A SYSTEM AND METHOD FOR ADMINISTRATING A PLURALITY OF COMPUTERS
Field of the Invention
The present invention relates to the field of computer administration. More particularly, the invention relates to a system and method for administrating a plurality of computers.
Background of the Invention
The term computer center refers herein to the administration of a plurality of computers, of possibly differing types and operating systems, which may execute a variety of applications.
The following represent certain aspects to this problem:
Ease of administration. Due to the variety of computer types, Operating Systems (OS) and applications, a computer center maintaining a plurality of computers has compound administrative and maintenance difficulties.
Authentication of the Sysadmin. Administration tasks should be performed only by authorized personnel, and hence the authentication mechanism of the Sysadmin (system administrator) should be as secure as possible.
Decentralized administration. Since each computer is an independent entity, a Sysadmin has to interact with the computer from the monitor, the keyboard and the mouse of this computer.
This subject has already been discussed extensively in the prior art. According to the prior art, the solution to the above mentioned problems involves using a centralized administration station, upon which a Sysadmin can administrate and perform maintenance activities on a plurality of computers. Such a station usually comprises an application being executed on a computer, which is used, or even dedicated, for the purpose of administration. However, the administration activity cannot continue whenever the computer that hosts the administration application fails.
Some management schemes use a central management interface for managing a plurality of computers, and a local management interface for each computer system. In such cases, every update of the administration parameters of a computer should be applied to both interfaces.
Typically, the central administration system is oriented towards a specific operating system. However, data centers usually have computers with various operating systems, and therefore have various administration tools. Each tool may have its own capabilities and methods for performing several tasks, and therefore the administrator's operation involves training and mastery of each tool.
Usually, the administration activity is performed through a secured communication channel between the central administration station and the administrated computers. Using this type of communication, whenever the central administration application logs on a computer, the Sysadmin is notified by some distracting messages. Moreover, the Sysadmin has to install a suitable SSL certificate on each computer.
In the prior art, central management systems are usually one of the following:
Central management system that runs on a central computer, and through which the administration of the rest is carried out. The Sysadmin logs on to this system, and manages through it. This means that:
If the Sysadmin wishes to use a secured connection, the management system should have its own SSL.
The system should be available to the Internet, thus requiring an IP address.
The system is usually limited to a specific operating system. Moreover, such administration systems are provided as a complementary product of the operating system developer.
General-purpose system, which uses the "least common denominator" of all the administrated computer systems. In this case, administration features that are not a part of the common denominator have to be carried out by other means, which usually are not provided by the developer of the administration system.
Plugging-in management extensions. In this case, each administrated computer system has its own management panel (implemented by the manufacturer), that usually differs from the others. Moreover, there is no simple way to obtain a global report about the administrated computers, as each system enables accessing the same information in another way.
Sometimes, the management system acts as a front panel which, upon selection of a computer, redirects the user to the destination computer. However, in this case the browser warns that the connection is using a computer that differs from the one with which the session is performed (and there are many such warnings if the Sysadmin switches between the managed computers).
It is therefore an object of the present invention to provide a system and method for administrating a plurality of computers which overcomes the drawbacks of the prior art.
It is another object of the present invention to provide a system and method for administrating a plurality of computers on which the administration activity is simplified in comparison with the prior art.
It is a further object of the present invention to provide a system and method for administrating a plurality of computers, on which the administration activity can be carried out from a variety of computers and operating systems.
It is a still further object of the present invention to provide a system and method for administrating a plurality of computers, on which the administration of all the administrated computers is carried out via the same user interface.
It is a still further object of the present invention to provide a system and method for administrating a plurality of computers on which a secured communication channel can be held between the central administration station and the administrated computers.
It is a still further object of the present invention to provide a system and method for administrating a plurality of computers, wherein the Sysadmin can access the management functionality from any of the managed computers.
Other objects and advantages of the invention will become apparent as the description proceeds.
Summary of the Invention
In one aspect, the present invention is directed to a method for administrating by a Sysadmin a group of computers interconnected by a data network, comprising:
For each of the computers of the group, providing an agent, being a software module having access to the data network and having access to the computer's system utilities / application program, for communicating with the agent of each computer of the group via the network; and for invoking commands to the operating system and/or system utilities;
Determining one or more gate computer(s), being computer(s) of the group, provided with a user interface through which the Sysadmin can interact with the agent being provided to the computer;
Inputting a command for administrating one or more of the computers, by the Sysadmin through the user interface of a gate computer, and forwarding the command by the agent of the gate computer to the agent(s) of the destination computer(s), being the computer(s) on which the command(s) are intended to be carried out;
Invoking by the agent(s) of the destination computer(s), the system utility / application program that performs the command, and accepting a response, being acknowledgment / feedback / output from the utility / application, by the agent;
Forwarding the response from the agent of the destination computer to the agent of the gate computer; and
Presenting to the Sysadmin the response through the user interface of the gate computer.
The method may further comprise an administration policy, being the definition of permissions for carrying out the commands of the Sysadmin for each of the computers.
The method may further comprise an administration manager, being a software module through which the commands are passed before reaching the destination computer(s), for modifying the commands according to the policy.
According to one embodiment of the invention, the user interface is applied by Web page(s) displayed by a browser to the Sysadmin.
The communication between the browser and the gate computer may be carried out via a secured communication channel. The communication between the agents may also be carried out via a secured communication channel. The secured communication channel may be achieved by the means of SSL.
According to one embodiment of the invention, one or more of the computer(s) of the group are of different type than the other, and/or one or more of the computer(s) have different configuration(s), and/or one or more of the computers is/are executing different application(s) than the other.
One or more of the computers may be virtual dedicated server(s) or used for hosting a plurality of virtual dedicated servers.
Optionally, the commands are provided by the Sysadmin in an operating system independent language, and translated to the syntax of the corresponding system utility by the administration agent(s).
The data network may be the Internet, the Intranet, and WAN.
In another aspect, the present invention is directed to a system for administrating by a Sysadmin a group of computers interconnected by a data network, comprising:
For each of the computers, memory for storing an agent, being a software module having access to the data network, for communicating between the computers of the group via the network;
For one or more of the computers, a Web server for connecting the agent to a Web browser through the data network.
A user interface, through which the Sysadmin issues commands for administrating the computers.
The system may further comprise memory for storing an administration manager, being a software module through which command(s) sent by the Sysadmin are modified to correspond to an administration policy before redirecting to the destination computer(s), being the computer(s) on which the command(s) are intended to be carried out.
According to one embodiment of the invention, the user interface is applied by Web page(s).
Brief Description of the Drawings
The above and other characteristics and advantages of the invention will be better understood through the following illustrative and non-limitative detailed description of preferred embodiments thereof, with reference to the appended drawings, wherein:
Fig. 1 schematically illustrates the data flow in a cluster, according to a preferred embodiment of the invention.
Fig. 2 schematically illustrates the components of a system for administrating a plurality of computers, according to a preferred embodiment of the invention.
Fig. 3 schematically illustrates the data flow in a cluster, according to another preferred embodiment of the invention; and
Fig. 4 schematically illustrates the components of a system for administrating a plurality of computers, according to another preferred embodiment of the invention.
Detailed Description of Preferred Embodiments
In order to facilitate the reading of the description to follow, a number of terms and acronyms are defined below:
HTTP (HyperText Transport Protocol) is the communications protocol used to connect to servers on the World Wide Web. Its primary function is to establish a connection with a Web server and transmit HTML pages to the client browser. Addresses of Web sites begin with an "http://" prefix.
Client/server describes the relationship between two computer programs in which one program, the client, requests a service from another program, the server, which fulfills the request. In a network, the client/server model provides a convenient way to interconnect programs that are distributed efficiently across different locations.
A Web Browser is a software program that allows people to access the World Wide Web. Internet Explorer (of Microsoft) and Netscape Navigator are the two most popular Web browsers.
A Web page (document) is a specially formatted document that a user can view in his Web browser. Common languages for Web pages are HTML, JavaScript and Vbscript.
An Application program is a program designed to perform a specific function directly for the user or, in some cases, for another application program. Applications use the services of the computer's operating system and other supporting applications. The formal requests and means of communicating with other programs that an application program uses is called the API (Application Program Interface).
User interface is the means with which a human being can interact with a system. In computer technology it includes a display screen, keyboard, mouse, light pen, the appearance of a desktop, illuminated characters, help messages, how an application program or a Web site invites interaction and responds to it, and so forth.
Graphical User Interface (GUI) is a user interface for interacting with a computer program which uses pictorial buttons (icons), menus and command lists controlled by a mouse. It is generally regarded as simpler and easier to learn than command line interfaces, where commands have to be typed. Examples include MS WINDOWS for PCs, Open Look, MOTIF, CDE, KDE or GNOME for workstations and OS X for Macintosh.
A Web server is a program that, using the client/server model and the HTTP, serves the files that form Web pages to Web users (whose computers contain HTTP clients that forward their requests). Every computer on the Internet that contains a Web site must have a Web server program in order to let other users see that site.
A well-known port refers herein to a protocol port that is widely used for a certain type of data on the network. For example, HTTP is typically assigned port 80, FTP transfer port 20, POP3 port 110, and X-Windows port 6000.
Java is a programming language designed for use in the distributed environment of the Internet. Java can be used to create complete applications that may run on a single computer or to be distributed among servers and clients in a network. It can also be used to build a small application module or applet for use as part of a Web page. An applet can be sent along with a Web page to a user. Java applets can perform interactive animation, immediate calculations, or other simple tasks without having to send a user request back to the server.
Secure Sockets Layer (SSL) is a commonly used protocol for managing the security of a message transmission over the Internet. SSL uses a program layer located between the HTTP and Transport Control Protocol (TCP) layers. Currently, SSL is included as part of both the Microsoft and Netscape browsers and most Web server products. SSL uses the public-key and private-key encryption system from RSA, which also includes the use of a digital certificate.
Operating System is the master control program that runs the computer. The first program loaded when the computer is turned on, its main part, the kernel, resides in memory at all times. Services provided by an operating system to application programs and users are referred herein as System utilities. For example, file services (such as open, close, retrieve, etc.), communication services, task management, etc.
Socket is the mechanism with which a computer system creates a connection to the outside world via a TCP/IP network. A socket is associated with an IP address and a port number.
The activity of administrating a computer refers herein to accounts management (i.e., opening accounts, updating the attributes of an account, and deleting accounts), resource management of the computer (such as managing the swap size), resource sharing with other computers (such as disk exporting and importing), security management (for example granting access to some information from other systems), software management (configuring the Web server parameters, or mail software ones), viewing system logs, etc. The administration activity is carried out by a person called Sysadmin.
The cluster
The term Cluster refers herein to a group of computers administrated via a single computer. The computer through which the administration is carried out may be one of the computers of said group or another computer that is not a part of said group. The computers within a cluster may be of different operating systems, different configurations, and may run different applications.
The roles of the modules involved in administrating a cluster
Fig. 1 schematically illustrates the data flow in a cluster, according to a preferred embodiment of the invention. The cluster comprises the computers 11, 12, 13 and 14, which are in communication with the Internet. The Sysadmin carries out the activities of the administration via an Internet browser 60.
The computer within a cluster that concentrates the administration session is referred herein as Administration computer, and marked in Figs. 1 and 2 as 11.
The functions carried out by the administration computer are authenticating the Sysadmin and performing administration activities that concern the cluster level, such as gathering the information required for reports from the computers participating in the cluster.
It should be noted that each of the computers of a cluster might be administrated individually. However, according to this embodiment of the invention, administrating the whole cluster is carried out through the administration computer. Hence, the administration of the cluster is carried out according to an administration policy, which is the protocol for carrying out certain commands by the Sysadmin of the cluster for each of said computers.
The administration activities in the cluster level can be, for example, obtaining a report regarding the administrated computers of a cluster, copying files from one computer to another computer within a cluster, adding a computer to the cluster, and so forth.
The software module that carries out the above-mentioned activities is referred herein as manager program. Actually, the manager program can be executed on every computer of the cluster.
The computer within a cluster through which the Sysadmin holds a communication session in order to carry out the administration session is referred herein as the Gate Computer, and marked in Figs. 1 and 2 as 14. Any computer within a cluster may be the gate computer.
The computer(s) within a cluster to which an administration command is directed is referred herein as Destination computer, and marked in Fig. 2 as 12.
Actually, the gate computer does not necessarily have to be a computer dedicated only to this purpose, but may be a computer that, among its other services, is used as a gate computer for the cluster.
Fig. 3 schematically illustrates the data flow in a cluster, according to another preferred embodiment of the invention.
Fig. 4 schematically illustrates the components of a system for administrating a plurality of computers, according to another preferred embodiment of the invention.
The gate computer 14 hosts the manager, hence is used as an administration computer.
Intercommunicating between the computers of a cluster
The computers of a cluster intercommunicate via a software module, referred herein as an administration agent or agent. Since the agents have to communicate only with other agents among the group, they can implement a special protocol, which preferably is not standard. In case of a standard protocol, some additional parameter may be used, such as a private key, in order to prevent external programs from using it.
As illustrated in Figs. 1 and 2, each administration command is sent from the Sysadmin's browser 60 to the administration computer 11 via the gate computer 14, regardless of its destination, and from the administration computer 11 to the destination, which in this case is computer 12. Of course, the destination computer can be as well the gate computer 14 or the administration computer 11.
The security can be improved by enabling communication to take place only between the cluster members and the cluster manager program 41. This option is more secure, as the cluster manager program 41 can monitor every request, and can block an un-authorized request.
Typically, each computer within a cluster runs a Web server. The communication session between the browser of the Sysadmin and the Web server of the gate computer is carried out via, preferably, secured HTTP over the Internet. In addition, the computers participating in a cluster may also intercommunicate via HTTP protocol over the Internet, but, preferably, they intercommunicate in a different protocol, which is not standard. The exact communication protocol and data encoding are kept uniform throughout the server cluster.
The commands that are passed between the computers are in an OS-independent language, as explained hereinafter.
The computers of a cluster can intercommunicate in two ways:
Via a dedicated socket, and hence make use of any port, rather than a well-known port;
Via the HTML socket, which makes use of the well-known port 80.
Typical operations carried out by administration computers are:
Management operations that involve several computers. Unlike reports, which are generated by running the same command on some or all the computers of a cluster, and collecting the information to one screen or printout, the reference here is to operations that involve "non-symmetric" operations, e.g., moving a NDS (the term is explained hereinafter) from one computer to another.
Events reporting on events in the cluster (such as a computer that is added to or removed from the cluster).
Gateway to other services for the computers within the cluster. For example, connection to the DNS (Domain Name Server). It encapsulates these services in the "OS-independent" format (and product independent format), thus eliminating the need for using the specific language of these tools. For DNS, for example, it is a significant advantage since the DNS is designed to be operated by editing a text file with a complex format.
Secured communication channel
As mentioned above, there are two major communication channels:
Between the Sysadmin's browser and the gate computer; and
Between the computers of a cluster.
Since information exchanged between the Sysadmin's browser and the gate computer is passed through standard HTTP files, the encoding scheme should also be carried out by standard security means, such as SSL. However, the intercommunication between the computers of a cluster can be carried out by a different security scheme, such as a one-time password, etc. Therefore, a higher security level can be obtained.
As was discussed before, communication may be enabled only between the cluster members and the computer hosting the manager program 41. This embodiment is more secure, since the manager program 41 can monitor every request, and block un-authorized requests.
Intercommunicating between the computers of a cluster may be carried out by the same key. Alternatively, a different key may be used between each two computers in a cluster.
The above mentioned examples were only for the sake of brevity. Those skilled in the art will appreciate that a variety of encryption methods and secured communication channels can be implemented for intercommunicating between a cluster.
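The following added example, which is not part of the original specification, shows one way the inter-agent channel described above could be restricted: each agent shares a different key with the manager, accepts only messages the manager sealed for it, and refuses a message it has already seen. The message layout, the names Manager, Agent and try_accept, and the use of HMAC-SHA256 with a single-use nonce are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

MANAGER = "manager-41"  # assumed peer label, borrowed from the figure numeral


class Agent:
    """Destination-side agent that accepts commands only from the manager."""

    def __init__(self, name, pair_key):
        self.name = name
        self.pair_key = pair_key   # secret shared by this agent and the manager only
        self.seen_nonces = set()   # nonces already used, kept to refuse replays

    def accept(self, envelope):
        """Return the command if the envelope is authentic, else raise."""
        body = envelope["body"].encode()
        expected = hmac.new(self.pair_key, body, hashlib.sha256).hexdigest()
        # Verify the tag before parsing anything the sender controls.
        if not hmac.compare_digest(expected, envelope["tag"]):
            raise PermissionError("bad tag")
        msg = json.loads(body)
        if msg["sender"] != MANAGER or msg["dest"] != self.name:
            raise PermissionError("unexpected peer")
        if msg["nonce"] in self.seen_nonces:
            raise PermissionError("replayed message")
        self.seen_nonces.add(msg["nonce"])
        return msg["command"]


class Manager:
    """Holds one key per enrolled agent (a different key for each pair)."""

    def __init__(self):
        self.pair_keys = {}

    def enroll(self, agent_name):
        key = secrets.token_bytes(32)
        self.pair_keys[agent_name] = key
        return Agent(agent_name, key)

    def seal(self, dest, command):
        body = json.dumps(
            {"sender": MANAGER, "dest": dest,
             "nonce": secrets.token_hex(16), "command": command},
            sort_keys=True,
        )
        tag = hmac.new(self.pair_keys[dest], body.encode(),
                       hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


def try_accept(agent, envelope):
    """Helper for the demonstration: the command, or the refusal reason."""
    try:
        return agent.accept(envelope)
    except PermissionError as exc:
        return str(exc)


if __name__ == "__main__":
    mgr = Manager()
    agent12 = mgr.enroll("computer-12")   # constructed cluster members
    agent13 = mgr.enroll("computer-13")
    env = mgr.seal("computer-12", {"verb": "disk_usage"})
    print(try_accept(agent13, env))   # sealed under another pair's key
    print(try_accept(agent12, env))   # authentic, first delivery
    print(try_accept(agent12, env))   # same envelope delivered again
```

With a single key shared by the whole cluster, the first call would succeed on computer-13 as well; the per-pair keys are what confine a leaked key to one link.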
Embodying the cluster administration concept
Fig. 2 schematically illustrates the components of a system for administrating a plurality of computers, according to a preferred embodiment of the invention. The gate computer 14 comprises a Web server 44 through which the administration computer 11 communicates with the Internet utilizing communication links 50, and an administration agent 31. The administration agent 31 can operate as a server according to the client/server model.
Upon receiving a command from the Sysadmin's browser 60 through Web server 44, a request for service is directed by the Web server 44 to the administration agent 31. The manager program 41 handles the command by analyzing the command in order to detect the destination computer, which in this case is 12, and forwards the request to the administration agent 32 of the destination computer 12. The administration agent 32 invokes the appropriate system utility 42, and the system utility 42 performs the command, with the appropriate parameters. Actually the manager program 41 and the administration agent 31 can be the same software module.
The system utility 42 sends a reply / acknowledgment to the administration agent 32 (the caller). The administration agent 32 sends the reply / acknowledgment to the administration agent 31, and the administration agent 31 sends the reply / acknowledgment to the Sysadmin 60 via administration agent 34 and web server 44 of the gate computer 14. According to a preferred embodiment of the invention the reply / acknowledgment is converted to, or embedded in, an HTML page by the manager program 41, or the administration agents 31 or 32.
It should be noted that a Java applet that runs in the browser might be involved as well. In this case, the communication is not carried out through HTTP, but through a proprietary protocol between the Java applet and the administration agent. However, the rest of the process (performing locally or passing to the other computer) remains the same.
It should be noted that the cluster manager program 44 is actually a program that "listens" (via the administration agent 31) on port 80, for requests that arrive to the administration computer (typically in a protocol dedicated for this purpose). Generally, it can listen on any port, using any protocol. However, port 80 is preferable, as network security means (such as firewalls) might block any other port number, while port 80 is usually unblocked.
In general, the cluster manager program 44 can be executed on any of the computers of a cluster, together with the respective administration agent. However, since in such scenarios both the cluster manager program 41 and the Web server 44 use the same socket (e.g., port 80), they cannot use the same IP simultaneously. This obstacle can be overcome by applying a different IP to the cluster manager program 41 and to the respective administration agent, and by installing them on a machine that comprises two IPs.
Moreover, one can later move the cluster manager program 41 to its own machine together with its IP, in a manner transparent to all the computers in the cluster. Alternatively, the information can be moved to some special "cgi" (Common Gateway Interface) scripts that would manage the communication flow in each case. For example, one may use the cgi script http://1.2.3.4/cgi-bin/agent.cgi to manage communication destined to the respective administration agent, and another cgi script http://1.2.3.4/cgi-bin/cluster-manager.cgi to manage communication destined to the cluster manager program 41. In such an implementation the Web server 44 passes the information to the respective program utilizing the cgi scripts. This option enables using only one IP, but moving the cluster manager to its own machine would require updates to all the computers in the cluster.
When using the Java solution, the following scenario occurs:
The browser connects to the Web server, and loads a Java applet.
The browser runs the applet that opens a new socket on the server (this socket is associated with the agent), and from this point on it interacts with the agent over this socket.
Of course, in this way the applet can also interact with the agent using HTTP requests passed through the Web server, and then to reach the agent.
The cluster manager program 41 can also administrate operations that involve more than one computer in a given cluster. These operations can involve running the same command on all of the computers (for example - making a report of all the users that exist on all the computers in the cluster), or performing operations that involve some of the computers (for example - moving a user with all his files from one computer to the other).
The request/service loop
According to one embodiment of the invention, a request/service loop comprises the following stages (referring to Fig. 2):
a) An administration command sent from the browser 60 of the Sysadmin (in secured HTTP) arrives at the Web server 44 of the gate computer 14.
b) The Web server 44 sends the command as a client to the administration agent 34 of the gate computer 14.
c) The administration agent 34 forwards the command to the administration agent 31 of the administration computer 11.
d) The administration agent 31 analyzes the command in order to detect the destination computer i.e. the computer on which the administration command should be performed, which in this example is 12.
e) If required, the administration agent 31 initiates a query to the cluster management 41, in order to retrieve the list of computers that it can interact with, and the appropriate method to do it (including IP, authentication information, etc.). Once the administration agent 31 receives the relevant information — it can pass the request to the appropriate computer.
f) The administration agent 31 forwards the command to the administration agent 32 of the destination computer 12. The communication between the administration agents 31 and 32 is typically carried out by a separate socket. Also, the SSL key used for the communication between the administration agents is different than the SSL key used between the Sysadmin's browser 60 and the gate computer 12.
g) The administration agent 32 of the destination computer 12 analyzes the command, and invokes the appropriate system utility 42 of the computer 12. Of course, the system utility 42 may be an application, script, and so forth.
h) According to the result of the system call, the system utility 42 returns the answer / acknowledgment to the caller, which in this case is administration agent 32.
i) The administration agent 32 forwards the reply to the administration agent 31.
j) The administration agent 31 sends the reply to the administration agent 34.
k) The administration agent 34 converts the reply to a Web page, and forwards it to Web server 44.
l) The Web server 44 sends the Web page to the browser 60.
The communication described in steps (a) to (l) can be carried out via the Internet over communication links 50.
According to another embodiment of the invention, instead of returning a Web page for each request for service, a Java applet is embedded in the first page sent to the Sysadmin's browser, and from this point on the Java applet communicates with the gate computer 14. This solution is preferable since instead of returning a whole Web page, only the parts to be changed are returned to the browser. In this case, the administrator can inform the Java applet about the other computers that exist, and therefore the Java applet can decide what computer to direct the request to, according to the correct source of information. It should be understood that the communication continues to be via the original gate computer 14.
It should be noted that the destination computer might be the gate computer as well as any other computer in the cluster. Whenever the destination computer is the gate computer, the administration agent on the gate computer invokes its system utility / program / script rather than directing the request for service to another computer.
The same applies to retrieving information, and thus the cluster enables compiling a common report (like network traffic or disk usage, for example) that covers all the computers within a cluster, regardless of the underlying operating system.
The cluster management computer also allows for the performing of operations on several computers, such as a user that communicates with the cluster via more than one computer.
An Operating system independent command language
According to a preferred embodiment of the invention, requests for an administration service are converted in the request chain to a special command language that the administration agent interprets to suit the destination computer's syntax. The "request chain" in general consists of the Java applet or the administration agent 34 of the gate computer, the administration computer 11 or the destination computer 12. This way, computers of different operating systems can be administrated via a system-independent command language.
Using an OS-independent language
According to one embodiment of the invention, a request for administration service can be provided by the Sysadmin in an "OS-independent" language (Operating System independent language). For example, the Sysadmin may issue queries like "what is the disk usage of computer 234", which is interpreted accordingly into a "df" command in a Unix-based computer.
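The following sketch is an added illustration, not part of the original specification. It shows one way an administration agent could translate an OS-independent request into the destination computer's own command while accepting only known verbs and validated arguments. The verb names, the inventory, the Windows commands and the validation patterns are assumptions; only the mapping of a disk usage query to "df" on a Unix-based computer comes from the text.

```python
import re

# Constructed inventory: computer id -> operating system family.
INVENTORY = {"234": "unix", "235": "windows"}

# verb -> OS family -> (argv template, pattern each argument must match).
# Only disk_usage -> df on Unix is taken from the text; the rest is assumed.
TABLE = {
    "disk_usage": {
        "unix": (["df", "-k", "{path}"], {"path": r"/[A-Za-z0-9_./-]*"}),
        "windows": (["fsutil", "volume", "diskfree", "{path}"],
                    {"path": r"[A-Za-z]:"}),
    },
    "list_processes": {
        "unix": (["ps", "-e"], {}),
        "windows": (["tasklist"], {}),
    },
}


def translate(verb, computer, args=None):
    """Return the argv list the agent on `computer` would execute."""
    args = args or {}
    os_family = INVENTORY.get(computer)
    if os_family is None:
        raise ValueError(f"unknown computer {computer!r}")
    try:
        template, validators = TABLE[verb][os_family]
    except KeyError:
        raise ValueError(f"verb {verb!r} not allowed on {os_family}") from None
    if set(args) != set(validators):
        raise ValueError(f"{verb} expects arguments {sorted(validators)}")
    for name, pattern in validators.items():
        if not re.fullmatch(pattern, args[name]):
            raise ValueError(f"argument {name}={args[name]!r} rejected")
    # Each template element becomes exactly one argv element, so a value
    # cannot add options or further commands; the list is meant to be
    # executed without a shell, e.g. subprocess.run(argv).
    return [part.format(**args) for part in template]


if __name__ == "__main__":
    print(translate("disk_usage", "234", {"path": "/var"}))
```
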
The GUI
According to a preferred embodiment of the invention, from the Sysadmin's point of view, the administration interface is a Web site. Thus, the Sysadmin's browser receives Web pages (and hence Java Applets as well) as input.
In order to support this interface, each computer that is used as a gate computer to the cluster administration has to run a Web server. An application program (usually the administration agent) sends through the Web server the Web pages to the Sysadmin's browser.
Of course, the Web server may be used for Web hosting, as well.
Before entering the administration level, the Sysadmin should be authenticated; thus, a list upon which the authentication will be carried out should be accessible to the GUI application program. Of course, the list can be stored in any computer in the cluster since the computers of a cluster interact. However, if the computer that stores the list fails, an administration session may have difficulty in being initiated. In order to prevent this situation, some or all of the computers of a cluster may comprise a copy of the authorization list.
Another solution is maintaining a central directory for the authentication information, which all the computers in a cluster are able to access. This directory might involve a high-availability solution (such as a backup computer) in order to prevent a single point of failure.
Typically, the authorization list comprises a user name and password for each authorized Sysadmin. The authorization list may comprise additional information upon which the Sysadmin can be authenticated whenever he forgets his password and/or for providing a higher security level. This information can be his driving license number, his pet's name, etc. Of course, the authentication can be carried out using any authentication method known in the art.
After the Sysadmin is authenticated, the GUI application permits performing of further administration activities, such as adding new accounts to the computer, and so forth. All these operations are validated according to the relevant user's permissions in the system, as there might be several levels of administration, each with its own allowed activities.
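The following sketch is an added illustration, not part of the original specification. It shows an authorization list entry that can be copied to several computers of a cluster without holding the password itself, together with the per-level check applied to each operation after authentication. The level names, the operation names, the sample user and the PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for PBKDF2-HMAC-SHA256

# Assumed administration levels and the operations each level may perform.
LEVELS = {
    "operator": {"disk_usage"},
    "admin": {"disk_usage", "add_account", "move_vds"},
}


def make_entry(password, level):
    """Build a list entry holding a salted hash instead of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "level": level}


def authenticate(auth_list, user, password):
    """Return the Sysadmin's level, or None if authentication fails."""
    entry = auth_list.get(user)
    # Hash even for unknown users so response time does not reveal names.
    salt = entry["salt"] if entry else b"\0" * 16
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if entry and hmac.compare_digest(digest, entry["hash"]):
        return entry["level"]
    return None


def authorize(level, operation):
    """Validate one operation against the level's allowed activities."""
    return operation in LEVELS.get(level, set())


# Constructed sample list, as it might be replicated across the cluster.
AUTH_LIST = {"sysadmin1": make_entry("constructed-sample-password", "operator")}

if __name__ == "__main__":
    level = authenticate(AUTH_LIST, "sysadmin1", "constructed-sample-password")
    print(level, authorize(level, "add_account"))
```
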
Implementing the invention for a cluster of VDSes
According to copending Israeli Patent Application No. 147560 of the same applicant herein, an emulation of a computer system in which a remote client can access its system utilities and programs is referred to as a Virtual Dedicated Server (VDS).
According to one embodiment of the invention, a group of VDSes can be administrated as a cluster, regardless of whether the VDSes reside on the same computer or not. In such an embodiment, one agent is active on each computer within the cluster, and this agent manages all the VDSes on that computer, and is also capable of creating new VDSes, and removing existing ones. According to another preferred embodiment of the invention, every computer in the cluster comprises one agent, that manages all the VDSes that reside on the computer.
From the cluster's Sysadmin point of view, it is more convenient to administrate the cluster from one computer / VDS than to log-out of one VDS / computer, and log-in to another one whenever he wishes to carry out administration activities on another computer. Moreover, due to its nature, a VDS may be moved from one computer to another. According to the method described herein, this can be carried out by an appropriate administration command, e.g. "Move VDS 234 from computer X to computer Y".
In certain configurations it may be preferable to host the manager program 44 on the gate computer 14, as exemplified in Figs. 3 and 4. In such a configuration, the manager program 41 and the Web server 44 operate on the gate computer 14, with the respective administration agent 34. It is also possible, in such a configuration, to enable communication only between the cluster members and the cluster manager program 41.
The benefits of the solution
The benefits obtained by the invention are:
Security: the information exchanged between the Sysadmin's browser and the gate computer, and the information exchanged among the computers within a cluster, can be conveyed over a secured communication channel, and consequently, a higher security level is achieved.
Simple administration: Since the Sysadmin does not have to deal with a variety of operating systems and applications, the training period is shorter than the average period required by the prior art systems.
Quick recovery from a computer fault: Since every computer of a cluster can be a gate computer, whenever a computer within a cluster fails, the Sysadmin can use an alternate computer in the cluster for administration purposes.
The SSL certificate can be installed only on some of, rather than on all of, the computers within a cluster. This saves SSL certificates, and consequently it is unnecessary to install and manage the SSL certificates on all the machines. Thus, the system of the invention is simpler and more economical.
The above examples and description have of course been provided only for the purpose of illustration, and are not intended to limit the invention in any way. As will be appreciated by the skilled person, the invention can be carried out in a great variety of ways, employing more than one technique from those described above, all without exceeding the scope of the invention.