Nothing Special   »   [go: up one dir, main page]

CN115396496B - Tenant password service session affinity method, system, medium and device in cloud environment - Google Patents

Tenant password service session affinity method, system, medium and device in cloud environment Download PDF

Info

Publication number
CN115396496B
CN115396496B CN202211322274.3A CN202211322274A CN115396496B CN 115396496 B CN115396496 B CN 115396496B CN 202211322274 A CN202211322274 A CN 202211322274A CN 115396496 B CN115396496 B CN 115396496B
Authority
CN
China
Prior art keywords
service
password
cryptographic
cipher
micro
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211322274.3A
Other languages
Chinese (zh)
Other versions
CN115396496A (en
Inventor
李宁
张大伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Unita Information Technology Co ltd
Original Assignee
Beijing Unita Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Unita Information Technology Co ltd filed Critical Beijing Unita Information Technology Co ltd
Priority to CN202211322274.3A priority Critical patent/CN115396496B/en
Publication of CN115396496A publication Critical patent/CN115396496A/en
Application granted granted Critical
Publication of CN115396496B publication Critical patent/CN115396496B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1001Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004Server selection for load balancing
    • H04L67/1023Server selection for load balancing based on a hash applied to IP addresses or costs

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a tenant password service session affinity method, a system, a medium and equipment in a cloud environment, wherein the system comprises a password application SDK, a password service gateway, a password micro-service and a server password machine; the server cipher machine and the cipher micro-service are in one-to-one binding relationship; and the password application SDK is in communication connection with the server cipher machine through the password service gateway and the password microservice in sequence. The invention relates the context of the cryptographic operation of the tenant by using the cryptographic service and the process of opening the session, and solves the problems that multiple requests of the cryptographic operation service for the same session are randomly scheduled and the load balance cannot be realized.

Description

Tenant password service session affinity method, system, medium and device in cloud environment
Technical Field
The invention relates to the technical field of key management, in particular to a tenant cryptographic service session affinity method, a system, a medium and equipment in a cloud environment.
Background
The password is an important component of a network space security system, and is a 'gene' and a key technology of a network space security and trust mechanism. The construction of traditional password application needs to introduce various password devices and password products with different types and a large number to interface various password application services. The direct consequence of this traditional cryptographic application building model is: the equipment is distributed and deployed and is difficult to manage; the password application docking integration is complex; lack of intensive use and scheduling of cryptographic resources; not adapted to a cloud computing environment; the password service is lack of quantification, the password application is lack of supervision, and the requirements of compliance construction are difficult to meet.
In order to solve the problems, a cloud password service technology is promoted, which integrates various password devices and provides password services which are managed uniformly and are convenient to use for users through flexible multi-mode service aggregation capability.
In a cloud password service scenario, a traditional password device mode is no longer applicable, because in the traditional mode, a user of the password device is changed from a device owner to a service renter, and various requirements of multi-tenant such as isolation, authentication, current limiting and the like need to be met. Therefore, the industry standard GMT 0104-2021 cloud server cipher machine technical specification of the cloud server cipher machine recommends using http protocol to provide service, and the invention also uses http as a transmission protocol.
In a cloud password service scene, service resources can be provided for a plurality of tenants for use, the tenants pay for purchasing one or more service resources and create password applications on the basis of the service resources, when most applications use the password services, the operation is not completed at one time, but a plurality of steps of session opening, operation executing, session closing and the like are provided, the steps have context association relations, servers providing the password operation for the same context must be always the same, otherwise, the context state must be synchronized before a plurality of servers, the context state synchronizing can lead to long time consumption of server synchronization waiting, and serious influence can be caused on performance in a high concurrency scene. Another idea is to use a session affinity mechanism to ensure that the backend resources that provide the service are the same when using the same context. Meanwhile, the performance of service resources in a cloud password service scene is not balanced, and due to the large performance difference of password equipment, in order to fully utilize the password equipment resources, a method or a system is needed to ensure that both session affinity and weighted load balance can be realized.
Disclosure of Invention
Therefore, the technical problem to be solved by the invention is to provide a tenant cryptographic service session affinity method, system, medium and device in a cloud environment, which associate the context of cryptographic operation performed by a tenant using a cryptographic service with the process of session opening, and solve the problems that multiple requests of the cryptographic operation service for the same session are randomly scheduled and load balancing cannot be performed.
In order to solve the technical problems, the invention provides the following technical scheme:
the tenant password service affinity method in the cloud environment comprises the following steps:
s1) importing the password micro-service unit through the password service gateway
Figure 828869DEST_PATH_IMAGE001
Address information of
Figure 372108DEST_PATH_IMAGE002
And setting a password micro-service unit
Figure 542058DEST_PATH_IMAGE001
Weight of (2)
Figure 560436DEST_PATH_IMAGE003
Wherein, in the step (A),
Figure 499443DEST_PATH_IMAGE004
=0,1,2,3,…n;
s2) the cryptographic service gateway receives the SDK from the cryptographic application m Obtain a cookie request by weight
Figure 151266DEST_PATH_IMAGE005
The size of the password micro-service unit is random to
Figure 136408DEST_PATH_IMAGE006
Initiating weighted polling, wherein m is an integer greater than zero; wherein the weight is
Figure 224057DEST_PATH_IMAGE005
The probability of the large password micro-service unit obtaining the weight polling is higher, and the weight polling
Figure 220832DEST_PATH_IMAGE007
Small cryptographic microservices have a lower probability of obtaining a weighted poll, i.e., the weight is
Figure 105873DEST_PATH_IMAGE005
The large password micro-service unit has a high probability of preferentially obtaining the weight polling;
s3) when the weight polling of the password service gateway is received, the password micro-service unit
Figure 984836DEST_PATH_IMAGE008
First generation with address information
Figure 672913DEST_PATH_IMAGE002
And a time stamp
Figure 87976DEST_PATH_IMAGE009
Information of (2)
Figure 845717DEST_PATH_IMAGE010
Then according to the information
Figure 303987DEST_PATH_IMAGE010
Generate a corresponding
Figure 969323DEST_PATH_IMAGE011
Then will be
Figure 442155DEST_PATH_IMAGE012
Feeding back to the cryptographic service gateway, wherein,
Figure 901955DEST_PATH_IMAGE012
containing address information
Figure 543063DEST_PATH_IMAGE002
And time stamp
Figure 841451DEST_PATH_IMAGE009
Time stamp
Figure 464062DEST_PATH_IMAGE009
As polled cryptographic microservices
Figure 62140DEST_PATH_IMAGE008
A point in time at which a response is made;
s4) cipher service gateway
Figure 402992DEST_PATH_IMAGE013
Returned to the cryptographic application SDK m
S5) cryptographic application SDK m Issuing a challenge to a cryptographic service gateway
Figure 239492DEST_PATH_IMAGE011
Password clothesService request, password service gateway resolution
Figure 982189DEST_PATH_IMAGE011
Obtaining address information
Figure 751168DEST_PATH_IMAGE002
Then through the password micro-service unit
Figure 579316DEST_PATH_IMAGE008
Server cipher machine for initiating cipher service call
Figure 953928DEST_PATH_IMAGE014
Applying SDK for password m Providing a cryptographic service; wherein, the server cipher machine
Figure 315246DEST_PATH_IMAGE015
Micro service unit with cipher
Figure 756591DEST_PATH_IMAGE008
And (4) correspondingly.
In the tenant password service affinity method in the cloud environment, in step S5), the password applies the SDK m The number of the password service requests sent to the password service gateway at the same time is more than or equal to 1; when the number of simultaneously issued cryptographic service requests is greater than 1, each cryptographic service request carries a unique cookie.
According to the tenant password service affinity method in the cloud environment, before the password service call session is initiated, the password applies the SDK m The cookie is retrieved once again.
In step S5), the tenant password service affinity method in the cloud environment specifically includes:
s5-1) cryptographic application SDK m Issuing a challenge to a cryptographic service gateway
Figure 573500DEST_PATH_IMAGE016
Open password service call session request;
s5-2) cipher service gateway resolution
Figure 250338DEST_PATH_IMAGE017
Obtaining address information
Figure 200583DEST_PATH_IMAGE002
And forwards the request for opening the cryptographic service call session to the address information
Figure 812830DEST_PATH_IMAGE002
Corresponding cipher micro-service unit
Figure 117034DEST_PATH_IMAGE018
S5-3) cipher micro service unit
Figure 361677DEST_PATH_IMAGE018
Responsive to opening the cryptographic service invocation session, the cryptographic microserver unit upon allowing the cryptographic service invocation session to be opened
Figure 871156DEST_PATH_IMAGE018
Execution opening and server cipher machine
Figure 280403DEST_PATH_IMAGE015
A cryptographic service session therebetween;
s5-4) obtaining the password micro-service unit
Figure 570439DEST_PATH_IMAGE018
After allowing the response of the cryptographic service invocation session to open, the cryptographic application SDK m Issuing a challenge to a cryptographic service gateway
Figure 962981DEST_PATH_IMAGE019
To invoke cryptographic services;
s5-5) cipher service gateway parsing
Figure 654862DEST_PATH_IMAGE019
Obtaining address information
Figure 438273DEST_PATH_IMAGE002
And forwards the cryptographic operation request to the address information
Figure 714140DEST_PATH_IMAGE002
Corresponding cipher micro-service unit
Figure 536471DEST_PATH_IMAGE018
S5-6) password micro-service unit
Figure 318745DEST_PATH_IMAGE018
Converting the http or https request in the cryptographic operation request into a custom protocol and sending the custom protocol to the server cryptographic engine
Figure 443695DEST_PATH_IMAGE020
Initiating a cryptographic operation request;
s5-7) server cipher machine
Figure 964717DEST_PATH_IMAGE015
After receiving the password operation request, the password operation is carried out and the operation result is returned to the password micro-service unit
Figure 357783DEST_PATH_IMAGE018
Micro service unit
Figure 696361DEST_PATH_IMAGE018
Returning the operation result to the SDK of the password application through the password service gateway m
In the tenant password service affinity method in the cloud environment, in step S5-3), when the password service call session is allowed to be opened, the tenant password service affinity method in the cloud environment is to be used for providing a password service call session
Figure 553065DEST_PATH_IMAGE021
One-to-one binding with a handle of a cryptographic service invocation session and use in cryptographic operation requests
Figure 367306DEST_PATH_IMAGE022
A handle to a cryptographic service call session.
The tenant password service affinity method in the cloud environment is used when the password operation service is called
Figure 908271DEST_PATH_IMAGE023
A handle to the cryptographic service call session to confirm and distinguish the issuer calling the cryptographic operation service.
Tenant cipher service session affinity system in cloud environment, including:
the password application SDK is used for providing a dynamic function library example for a cloud password service manufacturer and is responsible for converting input parameters into http or https calls for password services;
the password service gateway is a general entrance of the cloud password service and is responsible for processing transmission flow, wherein the processing comprises authentication, current limiting and load balancing;
the password microservice is used for providing a service instance of http or https operation and is responsible for converting parameters in an http or https request into parameters required by a server password machine standard function interface library;
the server cipher machine is a cipher module for really providing cipher operation and is responsible for providing hardware operational capability of a hardware level for the cloud cipher service; the server cipher machine and the cipher micro-service are in one-to-one binding relationship;
