US20080256089A1 - Supporting multiple security mechanisms in a database driver - Google Patents


Info

Publication number: US20080256089A1
Authority: US (United States)
Prior art keywords: client, security, interface, database server, database
Legal status: Abandoned (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: US12/144,500
Inventors: Huaxin Gao, Bilung Lee, Paul A. Ostler
Current Assignee: International Business Machines Corp (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: International Business Machines Corp
Events: Application filed by International Business Machines Corp. Priority to US12/144,500. Assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION (assignment of assignors' interest; see document for details). Assignors: OSTLER, PAUL A., GAO, HUAXIN, LEE, BILUNG. Publication of US20080256089A1.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication

Definitions

  • Credential retrieving interface 410 is operable to retrieve the credential set by the client from security module 404 .
  • Context retrieving interface 412 is operable to retrieve a context from security module 404 .
  • the context is created by security module 404 using a combination of the principal name and the credential set by the client.
  • the database driver is operable to invoke the context to obtain security context information created in accordance with the security mechanism used by the client.
  • FIG. 5 shows a security module 500 created by a client according to an embodiment of the invention.
  • Security module 500 includes a principal name 502 , a credential 504 , and a context 506 . Additional information (not shown) may be included in security module 500 in other embodiments.
  • Each security module may be unique to a particular client and/or a specific connection.
  • FIGS. 6A-6C show a process 600 for connecting a client to a database server through a database driver in accordance with an embodiment of the invention.
  • a generic interface is provided in the database driver at 602.
  • a set of specialized interfaces is provided in the database driver at 604.
  • a separate interface is provided in the database driver at 606.
  • a determination is made as to whether a security mechanism used by the client is a GSSAPI compliant security mechanism.
  • the generic interface is utilized to retrieve security context information created in accordance with the security mechanism used by the client at 610 .
  • the security context information is transferred to the database server.
  • a determination is made at 614 as to whether an authentication failure notice has been received from the database server.
  • An error is reported to the client at 616 responsive to receiving an authentication failure notice.
  • a second interface in the set of specialized interfaces is utilized to retrieve a principal name from a security module at 632 .
  • the security module is created by the client to encapsulate the security mechanism used by the client and the principal name is set by the client in the security module using a first interface in the set of specialized interfaces.
  • a fourth interface in the set of specialized interfaces is utilized to retrieve a credential from the security module created by the client.
  • the credential is set by the client in the security module using a third interface in the set of specialized interfaces.
  • a fifth interface in the set of specialized interfaces is utilized to retrieve a context from the security module at 636 .
  • the context is created by the security module using a combination of the principal name and the credential set by the client.
  • the context is invoked at 638 to obtain security context information created in accordance with the security mechanism used by the client.
  • the security context information, the principal name, and the credential are then transferred to the database server at 640 .
  • a determination is made at 642 as to whether an authentication failure notice has been received from the database server. If an authentication failure notice has been received, an error is reported to the client at 644 .
  • security context information relating to the database server is authenticated at 648 .
  • Process 600 returns to 638 when further authentication is required. Otherwise, a connection between the client and the database server is established at 656 and the separate interface is invoked at 658 .
  • the invention can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment containing both hardware and software elements.
  • the invention is implemented in software, which includes, but is not limited to, firmware, resident software, microcode, etc.
  • the invention can take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system.
  • a computer-usable or computer-readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
  • the medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium.
  • Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk, and an optical disk.
  • Current examples of optical disks include DVD, compact disk-read-only memory (CD-ROM), and compact disk-read/write (CD-R/W).
  • FIG. 7 depicts a data processing system 700 suitable for storing and/or executing program code.
  • Data processing system 700 includes a processor 702 coupled to memory elements 704 a - b through a system bus 706 .
  • data processing system 700 may include more than one processor and each processor may be coupled directly or indirectly to one or more memory elements through a system bus.
  • Memory elements 704 a - b can include local memory employed during actual execution of the program code, bulk storage, and cache memories that provide temporary storage of at least some program code in order to reduce the number of times the code must be retrieved from bulk storage during execution.
  • I/O devices 708 a-b include, but are not limited to, keyboards, displays, pointing devices, etc.
  • I/O devices 708 a - b may be coupled to data processing system 700 directly or indirectly through intervening I/O controllers (not shown).
  • a network adapter 710 is coupled to data processing system 700 to enable data processing system 700 to become coupled to other data processing systems or remote printers or storage devices through communication link 712 .
  • Communication link 712 can be a private or public network. Modems, cable modems, and Ethernet cards are just a few of the currently available types of network adapters.
  • a variety of security mechanisms are supported as the database driver is able to utilize the interfaces to retrieve security information that is then authenticated by a database server prior to establishing a connection.
  • the database driver is able to leverage the interfaces to clean up resources used by the security mechanism after the connection is established.
  • a polymorphic model that interoperates well with any predefined and user-defined security mechanism is provided.

Abstract

A computer program product and database driver for connecting a client to a database server are provided. The computer program product and database driver provide for providing a generic interface, the generic interface being operable to interoperate with one or more non-GSSAPI (Generic Security Services Application Programming Interface) compliant security mechanisms, providing a set of specialized interfaces, the set of specialized interfaces being operable to interoperate with one or more GSSAPI compliant security mechanisms, and establishing a connection between a client and a database server using the generic interface or the set of specialized interfaces depending on a security mechanism used by the client. The one or more non-GSSAPI compliant security mechanisms and the one or more GSSAPI compliant security mechanisms may be predefined or user-defined.

Description

  • CROSS-REFERENCE TO RELATED APPLICATIONS
  • Under 35 USC § 120, this application is a continuation application and claims the benefit of priority to U.S. patent application Ser. No. 11/538,518, filed Oct. 4, 2006, entitled “SUPPORTING MULTIPLE SECURITY MECHANISMS IN A DATABASE DRIVER”, a portion of which is incorporated herein by reference.
  • FIELD OF THE INVENTION
  • The present invention relates generally to database drivers. More particularly, the present invention is directed to support of multiple security mechanisms in a database driver.
  • BACKGROUND OF THE INVENTION
  • Database drivers are software modules that enable clients (e.g., applications) to communicate with database servers (e.g., database management systems). Typically, a security mechanism is used to ensure communication between a client and a database server is secure. A variety of predefined security mechanisms are currently available, ranging from simple user identification and password checking to complex Kerberos authentication.
  • Multiple types of security mechanisms are usually supported by a database server for authenticating clients seeking to communicate with the database server. Since a database driver relies upon a security mechanism to obtain authorization from the database server before access can be granted to a client, the database driver must be able to interoperate with the security mechanism used by the client. However, it is not practical to include support for every type of security mechanism that may be used by a client in the database driver.
  • In addition, some clients may want to use a user-defined security mechanism rather than a predefined security mechanism. Although some database servers provide the flexibility to plug in user-defined security mechanisms, database drivers presently do not have the necessary interoperability with user-defined security mechanisms.
  • Accordingly, there is a need to provide support for multiple security mechanisms in database drivers.
  • SUMMARY OF THE INVENTION
  • A computer program product and database driver for connecting a client to a database server are provided. The database driver includes a generic interface operable to interoperate with one or more non-GSSAPI (Generic Security Services Application Programming Interface) compliant security mechanisms and a set of specialized interfaces operable to interoperate with one or more GSSAPI compliant security mechanisms. The database driver is operable to establish a connection between the client and the database server using the generic interface or the set of specialized interfaces depending on a security mechanism used by the client. The security mechanism used by the client is operable to ensure the connection between the client and the database server is established in a secure manner.
  • In one embodiment, the database driver also includes a separate interface in communication with the generic interface and the set of specialized interfaces. The separate interface is operable to free up one or more system resources used to establish the connection between the client and the database server and to erase cryptographic information created to establish the connection between the client and the database server. The separate interface may be invoked in response to establishment of the connection between the client and the database server.
  • The generic interface is operable to retrieve security context information created in accordance with the security mechanism used by the client in an embodiment. In the embodiment, the security mechanism used by the client is one of the one or more non-GSSAPI compliant security mechanisms.
  • In an embodiment, the set of specialized interfaces includes a first interface operable to be utilized by the client to set a principal name in a security module created by the client to encapsulate the security mechanism used by the client, a second interface operable to retrieve the principal name set by the client from the security module, a third interface operable to be utilized by the client to set a credential in the security module, a fourth interface operable to retrieve the credential set by the client from the security module, and a fifth interface operable to retrieve a context from the security module. The context is created by the security module using a combination of the principal name and the credential set by the client. In the embodiment, the security mechanism used by the client is one of the one or more GSSAPI compliant security mechanisms. The database driver is operable to invoke the context to obtain security context information created in accordance with the security mechanism used by the client in one embodiment.
  • At least one of the one or more non-GSSAPI compliant security mechanisms is a user-defined security mechanism in one embodiment. In another embodiment, at least one of the one or more GSSAPI compliant security mechanisms is a user-defined security mechanism. In an embodiment, the security mechanism used by the client is a user-defined security mechanism.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a flowchart of a method for connecting a client to a database server according to an embodiment of the invention.
  • FIG. 2 illustrates a system for connecting a client to a database server in accordance with an embodiment of the invention.
  • FIG. 3 depicts a database driver according to an embodiment of the invention.
  • FIG. 4 shows a set of specialized interfaces in accordance with an embodiment of the invention.
  • FIG. 5 illustrates a security module according to an embodiment of the invention.
  • FIGS. 6A-6C show a process flow of a method for connecting a client to a database server in accordance with an embodiment of the invention.
  • FIG. 7 depicts a block diagram of a data processing system with which embodiments of the present invention can be implemented.
  • DETAILED DESCRIPTION
  • The present invention relates generally to database drivers and more particularly to support of multiple security mechanisms in a database driver. The following description is presented to enable one of ordinary skill in the art to make and use the invention and is provided in the context of a patent application and its requirements. Various modifications to the preferred implementations and the generic principles and features described herein will be readily apparent to those skilled in the art. Thus, the present invention is not intended to be limited to the implementations shown, but is to be accorded the widest scope consistent with the principles and features described herein.
  • In order to ensure that a connection between a client (e.g., an application) and a database server (e.g., a database management system (DBMS)) is established in a secure manner, a security mechanism may be used. Many predefined security mechanisms are available, such as Kerberos, Simple Public Key Mechanism (SPKM), and Low Infrastructure Public Key Mechanism (LIPKEY). Some of the predefined security mechanisms are compliant with the Generic Security Services Application Programming Interface (GSSAPI) standard and others are not. GSSAPI is an application programming interface for providing security services in a generic fashion that was developed by The Open Group.
  • When a database driver is used to facilitate communications between a client and a database server (e.g., establish connection, transfer data between the client and the database server, etc.), the database driver needs to support the various security mechanisms used by the client and the database server. Due to the number of security mechanisms currently available, it is not practical to include support for every type of security mechanism in the database driver. In addition, some clients and database servers may elect to utilize a user-defined security mechanism rather than a predefined security mechanism. Database drivers, however, do not presently support user-defined security mechanisms.
  • Depicted in FIG. 1 is a process 100 for connecting a client to a database server through a database driver according to an embodiment of the invention. At 102, a generic interface is provided in the database driver. The generic interface is operable to interoperate with one or more non-GSSAPI (Generic Security Services Application Programming Interface) compliant security mechanisms. At 104, a set of specialized interfaces is provided in the database driver. The set of specialized interfaces is operable to interoperate with one or more GSSAPI compliant security mechanisms.
  • A connection between the client and the database server is then established using the generic interface or the set of specialized interfaces depending on a security mechanism used by the client (106). The security mechanism used by the client may be a user-defined or a predefined security mechanism. In addition, the security mechanism used by the client is operable to ensure the connection between the client and the database server is established in a secure manner. By including the generic interface and the set of specialized interfaces in the database driver, the database driver is able to interoperate with multiple security mechanisms, including GSSAPI compliant and non-GSSAPI compliant security mechanisms, as well as predefined and user-defined security mechanisms.
  • FIG. 2 illustrates a system 200 in accordance with an embodiment of the invention. System 200 includes a client 202, a database driver 204, and a database server 206. Client 202 may be an application running on a computer and database server 206 may be a database management system (DBMS) running on another computer. In the embodiment, client 202 seeks to communicate with database server 206, which is facilitated by database driver 204. Database driver 204 may be running on the same computer as client 202, the same computer as database server 206, or on a completely different computer. Additionally, client 202 and database server 206 may be running on one computer while database driver 204 is running on another computer, or all three may be running on the same computer.
  • Shown in FIG. 3 is a database driver 300 according to an embodiment of the invention. Database driver 300 includes a generic interface 302 that is operable to interoperate with a non-GSSAPI compliant security mechanism 304, a set of specialized interfaces 306 that is operable to interoperate with a GSSAPI compliant security mechanism 308, and a separate interface 310 that is operable to free up one or more system resources used to establish a connection between a client and a database server and to erase cryptographic information (e.g., tickets, keys, etc.) created to establish the connection between the client and the database server. In one embodiment, the separate interface is invoked in response to establishment of the connection between the client and the database server.
  • Non-GSSAPI compliant security mechanism 304 may be a user-defined or a predefined security mechanism and GSSAPI compliant security mechanism 308 may be a user-defined or a predefined security mechanism. Although only one non-GSSAPI compliant security mechanism 304 is shown in FIG. 3, generic interface 302 can interoperate with multiple non-GSSAPI compliant security mechanisms. In addition, even though the set of specialized interfaces 306 is shown as only interoperating with one GSSAPI compliant security mechanism 308 in FIG. 3, the set of specialized interfaces 306 can interoperate with other GSSAPI compliant security mechanisms.
  • Generic interface 302 is operable to retrieve security context information (e.g., user name and password, key, ticket, credential, etc.) created in accordance with the security mechanism used by the client in one embodiment. In the embodiment, the security mechanism used by the client is non-GSSAPI compliant security mechanism 304.
  • FIG. 4 depicts a set of specialized interfaces 400 that is provided in a database driver in accordance with an embodiment of the invention. The set of specialized interfaces 400 includes a principal name storing interface 402 that is operable to be utilized by a client to set a principal name in a security module 404. Security module 404 is created by the client to encapsulate a security mechanism used by the client. In the embodiment, the security mechanism used by the client is a GSSAPI compliant security mechanism, such as GSSAPI compliant security mechanism 308. The principal name is a unique identifier needed for authentication with a database server.
  • A principal name retrieving interface 406 is also included in the set of specialized interfaces 400. Principal name retrieving interface 406 is operable to retrieve the principal name set by the client from security module 404. The set of specialized interfaces 400 further includes a credential storing interface 408, a credential retrieving interface 410, and a context retrieving interface 412. Credential storing interface 408 is operable to be utilized by the client to set a credential in security module 404. Credentials are used to verify the identity of the client and are sometimes referred to as tickets.
  • Credential retrieving interface 410 is operable to retrieve the credential set by the client from security module 404. Context retrieving interface 412 is operable to retrieve a context from security module 404. The context is created by security module 404 using a combination of the principal name and the credential set by the client. In one embodiment, the database driver is operable to invoke the context to obtain security context information created in accordance with the security mechanism used by the client.
  • Illustrated in FIG. 5 is a security module 500 created by a client according to an embodiment of the invention. Security module 500 includes a principal name 502, a credential 504, and a context 506. Additional information (not shown) may be included in security module 500 in other embodiments. Each security module may be unique to a particular client and/or a specific connection.
  • FIGS. 6A-6C show a process 600 for connecting a client to a database server through a database driver in accordance with an embodiment of the invention. A generic interface is provided in the database driver at 602, a set of specialized interfaces is provided in the database driver at 604, and a separate interface is provided in the database driver at 606. At 608, a determination is made as to whether a security mechanism used by the client is a GSSAPI compliant security mechanism.
  • If the security mechanism used by the client is not a GSSAPI compliant security mechanism, i.e., it is a non-GSSAPI compliant security mechanism, the generic interface is utilized to retrieve security context information created in accordance with the security mechanism used by the client at 610. At 612, the security context information is transferred to the database server. A determination is made at 614 as to whether an authentication failure notice has been received from the database server. An error is reported to the client at 616 responsive to receiving an authentication failure notice.
  • A determination is made at 618 as to whether mutual authentication is required when an authentication failure notice has not been received from the database server. If mutual authentication is required, security context information relating to the database server is authenticated at 620. At 622, a determination is made as to whether there has been an authentication failure with respect to the security context information relating to the database server. An error is reported to the database server at 624 responsive to authentication failure of the security context information relating to the database server.
  • When it is determined at 618 that mutual authentication is not required or it is determined at 622 that there has not been an authentication failure, a determination is made at 626 as to whether further authentication is required. If further authentication is required, process 600 returns to 610. If further authentication is not required, a connection between the client and the database server is established at 628 and the separate interface is invoked at 630 to free up one or more system resources used to establish the connection and to erase cryptographic information created to establish the connection.
  • If it is determined at 608 that the security mechanism used by the client is a GSSAPI compliant security mechanism, a second interface in the set of specialized interfaces is utilized to retrieve a principal name from a security module at 632. The security module is created by the client to encapsulate the security mechanism used by the client, and the principal name is set by the client in the security module using a first interface in the set of specialized interfaces.
  • At 634, a fourth interface in the set of specialized interfaces is utilized to retrieve a credential from the security module created by the client. The credential is set by the client in the security module using a third interface in the set of specialized interfaces. A fifth interface in the set of specialized interfaces is utilized to retrieve a context from the security module at 636. The context is created by the security module using a combination of the principal name and the credential set by the client.
  • The context is invoked at 638 to obtain security context information created in accordance with the security mechanism used by the client. The security context information, the principal name, and the credential are then transferred to the database server at 640. A determination is made at 642 as to whether an authentication failure notice has been received from the database server. If an authentication failure notice has been received, an error is reported to the client at 644.
  • If no authentication failure notice has been received, a determination is made at 646 as to whether mutual authentication is required. When mutual authentication is required, security context information relating to the database server is authenticated at 648. A determination is then made at 650 as to whether there has been an authentication failure. An error is reported to the database server at 652 if authentication of the security context information relating to the database server has failed.
  • A determination is made at 654 as to whether further authentication is required when it is determined at 646 that mutual authentication is not required or when it is determined at 650 that authentication of the security context information relating to the database server has not failed. Process 600 returns to 638 when further authentication is required. Otherwise, a connection between the client and the database server is established at 656 and the separate interface is invoked at 658.
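The driver structure of FIGS. 3 through 5 and the connect flow of process 600, as an added worked example in Python; this is not code from the patent or from any IBM driver. A non-GSSAPI mechanism is reached through one generic interface, a GSSAPI-style mechanism through the five specialized interfaces of a client-created security module, and a separate interface releases resources and erases key material when the handshake ends. All class and method names, the token formats, the two-round challenge-response used to stand in for a GSSAPI context, the in-memory server and its account data are hypothetical or constructed; the step numbers in comments refer to FIGS. 6A-6C.

```python
"""Added example (not the patent's or any shipping driver's code): a Python model of the
driver above. Names, token formats and the in-memory server are hypothetical."""
import hashlib
import hmac
import secrets

class AuthenticationError(Exception): pass  # to the client (616/644) or after 624/652

def _mac(key, label, nonce):
    return hmac.new(bytes(key), label + b"|" + nonce, hashlib.sha256).digest()

class FakeDatabaseServer:  # constructed stand-in for the DBMS; verifies both token kinds
    PASSWORDS = {"appuser": hashlib.sha256(b"s3cret").hexdigest()}  # constructed account
    KEYS = {"dbuser@EXAMPLE.REALM": b"constructed-shared-key"}      # constructed key
    def __init__(self):
        self._pending = {}  # principal -> challenge awaiting its response
        self.errors = []    # errors the driver reported back to the server
    def authenticate(self, token):  # returns (status, payload); status is OK, CONTINUE or FAIL
        kind, *rest = token
        if kind == "password":
            user, digest = rest
            return ("OK", b"") if hmac.compare_digest(self.PASSWORDS.get(user, ""), digest) else ("FAIL", b"")
        if kind == "gss-init":  # round 1: issue a fresh challenge
            (principal,) = rest
            if principal not in self.KEYS:
                return "FAIL", b""
            nonce = self._pending[principal] = secrets.token_bytes(16)
            return "CONTINUE", nonce
        if kind == "gss-resp":  # round 2: check the client's proof
            principal, proof = rest
            key, nonce = self.KEYS.get(principal), self._pending.pop(principal, None)
            if key is None or nonce is None or not hmac.compare_digest(_mac(key, b"client", nonce), proof):
                return "FAIL", b""
            return "OK", _mac(key, b"server", nonce)  # server's proof, for mutual auth
        return "FAIL", b""
    def report_error(self, msg): self.errors.append(msg)

class PasswordMechanism:  # non-GSSAPI mechanism: one generic interface yields its context info
    gssapi_compliant, mutual_auth_required = False, False
    def __init__(self, user, password):
        self._user, self._password = user, bytearray(password)
    def get_security_context_info(self):  # generic interface (610)
        return ("password", self._user, hashlib.sha256(self._password).hexdigest())
    def release(self):  # separate interface (630): wipe the secret in place
        self._password[:] = b"\x00" * len(self._password)

class Context:  # built by the security module from principal and credential (FIG. 5)
    def __init__(self, principal, credential):
        self._principal, self._credential, self._nonce = principal, credential, None
    def invoke(self, challenge):  # 638: produce the next token for the server
        if challenge is None:
            return ("gss-init", self._principal)
        self._nonce = challenge  # only a proof of the credential leaves the client
        return ("gss-resp", self._principal, _mac(self._credential, b"client", challenge))
    def verify_server(self, proof):  # 648: mutual authentication of the server
        return hmac.compare_digest(_mac(self._credential, b"server", self._nonce), proof)

class SecurityModule:
    """Client-created module exposing the five specialized interfaces (FIG. 4)."""
    gssapi_compliant, mutual_auth_required = True, True
    def __init__(self):
        self._principal, self._credential, self._context = None, None, None
    def set_principal_name(self, name): self._principal = name        # first interface
    def get_principal_name(self): return self._principal              # second interface
    def set_credential(self, key): self._credential = bytearray(key)  # third interface
    def get_credential(self): return self._credential                 # fourth interface
    def get_context(self):                                            # fifth interface
        if self._context is None:
            self._context = Context(self._principal, self._credential)
        return self._context
    def release(self):  # separate interface (658): wipe the key, drop the context
        self._credential[:] = b"\x00" * len(self._credential)
        self._context = None

class DatabaseDriver:
    def __init__(self, server):
        self._server = server
    def connect(self, mechanism):
        """Process 600 (FIGS. 6A-6C); returns the authenticated principal name."""
        context, challenge = None, None
        if mechanism.gssapi_compliant:  # 608: GSSAPI path retrieves name, credential, context
            mechanism.get_principal_name(), mechanism.get_credential()  # 632, 634
            context = mechanism.get_context()                           # 636
        try:
            while True:
                token = context.invoke(challenge) if context else mechanism.get_security_context_info()
                status, payload = self._server.authenticate(token)  # 640 / 612
                if status == "FAIL":  # 642 / 614
                    raise AuthenticationError("database server rejected the credentials")
                if status == "CONTINUE":  # 654 / 626: further authentication required
                    challenge = payload
                    continue
                if mechanism.mutual_auth_required and not context.verify_server(payload):  # 646-650
                    self._server.report_error("server proof did not verify")  # 652 / 624
                    raise AuthenticationError("mutual authentication failed")
                return token[1]  # 656 / 628: connected as this principal
        finally:
            mechanism.release()  # 658 / 630; also on failure, so no key outlives the attempt
```

Two points differ deliberately from the wording at 640: the token sent to the server carries the principal name and a proof derived from the credential, never the raw credential, and the separate interface is invoked from a `finally` so that a rejected or aborted handshake also wipes the key material rather than leaving it in memory.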
  • The invention can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment containing both hardware and software elements. In one aspect, the invention is implemented in software, which includes, but is not limited to, firmware, resident software, microcode, etc.
  • Furthermore, the invention can take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system. For the purposes of this description, a computer-usable or computer-readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
  • The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk, and an optical disk. Current examples of optical disks include DVD, compact disk-read-only memory (CD-ROM), and compact disk-read/write (CD-R/W).
  • FIG. 7 depicts a data processing system 700 suitable for storing and/or executing program code. Data processing system 700 includes a processor 702 coupled to memory elements 704 a-b through a system bus 706. In other embodiments, data processing system 700 may include more than one processor and each processor may be coupled directly or indirectly to one or more memory elements through a system bus.
  • Memory elements 704 a-b can include local memory employed during actual execution of the program code, bulk storage, and cache memories that provide temporary storage of at least some program code in order to reduce the number of times the code must be retrieved from bulk storage during execution. As shown, input/output or I/O devices 708 a-b (including, but not limited to, keyboards, displays, pointing devices, etc.) are coupled to data processing system 700. I/O devices 708 a-b may be coupled to data processing system 700 directly or indirectly through intervening I/O controllers (not shown).
  • In the embodiment, a network adapter 710 is coupled to data processing system 700 to enable data processing system 700 to become coupled to other data processing systems or remote printers or storage devices through communication link 712. Communication link 712 can be a private or public network. Modems, cable modems, and Ethernet cards are just a few of the currently available types of network adapters.
  • By providing the various interfaces in a database driver, a variety of security mechanisms are supported as the database driver is able to utilize the interfaces to retrieve security information that is then authenticated by a database server prior to establishing a connection. In addition, the database driver is able to leverage the interfaces to clean up resources used by the security mechanism after the connection is established. Thus, a polymorphic model that interoperates well with any predefined and user-defined security mechanism is provided.
  • Various implementations for connecting a client to a database server through a database driver have been described. Nevertheless, one of ordinary skill in the art will readily recognize that various modifications may be made to the implementations, and any variations would be within the spirit and scope of the present invention. For example, the above-described process flows are described with reference to a particular ordering of process actions. However, the ordering of many of the described process actions may be changed without affecting the scope or operation of the invention. Accordingly, many modifications may be made by one of ordinary skill in the art without departing from the spirit and scope of the following claims.

Claims (21)

1. A database driver implemented on a computer system to interoperate with multiple security mechanisms, the database driver comprising:
a generic interface operable to interoperate with one or more non-GSSAPI (Generic Security Services Application Programming Interface) compliant security mechanisms; and
a set of specialized interfaces operable to interoperate with one or more GSSAPI compliant security mechanisms,
wherein the database driver is operable to establish a connection between a client and a database server using one of the generic interface or the set of specialized interfaces in relation to a security mechanism used by the client, and
wherein the security mechanism used by the client is operable to ensure the connection between the client and the database server is established in a secure manner.
2. The database driver of claim 1, further comprising:
a separate interface in communication with the generic interface and the set of specialized interfaces, the separate interface being operable to:
free up one or more system resources used to establish the connection between the client and the database server and
erase cryptographic information created to establish the connection between the client and the database server.
3. The database driver of claim 2, wherein the separate interface is invoked in response to establishment of the connection between the client and the database server.
4. The database driver of claim 1, wherein the generic interface is operable to retrieve security context information created in accordance with the security mechanism used by the client, the security mechanism used by the client being one of the one or more non-GSSAPI compliant security mechanisms.
5. The database driver of claim 1, wherein the set of specialized interfaces comprises:
a first interface operable to be utilized by the client to set a principal name in a security module, the security module being created by the client to encapsulate the security mechanism used by the client;
a second interface operable to retrieve the principal name set by the client from the security module;
a third interface operable to be utilized by the client to set a credential in the security module;
a fourth interface operable to retrieve the credential set by the client from the security module; and
a fifth interface operable to retrieve a context from the security module, the context being created by the security module using a combination of the principal name and the credential set by the client,
wherein the security mechanism used by the client is one of the one or more GSSAPI compliant security mechanisms.
6. The database driver of claim 5, wherein the database driver is operable to invoke the context to obtain security context information created in accordance with the security mechanism used by the client.
7. The database driver of claim 1, wherein at least one of the one or more non-GSSAPI compliant security mechanisms is a user-defined security mechanism.
8. The database driver of claim 1, wherein at least one of the one or more GSSAPI compliant security mechanisms is a user-defined security mechanism.
9. The database driver of claim 1, wherein the security mechanism used by the client is a user-defined security mechanism.
10. A computer program product comprising a computer readable medium, the computer readable medium including a computer readable program for enabling a database driver to interoperate with multiple security mechanisms by providing a connection between a client and a database server through the database driver, wherein the computer readable program when executed on a computer causes the computer to:
provide a generic interface in the database driver, the generic interface being operable to interoperate with one or more non-GSSAPI (Generic Security Services Application Programming Interface) compliant security mechanisms;
provide a set of specialized interfaces in the database driver, the set of specialized interfaces being operable to interoperate with one or more GSSAPI compliant security mechanisms; and
provide a connection between the client and the database server using one of the generic interface or the set of specialized interfaces in relation to a security mechanism used by the client,
wherein the security mechanism used by the client is operable to ensure the connection between the client and the database server is established in a secure manner.
11. The computer program product of claim 10, wherein the computer readable program when executed on the computer further causes the computer to:
provide a separate interface in the database driver, the separate interface being in communication with the generic interface and the set of specialized interfaces, wherein the separate interface is operable to:
free up one or more system resources used to establish the connection between the client and the database server and
erase cryptographic information created to establish the connection between the client and the database server.
12. The computer program product of claim 11, wherein the computer readable program when executed on the computer further causes the computer to:
invoke the separate interface in response to establishment of the connection between the client and the database server.
13. The computer program product of claim 10, wherein establish a connection between the client and the database server comprises:
utilize the generic interface to retrieve security context information created in accordance with the security mechanism used by the client, wherein the security mechanism used by the client is one of the one or more non-GSSAPI compliant security mechanisms;
transfer the security context information to the database server; and
establish the connection between the client and the database server responsive to the security context information being authenticated by the database server.
14. The computer program product of claim 13, wherein the computer readable program when executed on the computer further causes the computer to:
report an error to the client responsive to receiving an authentication failure notice from the database server.
15. The computer program product of claim 13, wherein the computer readable program when executed on the computer further causes the computer to:
authenticate security context information relating to the database server responsive to mutual authentication being required; and
report an error to the database server responsive to authentication failure.
16. The computer program product of claim 10, wherein establish a connection between the client and the database server comprises:
utilize a second interface in the set of specialized interfaces to retrieve a principal name from a security module, the security module being created by the client to encapsulate the security mechanism used by the client, wherein the principal name is set by the client in the security module using a first interface in the set of specialized interfaces;
utilize a fourth interface in the set of specialized interfaces to retrieve a credential from the security module, the credential being set by the client in the security module using a third interface in the set of specialized interfaces;
utilize a fifth interface in the set of specialized interfaces to retrieve a context from the security module, the context being created by the security module using a combination of the principal name and the credential set by the client;
invoke the context to obtain security context information created in accordance with the security mechanism used by the client;
transfer the security context information, the principal name, and the credential to the database server; and
establish the connection between the client and the database server responsive to the security context information, the principal name, and the credential being authenticated by the database server,
wherein the security mechanism used by the client is one of the one or more GSSAPI compliant security mechanisms.
17. The computer program product of claim 16, wherein the computer readable program when executed on the computer further causes the computer to:
report an error to the client responsive to receiving an authentication failure notice from the database server.
18. The computer program product of claim 16, wherein the computer readable program when executed on the computer further causes the computer to:
authenticate security context information relating to the database server responsive to mutual authentication being required; and
report an error to the database server responsive to authentication failure.
19. The computer program product of claim 10, wherein at least one of the one or more non-GSSAPI compliant security mechanisms is a user-defined security mechanism.
20. The computer program product of claim 10, wherein at least one of the one or more GSSAPI compliant security mechanisms is a user-defined security mechanism.
21. The computer program product of claim 10, wherein the security mechanism used by the client is a user-defined security mechanism.
US12/144,500 2006-10-04 2008-06-23 Supporting multiple security mechanisms in a database driver Abandoned US20080256089A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/144,500 US20080256089A1 (en) 2006-10-04 2008-06-23 Supporting multiple security mechanisms in a database driver

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/538,518 US7761468B2 (en) 2006-10-04 2006-10-04 Supporting multiple security mechanisms in a database driver
US12/144,500 US20080256089A1 (en) 2006-10-04 2008-06-23 Supporting multiple security mechanisms in a database driver

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US11/538,518 Continuation US7761468B2 (en) 2006-10-04 2006-10-04 Supporting multiple security mechanisms in a database driver

Publications (1)

Publication Number Publication Date
US20080256089A1 true US20080256089A1 (en) 2008-10-16

Family

ID=39275767

Family Applications (2)

Application Number Title Priority Date Filing Date
US11/538,518 Expired - Fee Related US7761468B2 (en) 2006-10-04 2006-10-04 Supporting multiple security mechanisms in a database driver
US12/144,500 Abandoned US20080256089A1 (en) 2006-10-04 2008-06-23 Supporting multiple security mechanisms in a database driver

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US11/538,518 Expired - Fee Related US7761468B2 (en) 2006-10-04 2006-10-04 Supporting multiple security mechanisms in a database driver

Country Status (1)

Country Link
US (2) US7761468B2 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8302154B2 (en) * 2007-11-10 2012-10-30 International Business Machines Corporation Automatic and adjustable system and method for synchronizing security mechanisms in database drivers with database servers
US8284944B2 (en) * 2008-03-13 2012-10-09 International Business Machines Corporation Unified and persistent system and method for automatic configuration of encryption
US8799630B2 (en) * 2008-06-26 2014-08-05 Microsoft Corporation Advanced security negotiation protocol
EP2221694B1 (en) * 2009-02-19 2013-03-27 Siemens Aktiengesellschaft Method for assigning a usage right for a function in an industrial automation system comprising several networked control units and industrial automation system
US9112846B2 (en) * 2013-10-11 2015-08-18 Centrify Corporation Method and apparatus for transmitting additional authorization data via GSSAPI

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5740248A (en) * 1996-11-12 1998-04-14 Cheyenne Property Trust Software level touchpoints for an international cryptography frameworks
US5764949A (en) * 1994-09-29 1998-06-09 International Business Machines Corporation Query pass through in a heterogeneous, distributed database environment
US6144959A (en) * 1997-08-18 2000-11-07 Novell, Inc. System and method for managing user accounts in a communication network
US6292810B1 (en) * 1997-03-03 2001-09-18 Richard Steele Richards Polymorphic enhanced modeling
US6446092B1 (en) * 1996-11-01 2002-09-03 Peerdirect Company Independent distributed database system
US20040141616A1 (en) * 2003-01-17 2004-07-22 Ibm Corporation Security object with encrypted, spread spectrum data communications
US6792113B1 (en) * 1999-12-20 2004-09-14 Microsoft Corporation Adaptable security mechanism for preventing unauthorized access of digital data
US20050005261A1 (en) * 2003-07-02 2005-01-06 Severin William B. Component integration engine
US20050108521A1 (en) * 2003-07-07 2005-05-19 Silhavy James W. Multi-platform single sign-on database driver
US20050198490A1 (en) * 2004-03-02 2005-09-08 Microsoft Corporation Dynamic negotiation of encryption protocols
US20050257051A1 (en) * 2003-08-18 2005-11-17 Philippe Richard Adaptive data transformation engine
US20050278270A1 (en) * 2004-06-14 2005-12-15 Hewlett-Packard Development Company, L.P. Data services handler
US20050289511A1 (en) * 2000-05-12 2005-12-29 David Tucker Information security method and system
US7089584B1 (en) * 2000-05-24 2006-08-08 Sun Microsystems, Inc. Security architecture for integration of enterprise information system with J2EE platform

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6158010A (en) * 1998-10-28 2000-12-05 Crosslogix, Inc. System and method for maintaining security in a distributed computer network
US6687831B1 (en) * 1999-04-29 2004-02-03 International Business Machines Corporation Method and apparatus for multiple security service enablement in a data processing system
EP1067771A1 (en) * 1999-07-05 2001-01-10 CANAL+ Société Anonyme Communications method and apparatus
US6859879B2 (en) * 2000-05-26 2005-02-22 International Business Machine Corporation Method and system for secure pervasive access
US7428752B2 (en) * 2001-06-01 2008-09-23 Applications In Internet Time, Llc Secure data accessing system and method
US8302154B2 (en) * 2007-11-10 2012-10-30 International Business Machines Corporation Automatic and adjustable system and method for synchronizing security mechanisms in database drivers with database servers

Also Published As

Publication number Publication date
US20080086472A1 (en) 2008-04-10
US7761468B2 (en) 2010-07-20

Similar Documents

Publication Publication Date Title
US9288201B2 (en) Disconnected credential validation using pre-fetched service tickets
US20170302656A1 (en) Device-Level Authentication with Unique Device Identifiers
US10750364B2 (en) Single sign-in for IoT devices
US20080141350A1 (en) Authentication for computer system management
AU2018250465A1 (en) Secondary device as key for authorizing access to resources
EP2741214B1 (en) Data storage system and method for security information interaction
US20090031405A1 (en) Authentication system and authentication method
US10795581B2 (en) GPT-based data storage partition securing system
US7540416B2 (en) Smart card authentication system with multiple card and server support
US8284944B2 (en) Unified and persistent system and method for automatic configuration of encryption
US7761468B2 (en) Supporting multiple security mechanisms in a database driver
JP2009258917A (en) Proxy server, authentication server, and communication system
US8176533B1 (en) Complementary client and user authentication scheme
CN1601954B (en) Moving principals across security boundaries without service interruption
CN101714920A (en) Authority management system centralizing a plurality of service account numbers and method thereof
JP4748763B2 (en) Information processing apparatus, control method for information processing apparatus, program, and storage medium
CN105848148A (en) WIFI connection method, terminal and router
US20030101340A1 (en) Interconnecting device, computer readable medium having communication setting program, and communication setting method
US7606917B1 (en) Method, apparatus and system for principle mapping within an application container
US10454920B2 (en) Non-transitory computer-readable recording medium, connection management method, and connection management device
US20240086920A1 (en) Intermediary-enhanced granular consent management
US10936510B2 (en) Locking key secondary access system
US20220337583A1 (en) Authentication system
CN114117373B (en) Equipment authentication system and method based on secret key
CN105262721A (en) Account authentication method and authentication device

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GAO, HUAXIN;LEE, BILUNG;OSTLER, PAUL A.;REEL/FRAME:021137/0610;SIGNING DATES FROM 20060928 TO 20061002

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION