CN103853949A - Method for identifying identity of user on heterogeneous computer environment - Google Patents

Abstract

The invention relates to a method for identifying an identity of a user on a heterogeneous computer environment. The method comprises the following steps of defining a group of unique prefixes, and determining one type of user resource base of each prefix; defining a group of abstract resource base names, and enabling the name of each abstract resource base to indicate the address of each user resource base; verifying the user on a heterogeneous computer, and distributing a sequence, wherein the sequence contains one unique prefix, a reference of the name of each abstract resource base, and a unique identifier of each abstract resource base for indicating the user in the resource base.

Description

On the computer environment of an isomery, carry out the method for subscriber authentication

Technical field

The present invention relates to the method for carrying out subscriber authentication on the computer environment of an isomery.

Background technology

If task is authorized operation in the computer environment of isomery, the inconsistency of heterogeneous system will become huge problem.For this reason, the authentication information of known users must be by transmitting someway.The method makes the system receiving must recognize these authentication informations.Therefore, it must with other people more specific authentication information, these authentication informations must be significant, instead of data just.Only understand authentication information recipient, he just can take further subscriber authorisation action.Shining upon a user ID (a computer environment part wherein) can only partly deal with problems to another user ID, because each mapping process can cause the loss of information,, wherein user may authenticate oneself once in the global context of computing machine.Therefore, In view of the foregoing, the certification that improves user in the urgent need to.

Typical computer system needs user oneself to carry out authentication to system conventionally.Authentication is the technical condition precedent that user carries out any mandate.The network that only has computer system or be made up of computer system can carry out authentication to user, determines his identity, and user just can be authorized to carry out some operation, as added on network, and amendment or deletion data.Internet era before, user's identity is only for the space limited, normally single computing machine.For example, in the enough single computer of a user resource base (a, ldap directory), all users carry out authentication.But, along with the development of computer network, only have and use the no longer enough of a single user resource base.Therefore the future development that, concept is also carried out authentication on the whole computer environment toward for being made up of multiple computer systems.One of them example is the model of the current dynamic catalogue of Microsoft, and wherein multiple territories are combined in one " forest ".Under such theory, the domain name before actual user ID is enough to represent a unique mark.

But current most computer environment is not same structure, except using replaceable hardware and software, and these software and hardwares use different certification policys.In dynamic catalogue, be " asia zli " such as, user uses MS program verification oneself.ID on unix system is " en=Zhen Li, ou=users, ou=China, dc=asia, dc=company, dc=com ".Another one example is Windows NT: user is represented by a SID (secure identifier) therein.SID be one

Unique numerical value that can overall authenticated in Windows territory.The form of SID can be identified by the mankind and by the software processing of non-Windows, look similar:zli@myorg.com

And in Lightweight Directory Access Protocol (LDAP), ldap directory is that a centralized service reaching is maintained in the user's entry in other entries.Normally by it, the position in tree-like hierarchical structure represents LDAP object.For example " en=zhenli, ou=userzh=asizdc=mycomp, dc=org "

By the above, clearly, do not have simple method to identify all method for expressing of an actual user.Above-mentioned difficulties, all can occur when access resources in a user or computing machine or application program computer environment at isomery no matter be.

Summary of the invention

On the computer environment of an isomery, carry out the method for subscriber authentication, various embodiment are as follows: the method for carrying out subscriber authentication in the computer environment of an isomery comprises: one, defined one group of unique prefix, each prefix represents the type of a user resource base; Two, defined one group of abstract thesaurus title, each abstract data bank title represents the address of user resource base; Three, verify described user at the computing machine of isomery, by distributing a sequence to contain a unique prefix, the unique identifier of the user in the resources bank of quoting and being pointed to by abstract resource library name of an abstract resources bank title.Therefore, provide a unique authentication or nomenclature scheme, it can identify type and the source of user resource base, and wherein different types can represent different proof rules.Based on the above, this scheme provides a unique authentication scheme, makes the mankind or inhuman user can compare to verify whether certain user is legal identity and the authorized activity of going to carry out request.So can use an identical resources bank, have the entry of ambiguity because all by using definite proof scheme to eliminate.As a concrete user's authentication information was collected together by different verification methods.