and the password application SDK is in communication connection with the server cipher machine through the password service gateway and the password micro-service in sequence.
A computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the tenant cryptographic service affinity method in a cloud environment described above.
The computer device comprises a readable storage medium, a processor and a computer program which is stored on the readable storage medium and can run on the processor, and when the computer program is executed by the processor, the computer program realizes the tenant cryptographic service affinity method in the cloud environment.
The technical scheme of the invention achieves the following beneficial technical effects:
1. support for specifying service weights;
2. the performance is extremely high, the traditional cookie scheme uses a consistent hash algorithm to determine the back-end service, the digest operation needs to be carried out on the cookie, then the back-end service is selected by using the algorithm, the ip address is directly analyzed from the cookie, and the performance is obviously improved;
3. the method can not influence the running business when the new instance is added, and only load the new service instance after the cookie is acquired again.
Drawings
FIG. 1 is a schematic diagram of the operation of a tenant cryptographic service session affinity system in a cloud environment according to the present invention;
FIG. 2 is a flow chart of a cryptographic service call using a tenant cryptographic service session affinity system in a cloud environment;
FIG. 3 is a flow chart of cookie retrieval in the present invention;
FIG. 4 is a flow chart illustrating the use of the get cookie of FIG. 3;
FIG. 5 is a flow chart of a cryptographic service based on a tenant cryptographic service session affinity method in a cloud environment;
FIG. 6 is another flow chart of a cryptographic service based on a session affinity method of a tenant cryptographic service in a cloud environment;
FIG. 7 is a schematic diagram of a tenant application invoking a cryptographic service logic interface;
fig. 8 is a schematic diagram of a computer device capable of performing session affinity processing of tenant cryptographic services in a cloud environment according to the present invention.
Detailed Description
The present invention is further described below with reference to examples.
As shown in fig. 1, the tenant cryptographic service session affinity system in the cloud environment includes a cryptographic application SDK, a cryptographic service gateway, a cryptographic micro-service, and a server cryptographic engine, where the cryptographic application SDK is in communication connection with the server cryptographic engine sequentially through the cryptographic service gateway and the cryptographic micro-service, and the server cryptographic engine and the cryptographic micro-service are in a one-to-one binding relationship. In the practical application process, the server cipher machine can be replaced by other cipher devices, such as a signature verification server, a timestamp server, a virtual server cipher machine and the like.
The password application SDK is a dynamic function library instance provided by a cloud password service manufacturer and is responsible for converting input parameters into http or https calls for the password service; the password service gateway is a general entrance of the cloud password service and is responsible for processing transmission flow, wherein the processing comprises authentication, current limiting and load balancing; the password microservice is used for providing a service instance of http or https operation and is responsible for converting parameters in an http or https request into parameters required by a server password machine standard function interface library; the server cipher machine is a cipher module for really providing cipher operation and is responsible for providing hardware-level hardware operation capability for the cloud cipher service. In fig. 1, arrow 1 indicates a service call of the cryptographic application SDK1, and arrow 2 indicates a service application of the cryptographic application SDK 2.
As shown in fig. 2, when the cryptographic application SDK calls the cryptographic service, the present invention first obtains the cookie, opens the cryptographic service call session, then executes the cryptographic operation by the server cryptographic engine and returns the operation result, and then closes the cryptographic service call session. Only two threads are shown in fig. 2, and in the case of a plurality of threads, the processing flow of the cryptographic application SDK is completely the same as that of the two threads.
As shown in fig. 3 and 4, the cryptographic application SDK obtains a cookie containing an IP address of a device providing cryptographic service or a proxy device and uses the cookie to complete cryptographic service invocation in the process of invoking cryptographic service, thereby implementing cryptographic service session affinity, and specifically includes the following steps:
s1) importing a password micro-service unit through a password service gateway
Figure 163672DEST_PATH_IMAGE018
Address information of
Figure 253594DEST_PATH_IMAGE002
And setting a password micro-service unit
Figure 931963DEST_PATH_IMAGE018
Weight of (2)
Figure 571891DEST_PATH_IMAGE003
Wherein, in the process,
Figure 180334DEST_PATH_IMAGE004
=0,1,2,3, \8230n; wherein, the password micro-service unit
Figure 942622DEST_PATH_IMAGE008
Expressed as the second of n cryptographic microservice units
Figure 639445DEST_PATH_IMAGE004
A password micro-service unit;
s2) the cryptographic service gateway receives the SDK from the cryptographic application m Obtain a cookie request by weight
