Highly scalable and highly available cluster system management scheme
    41.
    Granted patent
    Highly scalable and highly available cluster system management scheme (status: lapsed)

    Publication No.: US07412479B2

    Publication date: 2008-08-12

    Application No.: US10042412

    Filing date: 2002-01-07

    IPC classification: G06F15/16 G06F15/173

    CPC classification: G06F9/5061 G06F11/1425

    Abstract: A cluster system is treated as a set of resource groups, each resource group including a highly available application and the resources upon which it depends. A resource group may have between 2 and M data processing systems, where M is small relative to the cluster size N of the total cluster. Configuration and status information for the resource group is fully replicated only on those data processing systems which are members of the resource group. A configuration object/database record for the resource group has an associated owner list identifying the data processing systems which are members of the resource group and which may therefore manage the application. A data processing system may belong to more than one resource group, however, and configuration and status information for the data processing system is replicated to each data processing system which could be affected by failure of the subject data processing system—that is, any data processing system which belongs to at least one resource group also containing the subject data processing system. The partial replication scheme of the present invention allows resource groups to run in parallel, reduces the cost of data replication and access, is highly scalable and applicable to very large clusters, and provides better performance after a catastrophe such as a network partition.

    Method for maintaining application compatibility within an application isolation policy
    42.
    Patent application
    Method for maintaining application compatibility within an application isolation policy (status: under examination, published)

    Publication No.: US20070011723A1

    Publication date: 2007-01-11

    Application No.: US11176843

    Filing date: 2005-07-07

    Applicant: Ching-Yun Chao

    Inventor: Ching-Yun Chao

    Abstract: Provided is a method for providing Java modularity class loader protection by controlling the visibility of WebSphere, service provider, library and utility code interfaces. Interface access authorization is checked once, during class loading to effectively protect vulnerable programming interfaces, eliminating repeated permission checking during execution. Code in a WebSphere Application server (WAS) computing environment is categorized into a finite number of sets in which one permission zone is assigned to each set and the code in each set runs at the same privilege zone. Each set exposes programming interfaces to provide functional service and code in a particular set can only access code in the same or a lower security zone set. Also provided is a technique for explicitly providing to specific modules in lower security zones access to modules or designated interfaces of modules in higher security zones.

    Method and system for using a compact disk as a smart key device
    43.
    Patent application
    Method and system for using a compact disk as a smart key device (status: in force)

    Publication No.: US20060136748A1

    Publication date: 2006-06-22

    Application No.: US11014559

    Filing date: 2004-12-16

    IPC classification: G06F12/14

    Abstract: A data processing system accepts a removable storage media, which becomes electrically engaged with a system unit within the data processing system, after which the removable storage media and the hardware security unit mutually authenticate themselves. The removable storage media stores a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair that is associated with the hardware security unit, and the hardware security unit stores a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair that is associated with the removable storage media. In response to successfully performing the mutual authentication operation between the removable storage media and the hardware security unit, the system unit is enabled to invoke cryptographic functions on the hardware security unit while the removable storage media remains engaged with the system unit.

    Method and apparatus for handling custom token propagation without Java serialization
    44.
    Patent application
    Method and apparatus for handling custom token propagation without Java serialization (status: under examination, published)

    Publication No.: US20060005234A1

    Publication date: 2006-01-05

    Application No.: US10882118

    Filing date: 2004-06-30

    IPC classification: G06F15/16

    CPC classification: H04L63/0815 H04L29/06

    Abstract: A method, apparatus and computer instructions for handling propagation of custom tokens without using Java™ serialization. A service provider may plug in a first login module to add a marker token to a subject for later use by an application at run time. The marker token is then serialized by the mechanism of the present invention by invoking a get bytes method on the token. The present invention then propagates the token downstream if the token is marked forwardable. At a target server, a second login module may be plugged in to deserialize a byte array from a list of tokens and perform a custom operation on the byte array retrieved from a token holder.