In addition, can freely exchange because all participants of heterogeneous computer environment are using same language aspect user profile about user's information, want in addition to make the mankind be easier to understand.The latter is very important, because modern communication protocol, as XML (SOAP), needs the form of printing (people are readable) using.

In an embodiment, the prefix that the unique prefix of this group comprises the type that represents at least one user resource base.For example LDAP server (LDAP) Windows active directory server (ADS) security certificate function (SAF), particularly RACF, ACF2 or TopSecret.Also can use arbitrarily

The prefix of the user resource base of one group of unique local operation system increases or replaces.Due to the type of user resource base by prefix only determine, described embodiment can carry out authenticated very neatly, manages by the covert rule of a user resource base being loaded in computer environment.Step 2 may comprise the catalogue that defines an abstract resource library name, and this catalogue mapping refers to the name in actual physical address and abstract resource storehouse.One of this catalogue definition is quoted, the mapping of abstract resource library name and different true address (for example IP address).Multiple true address can have an identical abstract resource library name, for example, if resources bank uses multiple host-host protocols (TCP/IP, SSL, HTTP, HTTPS etc.).

In an embodiment, may there be multiple corresponding abstract resource library names of quoting, if need to be from different access resources storehouses, the network address.Abstract resource library name catalogue can realize by database.Method described here can be carried out enforcement according to the program in computer system stores medium.

Brief description of the drawings

In order to be illustrated more clearly in the embodiment of the present invention or technical scheme of the prior art, to the accompanying drawing of required use in embodiment or description of the Prior Art be briefly described below, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those of ordinary skill in the art, do not paying under the prerequisite of creative work, can also obtain according to these accompanying drawings other accompanying drawing.

Fig. 1: the design drawing of the embodiment in a heterogeneous computer environment;

User's authentication string in c:3 heterogeneous computer environment of Fig. 2 a-Fig. 2.

Embodiment

Below in conjunction with the accompanying drawing in the embodiment of the present invention, the technical scheme in the embodiment of the present invention is clearly and completely described, obviously, described embodiment is only the present invention's part embodiment, instead of whole embodiment.Based on the embodiment in the present invention, those of ordinary skill in the art, not making all other embodiment that obtain under creative work prerequisite, belong to the scope of protection of the invention.

Fig. 1 has explained the design drawing of a typical computer environment that comprises 3 user's 1,3,5 access applications 10.In certain embodiments, computer environment is isomery.Such asuser 1,3,5 andapplication program 10 are to operate in different hardware platforms, such as Windows server, unix server or mainframe system, or use identical hardware platform but different operating system.It in some computer environment, may be also homogeneous environment.

User in the system of Fig. 1 perhaps authenticated, can forexample access application 10 of executed activity.In this environment, there are multiple different user resource bases.The example of Fig. 1 has comprised tworesources banks 20,22.User resource base 22 authenticated are in step 102.The computer environment of known Fig. 1 has been simplified in large quantities.In a real computer environment (in the embodiment of anticipation), should there is a large amount of distributed resources banks widely to authenticate a large amount of users.Therefore, embodiment should not be subject to illustrated restriction.

Resources bank 20,22 in Fig. 1 offers each mankind or non-human user, such asclient 1,3,5, is called user principal name (UPN).Perhaps, UPN specifies in a prefix (type), and in lower one deck entry (resources bank of a real user), for the authentication information of authenticated.This verification process hasresources bank 20,22 specific rules separately to carry out.Due to the dirigibility of this invention, there is no need to coordinate the authenticate ruler indifferent resource storehouse 20,22 in isomerous environment here.In addition, new resources bank can join in environment at any time as required.

In order to make to become like this possibility, also need an abstract reference name (ARN) in UPN.This ARN must be unique the each user resource base of certification and the address information being necessary, forresources bank 20,22 communication.If the ARN of two entries is inconsistent, they also may point to the resources bank of same reality.The ARN list storage of all activities, and can be by all entities access in this computer environment in ARN catalogue 30.ARN catalogue 30 can realize back and forth by database 31.As shown in Figure 1,client 1,3,5 andapplication program 10 can access ARN catalogue 30.Thiscatalogue 30 can be by copying to improve the utilization factor of computer environment.