Figure 83065DEST_PATH_IMAGE005
The size of the password micro-service unit is random to
Figure 749276DEST_PATH_IMAGE006
Initiating weighted polling, wherein m is an integer greater than zero;
s3) when the weight polling of the password service gateway is received, the password micro-service unit
Figure 620149DEST_PATH_IMAGE008
First generates the address information
Figure 866585DEST_PATH_IMAGE002
And time stamp
Figure 612431DEST_PATH_IMAGE009
Information of
Figure 634613DEST_PATH_IMAGE010
Then according toInformation
Figure 177852DEST_PATH_IMAGE010
Generate a corresponding
Figure 675699DEST_PATH_IMAGE024
Then will be
Figure 959656DEST_PATH_IMAGE024
Feeding back to the cryptographic service gateway, wherein,
Figure 836345DEST_PATH_IMAGE022
containing address information
Figure 143961DEST_PATH_IMAGE002
And time stamp
Figure 299742DEST_PATH_IMAGE009
Time stamp
Figure 826539DEST_PATH_IMAGE009
As polled cryptographic microservices
Figure 855937DEST_PATH_IMAGE008
A point in time at which a response is made;
s4) the password service gateway will
Figure 239514DEST_PATH_IMAGE025
Returned to the cryptographic application SDK m
S5) cryptographic application SDK m Issuing a challenge to a cryptographic service gateway
Figure 718529DEST_PATH_IMAGE024
Cryptographic service request, cryptographic service gateway resolution
Figure 908070DEST_PATH_IMAGE022
Obtaining address information
Figure 323133DEST_PATH_IMAGE002
Then, howeverPost-pass password micro-service unit
Figure 80874DEST_PATH_IMAGE001
Initiate cryptographic service call, server cryptographic engine
Figure 945668DEST_PATH_IMAGE020
Applying SDK for password m Providing a cryptographic service; wherein, the server cipher machine
Figure 440366DEST_PATH_IMAGE015
Micro service unit with cipher
Figure 474050DEST_PATH_IMAGE001
Corresponding; cryptographic application SDK m The specific operation of invoking the cryptographic service comprises the following steps:
s5-1) cryptographic application SDK m Issuing a challenge to a cryptographic service gateway
Figure 635647DEST_PATH_IMAGE024
Open password service call session request;
s5-2) cipher service gateway parsing
Figure 754782DEST_PATH_IMAGE026
Obtaining address information
Figure 522012DEST_PATH_IMAGE002
And forwards the request for opening the cryptographic service call session to the address information
Figure 144623DEST_PATH_IMAGE002
Corresponding cipher micro-service unit
Figure 273860DEST_PATH_IMAGE002
S5-3) cipher micro service unit
Figure 709652DEST_PATH_IMAGE001
In response to opening the cryptographic service invocation session, atWhen the password service call session is allowed to be opened, the password micro-service unit
Figure 716791DEST_PATH_IMAGE008
Execution opening and server cipher machine
Figure 692444DEST_PATH_IMAGE015
A cryptographic service session therebetween; when a cryptographic service invocation session is allowed to open, it will
Figure 962888DEST_PATH_IMAGE012
One-to-one binding with a handle of a cryptographic service invocation session and use in cryptographic operation requests
Figure 292500DEST_PATH_IMAGE027
A handle to a cryptographic service call session;
s5-4) obtaining the password micro-service unit
Figure 837751DEST_PATH_IMAGE008
After allowing a response to open the cryptographic service invocation session, the cryptographic application SDK m Issuing a challenge to a cryptographic service gateway
Figure 261386DEST_PATH_IMAGE013
To invoke cryptographic services;
s5-5) cipher service gateway resolution
Figure 702731DEST_PATH_IMAGE013
Obtaining address information
Figure 254061DEST_PATH_IMAGE002
And forwards the cryptographic operation request to the address information
Figure 868582DEST_PATH_IMAGE002
Corresponding cipher micro-service unit
Figure 146723DEST_PATH_IMAGE008
S5-6) password micro-service unit
Figure 322752DEST_PATH_IMAGE008
Converting the http or https request in the cryptographic operation request into a custom protocol and sending the custom protocol to the server cryptographic engine
Figure 328754DEST_PATH_IMAGE028
Initiating a cryptographic operation request;
s5-7) server cipher machine
Figure 42238DEST_PATH_IMAGE015
After receiving the password operation request, the password operation is carried out and the operation result is returned to the password micro-service unit
Figure 614034DEST_PATH_IMAGE008
Micro service unit
Figure 695385DEST_PATH_IMAGE008
Returning the operation result to the SDK of the password application through the password service gateway m . Use in invoking cryptographic operation services
Figure 923104DEST_PATH_IMAGE027
A handle to the cryptographic service call session to confirm and distinguish the issuer calling the cryptographic operation service.
In this embodiment, in step S5), the password applies the SDK m The number of the password service requests sent to the password service gateway at the same time is more than or equal to 1; when the number of the simultaneously sent password service requests is more than 1, each password service request is provided with a unique cookie. And each time before initiating a cryptographic service invocation session, the cryptographic application SDK m The cookie is retrieved once again. Multiple password service requests can be initiated in one password service invoking session, and cookies used by the password service requests initiated in the same password service invoking session are the same cookie. FIGS. 5 and 6 show the whole process of the present invention for the cryptographic application SDK to invoke the cryptographic service, and FIG. 5 showsThe process of (1) adopts the cryptographic microservice unit to perform protocol conversion, and the process shown in fig. 6 adopts the protocol conversion server to perform protocol conversion. As can be seen from the combination of the two flowcharts shown in FIG. 5 and FIG. 6, the load is applied to the server cryptographic engine when the cookie is obtained
