subsequently, the certificate distribution unit 16a expands the p12 file (first file) in which the client certificate is archived into the client certificate with the initial password based on the correspondence registered in step S204 (step). S205). Next, the certificate distribution unit 16a manages the expanded client certificate by associating it with the account information corresponding to the p12 file before expansion, and further manages it in a state where it can be archived in the p12 file with an arbitrary password. (Step S206). As a specific example, for example, the management table holds the correspondence between the p12 file (first file), the initial password, and the account information, as well as the correspondence between the account information and the expanded client certificate. ..

After that, the user 21 logs in to the certificate distribution unit 16a with the predetermined account information (user account or computer account) using the user terminal 20, and transmits a client certificate acquisition request to the certificate distribution unit 16a (step). S207). In response to this, the certificate distribution unit 16a causes the user terminal 20 to display the password input screen (step S208), and causes the user 21 of the user terminal 20 to input an arbitrary password (step S209).

Next, the certificate distribution unit 16a sets the expanded client certificate corresponding to the account information in step S207 as the object of archiving based on the correspondence (management table) in step S206. Then, the certificate distribution unit 16a archives the target expanded client certificate in a p12 file (second file) with an arbitrary password entered in step S209 (step S210). After that, the certificate distribution unit 16a transmits the p12 file to the user terminal 20 (step S211). The user 21 of the user terminal 20 expands the p12 file into a client certificate with an arbitrary password entered in step S209, and installs the p12 file in the user terminal 20 (step S212).

In order for the user terminal 20 (user 21) to log in to the certificate distribution unit 16a in step S207, a communication path between the user terminal 20 and the certificate distribution unit 16a is constructed by network authentication as a prerequisite. You need to be. As described in FIG. 1, for example, when the user 21a performs network authentication with the user account or when the client certificate 25a in the user terminal 20a performs network authentication (for example, the expiration date of the client certificate 25a). At the time of update), the communication path is constructed. However, it may happen that such a method cannot be applied. In this case, for example, the network administrator 22 may use the authentication VLAN function to make settings so that the communication path is constructed when the authentication fails.

By providing the certificate distribution unit 16a as described above, it is possible to reduce the burden on the network administrator 22. That is, the network administrator 22 may perform the work of uploading the p12 file to the certificate distribution unit 16a in step S204, and does not need to perform the work of distributing the p12 file to the user terminal 20 (user 21). Further, the certificate distribution unit 16a causes the user 21 to determine an arbitrary password in step S209, so that the network administrator 22 also notifies the user 21 of the initial password in step S203 as in Patent Document 1. You don't have to do it. Further, by using the mechanism of letting the user 21 decide an arbitrary password in this way, the password is less likely to be leaked as compared with the case where the network administrator 22 notifies each user of the initial password, and the security in the network system Can be improved.

FIG. 3 is a schematic view showing a configuration example of a main part of the certificate distribution part in FIG. The certificate distribution unit 16a shown in FIG. 3 includes a management table 30a, an expansion processing unit 31a, an archive processing unit 32, and a storage unit 33. The management table 30a and the storage unit 33 are mounted in a volatile memory or a non-volatile memory. The expansion processing unit 31a and the archive processing unit 32 are implemented by, for example, program processing using a CPU. In the management table 30a, the correspondence between the account information, the initial password (PW), and the p12 file (pointer thereof) is registered by the process of step S204 of FIG. The actual p12 file 34 is stored in the storage unit 33.

In this example, a user account including a user ID and a password and a computer account including a computer name of a user terminal are registered as account information. However, in some cases, for example, only the user account may be used. As described in step S205 of FIG. 2, the expansion processing unit 31a certifies the p12 file (first file) 34 in the storage unit 33 with the corresponding initial password for each registration entry in the management table 30a. It is expanded into the document 35 and stored in the storage unit 33.

Further, as described in step S206 of FIG. 2, the expansion processing unit 31a manages the expanded client certificate 35 by associating it with the account information corresponding to the unexpanded p12 file (first file) 34. do. In this example, the expansion processing unit 31a registers a pointer to the expanded client certificate 35 in the corresponding registration entry in the management table 30a. When such an expansion process is completed, the expansion processing unit 31a may delete the processed p12 file 34 and the corresponding initial password from the storage unit 33 and the management table 30a.

The archive processing unit 32 searches each registered entry in the management table 30a using the account information 40 in step S207 of FIG. 2 as a search key, and sets the expanded client certificate 35 registered in the hit entry as the target of archiving. stipulate. Then, the archive processing unit 32 archives the target expanded client certificate 35 in the p12 file (second file) 43 with the arbitrary password (PW) 41 entered in step S209, and then the request source. Send to the user terminal.

<< Details of Network Authentication Department >>
FIG. 4 is a schematic view showing a configuration example of a main part of the network authentication unit in FIG. The network authentication unit 15 shown in FIG. 4 includes an authentication table 45, a storage unit 46, and an authentication determination unit 47. The authentication table 45 and the storage unit 46 are mounted in a volatile memory or a non-volatile memory. The authentication determination unit 47 is implemented, for example, by program processing using a CPU or the like.