By the above, can there is the corresponding concrete user resource base of multiple reference names.Whether quote identical or different resources bank in order to find out two different reference name, the resource library name being stored in ARN catalogue must can realize comparison mechanism.Utilizing quoting in UPN to be conducive to actual resources bank does not need invalid UPN just can realize change.Therefore, the address of resources bank can not need to coordinate all UPN and just can change, and can also simplify like this management of UPN.Finally, the addressing information of resources bank may not can be directly stored in UPN, but with a name symbol.

As shown in the design drawing of Fig. 1,ARN catalogue 30 is in order to retrieve available another name, andclient 1,3,5 connects (in a series ofstep 104).For example, which is that current main resources bank is for certification? this alias 203 (comparison diagram 2) will be used as the unique main body name of composition.

Then, instep 106, in the time thatclient 1,3,5 sends the request of a concrete action of anapplication program 10,ARN catalogue 30 andapplication program 10 couple together (in step 108), andapplication program 10 is for understanding the user authentication information of sending.More accurately,client 1,3, and 5 may comprise UPN in theirrequest 106, and then this request is employedjourney 10 and identifies, and connectARN catalogue 30 be then theuser resource base 20,22 connecting separately.

A UPN perhaps comprises, except prefix and quoting, and a main identifier.This outstanding feature symbol has been determined mankind or the non-human user in a user resource base uniquely.The syntactic representation of this main identifier is determined according to prefix described above, and wherein prefix table understands the type of user resource base.Coding rule as for outstanding feature symbol can use each user resource base in concrete environment.

Fig. 2 a has shown 3 examples for the UPN character string that authenticates to Fig. 2 c.UPN character string itself, for portability, is encoded by the mode of UTF-8 conventionally.

In the example of Fig. 2 a,prefix 201 represents a LDAP user resource base.Quoting afterwards 203 shows a user resource base " Asia ".Utilize ARN catalogue, all requests all can actual physical address of feedback, makes the user resource base of quoting can be found.Outstanding feature symbol 205 is finally determined concrete user rule according to LDAP resources bank in the resources bank of quoting.

At Fig. 2 b,prefix 201 represents a user resource base of the active directory server of a Microsoft.Quote the user resource base that 203 " AME " represents an ADS type, remainingoutstanding feature symbol 205 represents that a concrete user " ZhenLi " is at the AME of the ADS specifically quoting resources bank.

Finally, the 3rd example represents the UPN of an embodiment, and this embodiment is an invention that has safety certifying method, and the method is used on the mainframe of IBM conventionally.In like manner,prefix 201 represents the type of this resources bank.Quoting afterwards 203 can allow to search user's concrete SAF resources bank, and user " LZL " is wherein certified.

The character string of the sequence of the different elements of the UPN that Fig. 2 a-c represents is only all some of them exemplary.Prefix wherein, quote with outstanding feature symbol and can arrange or separate with suitable separator with different orders.

Obviously Fig. 2 a-c is a wherein part of a large amount of UPN.The principle of this invention is that a user can be confirmed uniquely, does not need to specify a single or limited authentication mechanism.On the contrary, all new user resource base types can be used and be produced corresponding UPN.

Claims (16)

1. the method for carrying out subscriber authentication on the computer environment of an isomery, the method comprises:

Utilize one or more computing machines to carry out following operation:

A. define one group of unique prefix, each prefix identifies a kind of user resource base type.

B. define one group of abstract resource library name, the address of each abstract resource library name mark one user resource base, wherein each resource library name is mapped to a user resources library name and is used for retrieving the address information needing, also, comprised that abstract resource library name catalogue of definition refers to abstract resource library name for mapping and abstract resource library name is mapped to actual physical address;

C. by distributing a sequence to identify user in heterogeneous computer environment.The unique identifier in user resource base of quoting with one that this sequence comprises a unique prefix, an abstract resource library name, wherein this user resource base is shone upon by abstract resource library directory.Wherein quoting of abstract resource library name shone upon abstract resource library name, abstract resource library name is shone upon actual user resource base address, whether the unique identifier of user is determined user uniquely by the rule of one or more user resource bases here, and be legal according to user resource base authentication of users.If resources bank can visit by various protocols, multiple physical addresss can have an identical abstract resource library name, and abstract resource library directory can select suitable physical address to carry out feedback request.