Figure 401400DEST_PATH_IMAGE015
Subsequent session opening and cryptographic operation are carried out to the server cipher machine
Figure 391484DEST_PATH_IMAGE015
The effect of session affinity is realized, and when the cookie is acquired, the server cipher machine is loaded
Figure 142271DEST_PATH_IMAGE020
The probability of (A) being specifiable on demand, weight-polled selective server crypto engine
Figure 418138DEST_PATH_IMAGE015
The probability of (c) is:
Figure DEST_PATH_IMAGE029
thus, a session affinity that can be assigned a weight is achieved.
In the invention, the
Figure 476355DEST_PATH_IMAGE019
The one-to-one binding with the handle of the password service calling session can ensure that each password service calling session has one cookie, so that the effect of load balancing can be generated even if only one password application SDK is used.
For example, fig. 7 shows that a tenant application calls a certain cryptographic service logic interface on a public cloud, wherein the cryptographic service is used by the cryptographic application SDK, two cryptographic microservices are provided, and the administrator connects the cryptographic microservices P 1 Weight Q of 1 Set to 6, cryptographic microservice unit P 2 Weight Q of 2 Set to 4.
When the password application SDK calls the password service, 5 password service call sessions are needed, 5 cookies are obtained first, a weight polling strategy is adopted to poll two password micro-service units when the cookies are obtained, the cookies are generated by the polled password micro-service units according to rules, and five cookies are shown in a table 1.
TABLE 1 polled cryptographic microservice generated cookie
Figure 757164DEST_PATH_IMAGE030
Wherein the cookie 1 、cookie 3 And a cookie 4 By cryptographic microservice unit P 1 Generating, cookies 2 And a cookie 5 By cryptographic microservice unit P 2 And (4) generating. Cryptographic microservice unit P 1 The reason why the generated cookies are more is that the password micro service unit P 1 The weight of (c) is relatively high. If the total number of cookies generated by two cryptographic microservices is sufficiently large, the ratio of the number of cookies generated by two cryptographic microservices approaches infinity 6.
After obtaining the cookie, the cryptographic application SDK opens 5 cryptographic service call sessions, when opening the cryptographic service call session, a cookie is introduced into each cryptographic service call request, the cookie in each cryptographic service call request is different from the cookies in the other cryptographic service call requests, and after opening the cryptographic service call session, the handle of the cryptographic service call session and the cookie used by the cryptographic service call session are bound one to one. All cryptographic call service requests in a cryptographic service call session by the cryptographic application SDK use the handle of the cryptographic service call session, which must be brought in with the cookie used by the cryptographic service call session. In the cloud environment, the number of sessions is huge, and thus the load of performing the cryptographic operation per session can be considered to be the same, so in the above example, the load ratio of the cryptographic operation can be considered to be 6.
Based on the above tenant password session affinity method in the cloud environment, correspondingly, a computer readable storage medium storing a computer program is further provided in this example, where the computer program when executed by a processor implements the following steps: the method comprises the steps of obtaining a cookie containing IP address information of a password micro-service unit and time information of the cookie request, calling the password service by using the cookie, carrying out password operation, analyzing the cookie when the password service is called, obtaining the IP address information contained in the cookie, sending a request for calling the password service to the password micro-service unit with the IP address information, calling a server password machine by the password micro-service unit to complete the password operation, and returning a password operation result to a password application SDK.
As shown in fig. 8, based on the tenant cryptographic service session affinity method in the cloud environment and the computer readable storage medium, in this embodiment, a computer device is further provided, which includes a readable storage medium, a processor, and a computer program stored on the readable storage medium and executable on the processor, where the readable storage medium and the processor are both disposed on a bus, and the processor executes the computer program to implement the following steps: the method comprises the steps of obtaining a cookie containing IP address information of a password micro-service unit and time information of the request cookie, calling password service by using the cookie, carrying out password operation, analyzing the cookie when the password service is called, obtaining the IP address information contained in the cookie, sending a request for calling the password service to the password micro-service unit with the IP address information, calling a server cipher machine by the password micro-service unit to complete the password operation, and returning a password operation result to a password application SDK.
It should be understood that the above examples are only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. And are neither required nor exhaustive of all embodiments. And obvious variations or modifications are possible which remain within the scope of the appended claims.