    Fine grained role-based access to system resources
    45.
    Granted patent
    Fine grained role-based access to system resources (status: lapsed)

    Publication No.: US06950825B2

    Publication date: 2005-09-27

    Application No.: US10159482

    Filing date: 2002-05-30

    Abstract: A security policy process which provides role-based permissions for hierarchically organized system resources such as domains, clusters, application servers, and resources, as well as topic structures for messaging services. Groups of permissions are assigned to roles, and each user is assigned a role and a level of access within the hierarchy of system resources or topics. Forward or reverse inheritance is applied to each user level-role assignment such that each user is allowed all permissions for ancestors to the assigned level or descendants to the assigned level. This allows simplified security policy definition and maintenance of user permissions as each user's permission list must only be configured and managed at one hierarchical level with one role.

    Method and system for establishing a trust framework based on smart key devices
    46.
    Patent application
    Method and system for establishing a trust framework based on smart key devices (status: in force)

    Publication No.: US20050154875A1

    Publication date: 2005-07-14

    Application No.: US10753820

    Filing date: 2004-01-08

    Applicant: Ching-Yun Chao

    Inventor: Ching-Yun Chao

    IPC classification: G06F21/00 H04L9/00

    Abstract: A mechanism is provided for securing cryptographic functionality within a host system such that it may only be used when a system administrator physically allows it via a hardware security token. In addition, a hardware security unit is integrated into a data processing system, and the hardware security unit acts as a hardware certificate authority. The hardware security unit may be viewed as supporting a trust hierarchy or trust framework within a distributed data processing system. The hardware security unit can sign software that is installed on the machine that contains the hardware security unit. Server processes that use the signed software that is run on the machine can establish mutual trust relationships with the hardware security unit and amongst the other server processes based on their common trust of the hardware security unit.

    Method and system for replicating data in a distributed computer environment
    47.
    Granted patent
    Method and system for replicating data in a distributed computer environment (status: lapsed)

    Publication No.: US06529960B2

    Publication date: 2003-03-04

    Application No.: US09896393

    Filing date: 2001-06-29

    IPC classification: G06F1516

    Abstract: A method for replicating data in a distributed computer environment wherein a plurality of servers are configured about one or more central hubs in a hub and spoke arrangement. In each of a plurality of originating nodes, updates and associated origination sequence numbers are sent to the central hub. The hub sends updates and associated distribution sequence numbers to the plurality of originating nodes. The hub tracks acknowledgments sent by nodes for a destination sequence number acknowledged by all nodes. Thereafter, a highest origination sequence number is sent from the central hub back to each originating node.

    Node failure recovery in a hub and spoke data replication mechanism
    49.
    Granted patent
    Node failure recovery in a hub and spoke data replication mechanism (status: lapsed)

    Publication No.: US06335937B1

    Publication date: 2002-01-01

    Application No.: US09160021

    Filing date: 1998-09-24

    IPC classification: H04L1228

    CPC classification: H04L69/40

    Abstract: A node failure recovery mechanism for use in a data replicating system in a distributed computer environment wherein a plurality of servers are configured about one or more central hubs in a hub and spoke arrangement. In each of a plurality of originating nodes, updates and associated origination sequence numbers are sent to the central hub. The hub sends updates and associated distribution sequence numbers to the plurality of originating nodes. The hub tracks acknowledgments sent by nodes for a destination sequence number acknowledged by all nodes. Upon failure of a node, a node failure recovery method may be used to enable a “buddy” node to help the failed node gain readmission to a distribution group.

    Resource group quorum scheme for highly scalable and highly available cluster system management
    50.
    Granted patent
    Resource group quorum scheme for highly scalable and highly available cluster system management (status: lapsed)

    Publication No.: US06314526B1

    Publication date: 2001-11-06

    Application No.: US09113674

    Filing date: 1998-07-10

    IPC classification: H02H305

    CPC classification: H04L67/1002 G06F11/2041

    Abstract: A cluster system is treated as a set of resource groups, each resource group including a highly available application and the resources upon which it depends. A resource group may have between 2 and M data processing systems, where M is small relative to the cluster size N of the total cluster. Configuration and status information for the resource group is fully replicated only on those data processing systems which are members of the resource group. In the event of failure of a data processing system within the cluster, only resource groups including the failed data processing system are affected. Each resource group having a quorum of its data processing systems available continues to provide services, allowing many applications within the cluster to continue functioning while the cluster is restored.