Each information in the authentication table 45 may be registered in advance by the network administrator 22, or may be acquired by the network authentication unit 15 from the directory server 14 in cooperation with the directory server 14 of FIG. .. Each registration entry in the authentication table 45 holds, for example, a correspondence between the account information for verification and the client certificate (the pointer thereof) and the assigned VLAN. The actual verification client certificate is stored in the storage unit 46. The verification account information includes user accounts and computer accounts.

As described in FIG. 1, the authentication determination unit 47 receives the authentication request 48 including the account information or the client certificate, determines the authentication success or failure of the account information or the client certificate based on the authentication table 45, and authenticates. The result 49 is transmitted. When, for example, the authentication determination unit 47 receives an authentication request 48 including a user account whose user ID and password are "ID [1]" and "PW [1]", the user account is verified in the registration entry [1]. Since it matches the account information for, it is judged that the authentication is successful. Then, the authentication determination unit 47 transmits the authentication success determination result and the allocation VLAN “VNx” registered in the registration entry [1] as the authentication result 49.

On the other hand, when the authentication determination unit 47 receives the authentication request 48 including the client certificate [1], the authentication determination unit 47 verifies the authenticity based on the electronic signature of the client certificate [1], the expiration date, and the like. Further, in the authentication determination unit 47, the correspondence between the user ID or computer account described in the client certificate [1] or received together with the client certificate [1] and the client certificate [1] is displayed in the authentication table 45. Authenticity is verified by determining whether or not it is registered.

Further, in some cases, the authentication determination unit 47 determines the identity between the received client certificate [1] and the verification client certificate [1] registered in the storage unit 46, thereby determining the authenticity. To verify. As a result, when the client certificate [1] is genuine, the authentication determination unit 47 determines that the authentication is successful, and as the authentication result 49, the authentication success determination result and the allocation registered in the registration entry [1]. The VLAN "VNx" is transmitted.

Here, the account information included in the authentication table 45 of FIG. 4 is information for determining the success or failure of authentication in network authentication. On the other hand, the account information included in the management table 30a of FIG. 3 is information for determining whether or not to log in to the certificate distribution unit 16a. Therefore, these account information does not necessarily have to be the same. However, as shown in FIG. 1, in particular, when the same server is provided with the network authentication unit 15 and the certificate distribution unit 16, the efficiency of various resources can be improved by making both account information the same. Can be achieved.

Specifically, if both account information is the same, the correspondence between the account information and the client certificate can be shared in the authentication table 45 of FIG. 4 and the management table 30a of FIG. 3, so that, for example, two It is possible to integrate the tables into one. Further, the network authentication unit 15 in FIG. 4 has a correspondence relationship between the account information and the client certificate generated by the certificate distribution unit 16a in FIG. 3 and the actual data of the client certificate (client after expansion in FIG. 3). Network authentication (for example, identity determination of client certificate) can be performed using the certificate 35).

<< Main effect of Embodiment 1 >>
As described above, by using the network system and the network management device of the first embodiment, it is possible to reduce the burden on the network administrator and the like. In addition, security in the network system can be improved.

(Embodiment 2)
<< Details of the certificate distribution section (variation example) >>
FIG. 5 is a schematic view showing a configuration example of a main part of the certificate distribution part in FIG. 1 in the network management device according to the second embodiment of the present invention. FIG. 6 is a sequence diagram showing an example of processing contents related to the certificate distribution unit of FIG. The certificate distribution unit may not have to leave the expanded client certificate (reference numeral 35 in FIG. 3) in the storage unit 33 after the distribution of the client certificate is completed. Here, an example of such a case will be described.

The certificate distribution unit 16b shown in FIG. 5 corresponds to the certificate distribution unit 16 in FIG. 1, and differs from the configuration example in FIG. 3 in the following points. First, the storage unit 33 does not hold the expanded client certificate (reference numeral 35 in FIG. 3), and accordingly, the management table 30b does not retain the correspondence between the account information and the expanded client certificate. .. Along with this, the expansion processing unit 31b transmits the expanded client certificate to the archive processing unit 32 as it is, instead of storing it in the storage unit 33.

In the sequence shown in FIG. 6, the processing order of steps S205 to S210 in FIG. 2 is changed as compared with the sequence shown in FIG. 2, and the processing of step S206 is deleted. In step S204 of FIG. 6, the network administrator 22 uploads the p12 file (first file) and the initial password to the certificate distribution unit 16b in association with the account information, as in the case of FIG. Unlike the case of FIG. 2, the certificate distribution unit 16b waits for login from the user terminal 20 (user 21) in this state.