Claims (9)

1. The tenant password service affinity method under the cloud environment is characterized by comprising the following steps:
s1) importing the password micro-service unit through the password service gateway
Figure 455639DEST_PATH_IMAGE001
Address information of
Figure DEST_PATH_IMAGE002
And setting a password micro-service unit
Figure 451408DEST_PATH_IMAGE001
Weight of (2)
Figure 27883DEST_PATH_IMAGE003
Wherein, in the step (A),
Figure DEST_PATH_IMAGE004
=0,1,2,3,…n;
s2) the cryptographic service gateway receives the SDK from the cryptographic application m Obtain a cookie request by weight
Figure 6115DEST_PATH_IMAGE005
The size of the password micro-service unit is random to
Figure 289329DEST_PATH_IMAGE001
Initiating weighted polling, wherein m is an integer greater than zero;
s3) when the weight polling of the password service gateway is received, the password micro-service unit
Figure 908529DEST_PATH_IMAGE001
First generates the address information
Figure 519770DEST_PATH_IMAGE002
And time stamp
Figure DEST_PATH_IMAGE006
Information of
Figure 46566DEST_PATH_IMAGE007
Then according to the information
Figure 761450DEST_PATH_IMAGE007
Generate a corresponding
Figure DEST_PATH_IMAGE008
Then will be
Figure 285973DEST_PATH_IMAGE008
Feeding back to the cryptographic service gateway, wherein,
Figure 384510DEST_PATH_IMAGE008
containing address information
Figure 855942DEST_PATH_IMAGE002
And time stamp
Figure 972803DEST_PATH_IMAGE006
Time stamp
Figure 448653DEST_PATH_IMAGE006
As polled cryptographic microservices
Figure 424699DEST_PATH_IMAGE001
A point in time at which a response is made;
s4) cipher service gateway
Figure 293298DEST_PATH_IMAGE008
Returned to the cryptographic application SDK m
S5) cryptographic application SDK m Issuing a challenge to a cryptographic service gateway
Figure 484239DEST_PATH_IMAGE008
Cryptographic service request, cryptographic service gateway resolution
Figure 288247DEST_PATH_IMAGE008
Obtaining address information
Figure 876223DEST_PATH_IMAGE002
Then through the password micro-service unit
Figure 423879DEST_PATH_IMAGE001
Server cipher machine for initiating cipher service call
Figure 967862DEST_PATH_IMAGE009
Applying SDK for password m Providing a cryptographic service; wherein, the server cipher machine
Figure 598563DEST_PATH_IMAGE009
Micro service unit with cipher
Figure 96672DEST_PATH_IMAGE001
And correspondingly.
2. The tenant password service affinity method in the cloud environment of claim 1, wherein in step S5), the password applies SDK m The number of the password service requests sent to the password service gateway at the same time is more than or equal to 1; when the number of the simultaneously sent password service requests is more than 1, each password service request is provided with a unique cookie.
3. The tenant password service affinity method in the cloud environment of claim 1, wherein the password application SDK is applied each time before the password service call session is initiated m The cookie is retrieved once again.
4. The tenant cryptographic service affinity method in the cloud environment according to claim 1, wherein in step S5), the specific operations are:
s5-1) secretCode application SDK m Issuing a challenge to a cryptographic service gateway
Figure 448019DEST_PATH_IMAGE008
Open password service call session request;
s5-2) cipher service gateway parsing
Figure 659557DEST_PATH_IMAGE008
Obtaining address information
Figure 70947DEST_PATH_IMAGE002
And forwards the request for opening the cryptographic service call session to the address information
Figure 572465DEST_PATH_IMAGE002
Corresponding cipher micro service unit
Figure 586557DEST_PATH_IMAGE001
S5-3) cipher micro service unit
Figure 793548DEST_PATH_IMAGE001
Responsive to opening the cryptographic service invocation session, the cryptographic microserver unit upon allowing the cryptographic service invocation session to be opened
Figure 251205DEST_PATH_IMAGE001
Execution opening and server cipher machine
Figure 973173DEST_PATH_IMAGE009
A cryptographic service session therebetween;
s5-4) obtaining the password micro-service unit
Figure 931902DEST_PATH_IMAGE001
After allowing a response to open the cryptographic service invocation session, the cryptographic application SDK m Issuing a challenge to a cryptographic service gateway
Figure 836142DEST_PATH_IMAGE008
To invoke cryptographic services;
s5-5) cipher service gateway resolution
Figure 589334DEST_PATH_IMAGE008
Obtaining address information
Figure 798599DEST_PATH_IMAGE002
And forwards the cryptographic operation request to the address information
Figure 436384DEST_PATH_IMAGE002
Corresponding cipher micro service unit
Figure 86809DEST_PATH_IMAGE001
S5-6) password micro-service unit
Figure 73219DEST_PATH_IMAGE001
The http or https request in the cryptographic operation request is converted into a custom protocol and sent to the server cryptographic engine
Figure 81364DEST_PATH_IMAGE009
Initiating a cryptographic operation request;
s5-7) server cipher machine
Figure 116316DEST_PATH_IMAGE009
After receiving the password operation request, the password operation is carried out and the operation result is returned to the password micro-service unit
Figure 214722DEST_PATH_IMAGE001
Micro service unit
Figure 185084DEST_PATH_IMAGE001
Returning the operation result to the cipher service gatewayTo cryptographic application SDK m
5. The tenant cipher service affinity method in cloud environment of claim 4, wherein in step S5-3), when the opening of the cipher service call session is allowed, the tenant cipher service affinity method is to be used
Figure 368940DEST_PATH_IMAGE008
One-to-one binding with a handle to a cryptographic service call session and use in cryptographic operation requests
Figure 207583DEST_PATH_IMAGE008
A handle to the cryptographic service call session.
6. The tenant cipher service affinity method in cloud environment according to claim 4 or 5, wherein the cipher operation service is called by using
Figure 206501DEST_PATH_IMAGE008
A handle to a cryptographic service call session.
7. The tenant cryptographic service session affinity system in the cloud environment, characterized in that the system is a system for executing the tenant cryptographic service session affinity method in the cloud environment according to claim 1, and comprises:
the password application SDK is used for providing a dynamic function library example for a cloud password service manufacturer and is responsible for converting input parameters into http or https calls for password services;
the password service gateway is a general entrance of the cloud password service and is responsible for processing transmission flow, wherein the processing comprises authentication, current limiting and load balancing;
the password microservice is used for providing a service instance of http or https operation and is responsible for converting parameters in an http or https request into parameters required by a server password machine standard function interface library;
the server cipher machine is a cipher module for really providing cipher operation and is responsible for providing hardware operation capability of hardware level for the cloud cipher service; the server cipher machine and the cipher micro-service are in one-to-one binding relationship;
and the password application SDK is in communication connection with the server cipher machine through the password service gateway and the password micro-service in sequence.
8. A computer-readable storage medium, on which a computer program is stored, wherein the computer program, when executed by a processor, implements the tenant cryptographic service affinity method in a cloud environment according to any one of claims 1 to 7.
9. Computer arrangement comprising a readable storage medium, a processor and a computer program stored on the readable storage medium and executable on the processor, wherein the computer program, when executed by the processor, implements the tenant cryptographic service affinity method in a cloud environment as claimed in any of the claims 1-7.
CN202211322274.3A 2022-10-27 2022-10-27 Tenant password service session affinity method, system, medium and device in cloud environment Active CN115396496B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211322274.3A CN115396496B (en) 2022-10-27 2022-10-27 Tenant password service session affinity method, system, medium and device in cloud environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211322274.3A CN115396496B (en) 2022-10-27 2022-10-27 Tenant password service session affinity method, system, medium and device in cloud environment