2. the method in claim 1, one group of unique prefix wherein at least comprises with next user resources type: LDAP server (LDAP); Windows active directory server (ADS); Security certificate function (SAF), comprises RACF, ACF2 or TopSecret.

3. in the method for claim 1, the user resource base that the unique prefix of this group comprises local operation system.

4. in the method for claim 1, can there is multiple quoting to point to a single abstract resource library name.

5. in the method for claim 1, abstract resource library name catalogue is realized by database.

6. in the method for claim 1, further comprise that at least one application program operating on heterogeneous system can access abstract resource library name catalogue, with authenticating users.

7. in the method for claim 1, the abstract resource library name in sequence has identified a user resource base, for the authentication information of authentication of users.

8. in the method for claim 1, sequence is a character string, and form is " prefix: quote: identifier ", and element wherein can change order.

9. a permanent storage medium comprises the programmed instruction that a user under heterogeneous computer environment authenticates.Wherein this instruction is carried out following functions by processor:

A. define one group of unique prefix, the type of a kind of user resource base of each prefix mark;

B. define one group of abstract resource library name, the address of each abstract resource library name mark one user resource base, wherein each resource library name is mapped to a user resources library name and is used for retrieving the address information needing, also, comprised that abstract resource library name catalogue of definition refers to abstract resource library name for mapping and abstract resource library name is mapped to actual physical address;

C. by distributing a sequence to identify user in heterogeneous computer environment.The unique identifier in user resource base of quoting with one that this sequence comprises a unique prefix, an abstract resource library name, wherein this user resource base is shone upon by abstract resource library directory.Wherein quoting of abstract resource library name shone upon abstract resource library name, abstract resource library name is shone upon actual user resource base address, whether the unique identifier of user is determined user uniquely by the rule of one or more user resource bases here, and be legal according to user resource base authentication of users.If resources bank can visit by various protocols, multiple physical addresss can have an identical abstract resource library name, and abstract resource library directory can select suitable physical address to carry out feedback request.

10. the permanent storage media in claim 9, one group of unique prefix wherein at least comprises following user resource base type: LDAP server (LDAP); Windows active directory server (ADS); Security certificate function (SAF), comprises RACF, ACF2 or TopSecret.

Permanent storage media in 11. claims 9, the user resource base that wherein the unique prefix of this group comprises local operation system.

Permanent storage media in 12. claims 9, wherein has multiple quoting and points to a single abstract resource library name.

Permanent storage media in 13. claims 9, abstract resource library name catalogue wherein can realize with database.

Permanent storage media in 14. claims 9, programmed instruction is wherein wanted further to carry out the application program access abstract resource library name catalogue by least one isomerous environment, with authenticated.

Permanent storage media in 15. claims 9, the abstract resource library name in sequence represents a user resource base, with the authentication information of authentication of users.

16. realize the computer system that user authenticates in heterogeneous computer environment, comprising a processor, a storer being connected with processor, this storer comprises programmed instruction: define one group of unique prefix, a kind of user resource base type of each prefix mark; Define one group of abstract resource library name, each abstract resource library name mark one user resource base address.Wherein each resource library name is mapped to a user resources library name and is used for retrieving the address information needing, also, comprised that abstract resource library name catalogue of definition refers to abstract resource library name for mapping and abstract resource library name is mapped to actual physical address; And in heterogeneous computer environment, identify user by distributing a sequence.The unique identifier in user resource base of quoting with one that this sequence comprises a unique prefix, an abstract resource library name, wherein this user resource base is shone upon by abstract resource library directory.Wherein quoting of abstract resource library name shone upon abstract resource library name, abstract resource library name is shone upon actual user resource base address, whether the unique identifier of user is determined user uniquely by the rule of one or more user resource bases here, and be legal according to user resource base authentication of users.If resources bank can visit by various protocols, multiple physical addresss can have an identical abstract resource library name, and abstract resource library directory can select suitable physical address to carry out feedback request.

Images