When the login from the user terminal 20 (user 21) and the acquisition request of the client certificate occur in this state (step S207), the certificate distribution unit 16b requests the user 21 for the password as in the case of FIG. To enter an arbitrary password (steps S208 and S209). After that, the certificate distribution unit 16b expands the p12 file (first file) corresponding to the account information with the initial password (step S205), and subsequently expands the expanded client certificate with an arbitrary password to the p12 file. Archive to (second file) (step S210). The certificate distribution unit 16b transmits the p12 file to the user terminal 20 (step S211). The certificate distribution unit 16b may reduce the number of registration entries that have completed the process of step S211 including the p12 file 34 in the storage unit 33.

<< Main effect of Embodiment 2 >>
As described above, the same effect as that of the first embodiment can be obtained by using the network system and the network management device of the second embodiment.

Although the invention made by the present inventor has been specifically described above based on the embodiment, the present invention is not limited to the embodiment and can be variously modified without departing from the gist thereof. For example, the above-described embodiments have been described in detail in order to explain the present invention in an easy-to-understand manner, and are not necessarily limited to those having all the described configurations. Further, it is possible to replace a part of the configuration of one embodiment with the configuration of another embodiment, and it is also possible to add the configuration of another embodiment to the configuration of one embodiment. .. Further, it is possible to add / delete / replace other configurations with respect to a part of the configurations of each embodiment.

10 IP network 11 Communication line 12 Network management device 13 Business server 14 Directory server 15 Network authentication unit 16 Certificate distribution unit 20 User terminal 21 User 22 Network administrator 25, 35 Client certificate 30 Management table 31 Deployment processing unit 32 Archive processing Unit 33,46 Storage unit 34,43 p12 file 40 Account information 41 Arbitrary password 45 Authentication table 47 Authentication judgment unit 48 Authentication request 49 Authentication result AP wireless LAN access point CA authentication station L2SW L2 switch L3SW L3 switch

Claims (8)

The first process of expanding the first file, which is a PKCS # 12 format file received from the certificate authority and in which the client certificate is archived, to the client certificate with the initial password received from the certificate authority. ,
In response to the request for obtaining the client certificate from the user terminal, the user of the user terminal is made to enter an arbitrary password, and the expanded client certificate obtained by the first process is used with the arbitrary password. A second process of archiving into a second file in PKCS # 12 format and then sending to the user terminal, and
Equipped with a certificate distribution department to execute
Network management device. In the network management device according to claim 1,
The certificate distribution department
Before SL provided and account information of the user or the user terminal, a management table that holds the correspondence between the client certificate after the deployment,
In the second process, the account information is received from the user terminal, and the expanded client certificate corresponding to the account information is set as the target of the archive based on the management table.
Network management device. In the network management device according to claim 1,
The certificate distribution department
Comprising a front Symbol first file, and the initial password, the management table storing relationships between the user or account information of the user terminal,
In the first process, based on the management table, the first file is expanded to the client certificate with the initial password, and the expanded client certificate is expanded to the account corresponding to the first file. Manage by linking to information,
In the second process, the account information is received from the user terminal, and the expanded client certificate managed in association with the account information based on the management table is set as the target of the archive.
Network management device. In the network management device according to claim 2 or 3 .
A network authentication section determines authentication success in response to the authentication request based on IEEE802.1X from the previous SL user terminal,
The account information held in the management table is the same as the account information to be determined by the network authentication unit for success or failure of authentication.
Network management device. With the user terminal
A network management device including a network authentication unit that determines the success or failure of authentication in response to an authentication request based on IEEE802.1X from the user terminal, and a certificate distribution unit that distributes a client certificate to the user terminal.
It is inserted into the communication path between the user terminal and the network management device, relays the authentication request from the user terminal to the network authentication unit, and responds to the authentication result from the network authentication unit of the user terminal. An authentication switch or wireless LAN access point that controls the communication range,
The certificate authority that issues the client certificate and
It is a network system equipped with
The certificate distribution department
The first file, which is a PKCS # 12 format file received from the certificate authority and in which the client certificate is archived, is expanded into the client certificate with the initial password received from the certificate authority. Processing and
In response to the request for obtaining the client certificate from the user terminal, the user of the user terminal is made to enter an arbitrary password, and the expanded client certificate obtained by the first process is used with the arbitrary password. The second process of archiving in the second file in PKCS # 12 format and then transmitting to the user terminal, and
To execute,
Network system. In the network system according to claim 5,
The certificate distribution department
A management table that holds a correspondence between the account information of the user or the user terminal and the expanded client certificate is provided.
In the second process, the account information is received from the user terminal, and the expanded client certificate corresponding to the account information is set as the target of the archive based on the management table.
Network system. In the network system according to claim 5,
The certificate distribution department
A management table that holds a correspondence between the first file, the initial password, and the account information of the user or the user terminal is provided.
In the first process, based on the management table, the first file is expanded to the client certificate with the initial password, and the expanded client certificate is expanded to the account corresponding to the first file. Manage by linking to information,
In the second process, the account information is received from the user terminal, and the expanded client certificate managed in association with the account information based on the management table is set as the target of the archive.
Network system. In the network system according to claim 6 or 7.
The account information held in the management table is the same as the account information to be determined by the network authentication unit for success or failure of authentication.
Network system.

Images