Publications (2)

Publication Number Publication Date
CN115396496A CN115396496A (en) 2022-11-25
CN115396496B true CN115396496B (en) 2023-01-17

Family

ID=84127606

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211322274.3A Active CN115396496B (en) 2022-10-27 2022-10-27 Tenant password service session affinity method, system, medium and device in cloud environment

Country Status (1)

Country Link
CN (1) CN115396496B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103563294A (en) * 2011-06-30 2014-02-05 国际商业机器公司 Authentication and authorization methods for cloud computing platform security
CN105071936A (en) * 2010-09-20 2015-11-18 安全第一公司 Systems and methods for secure data sharing
CN108701182A (en) * 2016-08-31 2018-10-23 甲骨文国际公司 The data management of multi-tenant identity cloud service
CN109314704A (en) * 2016-09-14 2019-02-05 甲骨文国际公司 Function is nullified for multi-tenant identity and the single-sign-on and single-point of data safety management cloud service
CN109565505A (en) * 2016-08-05 2019-04-02 甲骨文国际公司 Tenant's Self-Service troubleshooting for multi-tenant identity and data safety management cloud service

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10454915B2 (en) * 2017-05-18 2019-10-22 Oracle International Corporation User authentication using kerberos with identity cloud service
CN113821305B (en) * 2021-09-15 2023-02-10 中电信数智科技有限公司 Cloud password service calling method based on Docker and middleware system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105071936A (en) * 2010-09-20 2015-11-18 安全第一公司 Systems and methods for secure data sharing
CN103563294A (en) * 2011-06-30 2014-02-05 国际商业机器公司 Authentication and authorization methods for cloud computing platform security
CN109565505A (en) * 2016-08-05 2019-04-02 甲骨文国际公司 Tenant's Self-Service troubleshooting for multi-tenant identity and data safety management cloud service
CN108701182A (en) * 2016-08-31 2018-10-23 甲骨文国际公司 The data management of multi-tenant identity cloud service
CN109314704A (en) * 2016-09-14 2019-02-05 甲骨文国际公司 Function is nullified for multi-tenant identity and the single-sign-on and single-point of data safety management cloud service

Also Published As

Publication number Publication date
CN115396496A (en) 2022-11-25

Similar Documents

Publication Publication Date Title
US10270734B2 (en) System and method for enabling real-time eventing
CN108306877B (en) NODE JS-based user identity information verification method and device and storage medium
US9215229B2 (en) Systems and methods for establishing cloud-based instances with independent permissions
US8555339B2 (en) Identifying guests in web meetings
US20110296000A1 (en) Systems and methods for exporting usage history data as input to a management platform of a target cloud-based network
US8762544B2 (en) Selectively communicating data of a peripheral device to plural sending computers
CN106357699A (en) Network system, service platform and login method and system of service platform
US8893004B2 (en) User interface proxy method and system
CN106533932A (en) Method and device for pushing instant message
KR102110099B1 (en) System for providing cloud service based on container
CN114338682B (en) Flow identity identification transmission method and device, electronic equipment and storage medium
CN113778499B (en) Method, apparatus, device and computer readable medium for publishing services
CN115396496B (en) Tenant password service session affinity method, system, medium and device in cloud environment
US11683166B2 (en) Secure file modification with supervision
US11489817B2 (en) Computing system with gateway data transfer based upon device data flow characteristics and related methods
CN110351333B (en) Request queue method and system with verification mechanism
CN115222392A (en) Service access method, device, medium and electronic equipment based on block chain
JP2001282737A (en) Job load dispersion system
US11824917B2 (en) Computing system with data transfer based upon device data flow characteristics and related methods
US20230300135A1 (en) Generation of multiple limited-scope access tokens
Boettner et al. Towards policy driven self-configuration of user-centric communication
Kuo et al. Toward High Throughput Backend Provision for Mobile Apps with A Microservice Approach
CN113760395A (en) Method, device, equipment and computer readable medium for interface authentication
Radchenko et al. Providing integration of UNICORE services in private PaaS platform
Khan Decentralized authentication in OpenStack Nova: integration of OpenID

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant