Patent application number | Description | Published |
20080263301 | KEY-CONTROLLED OBJECT-BASED MEMORY PROTECTION - A method, system, and program key-controlled object-based memory protection are provided. A processing unit includes an authority check for controlling access by the processing unit to pages of memory according to whether a hardware protection key set currently loaded in an authority mask register allows access to the pages. In particular, each page of memory is assigned a page key number that indexes into the hardware protection key set. The currently loaded hardware protection key set specifies those page key numbers that are currently accessible to the processing unit for the execution context. Each hardware key within the hardware protection key set may be associated with a particular data object or group of data objects. Thus, effectively, the currently loaded hardware protection key set identifies which data objects or groups of data objects are currently accessible. Software keys are assigned to data objects and dynamically mapped to hardware protection key sets, such that when a module is called, the software keys assigned to that module are mapped to the hardware protection key set to be loaded for controlling current access to memory. | 10-23-2008 |
20080271139 | DETERMINATION OF ACCESS CHECKS IN A MIXED ROLE BASED ACCESS CONTROL AND DISCRETIONARY ACCESS CONTROL ENVIRONMENT - A computer implemented method, apparatus, and computer program product for access control in a mixed discretionary access control and role based access control environment. In one embodiment, an execution access for a command is determined using a set of role based authorizations for a user invoking the command. In response to a determination that the user invoking the command is authorized based on the set of role based authorizations, a privilege in a set of privileges associated with the command is raised. Raising the privilege in the set of privileges bypasses discretionary access control checks. In response to a determination that the user invoking the command is unauthorized based on the set of role based authorizations, an execution access for the command is determined using a set of discretionary access mode bits associated with the command. | 10-30-2008 |
20080289036 | TIME-BASED CONTROL OF USER ACCESS IN A DATA PROCESSING SYSTEM INCORPORATING A ROLE-BASED ACCESS CONTROL MODEL - Computer implemented method, system and computer usable program code for providing time-based control of user access in a data processing system utilizing a Role-Based Access Control model. A computer implemented method for providing time-based control of user access in a data processing system utilizing a Role-Based Access Control model includes providing at least one timing attribute for a role, wherein each at least one timing attribute specifies a timing condition by which a user is enabled to use the role. The user is enabled to use the role pursuant to satisfying the at least one timing attribute. | 11-20-2008 |
20080294592 | FRAMEWORK FOR MANAGING ATTRIBUTES OF OBJECTS - A computer implemented method, computer program product, and system for managing objects. Responsive to receiving a find-rule method, and a path-rule table, wherein the path-rule table contains a set of paths, wherein each path references an object, wherein a file system locates the object using the path, and wherein the object has at least one attribute not known to the file system, a path-rule table identifier is created. The path-rule table is associated with the path-rule table identifier to form an associated path-rule table. The find-rule method is associated with the path-rule table identifier to form an associated find-rule method. The path-rule table identifier, the associated path-rule table, and the associated find-rule method are stored. The path-rule table identifier is returned. | 11-27-2008 |
20080310624 | Encryption Apparatus and Method for Providing an Encrypted File System - An encryption apparatus and method for providing an encrypted file system are provided. The encryption apparatus and method of the illustrative embodiments uses a combination of encryption methodologies so as to reduce the amount of decryption and re-encryption that is necessary to a file in the Encrypted File System in the event that the file needs to be modified. The encryption methodologies are interleaved, or alternated, with regard to each block of plaintext. In one illustrative embodiment, Plaintext Block Chaining (PBC) and Cipher Block Chaining (CBC) encryption methodologies are alternated for encrypting a sequence of blocks of data. The encryption of a block of plaintext is dependent upon the plaintext or a cipher generated for the plaintext of a previous block of data in the sequence of blocks of data so that the encryption is more secure than known Electronic Code Book encryption methodologies. | 12-18-2008 |
20090077661 | Method and Apparatus for the Reliability of Host Data Stored on Fibre Channel Attached Storage Subsystems - A method for improving the reliability of host data stored on Fibre Channel attached storage subsystems by performing end-to-end data integrity checks. When a read or write operation is initiated, an initial checksum for data in the read/write operation is generated and associated with the data, wherein the association exists through a plurality of layers of software and attached storage subsystems. The initial checksum is passed with the data in the read/write path. When a layer of software in the read/write path receives the initial checksum and data, the layer performs an integrity check of the data, which includes generating another checksum and comparing it to the initial checksum. If the checksums do not match, the read/write operation fails and the error is logged. If the checksums match, the integrity check is repeated through each layer in the read/write path to enable detecting data corruption at the point of source. | 03-19-2009 |
20090110198 | METHOD AND APPARATUS FOR RESTORING ENCRYPTED FILES TO AN ENCRYPTING FILE SYSTEM BASED ON DEPRECATED KEYSTORES - The present invention provides a computer implemented method, data processing system, and computer program product to restore an encrypted file. A computer receives a command to restore an encrypted file, wherein the encrypted file was previously backed up. The computer identifies a user associated with the encrypted file. The computer looks up a first keystore of the user based on the user, the first keystore having an active private key. The computer determines that a public key of the encrypted file fails to match an active public key of the first keystore. The computer restores a second keystore of the user to form a restored private key, wherein the second keystore was previously backed up. The computer responsive to a determination that the public key of the encrypted file fails to match the active public key of the first keystore, decrypts the encrypted file encryption key based on the restored private key to form a file encryption key. The computer encrypts the file encryption key with the active private key of the first keystore. | 04-30-2009 |
20090313677 | Mathematical definition of roles and authorizations in RBAC system - A process, apparatus and program product create a new role in a Role Based Access Control (RBAC) system by using mathematical operators with either one or more authorizations, or one or more existing roles, or a combination thereof. | 12-17-2009 |
20100043069 | Authorized Authorization Set in RBAC Model - The Authorized Authorization Set System comprising a modified operating system, a command table containing authorized authorization sets, and a modified RBAC security system, eliminates the need for inherited privileges that must be passed to subcommands in order for the command to run. The modified operating system accesses a table containing authorized authorization sets which identify the privileges for all subcommands within a command. When a user is assigned an accessauth for a command, and a sub-command is a privileged sub-command, the privileged sub-command is only run when the accessauth of the sub-command is included in the authorized authorization set of the command. | 02-18-2010 |
20100095127 | TUNABLE ENCRYPTION SYSTEM - A method, programmed medium and system are provided for enabling a user to choose a user-preferred encryption type from among a plurality of encryption types listed in a user's Kerberos configuration file. During the ticket granting process in a Kerberos system, a user is requested to select a preferred encryption type to be used in the Kerberos communication from among encryption types contained in the user's Kerberos configuration file. The user-selected encryption type is then implemented for use in encrypting a session ticket (as well as generating the session key of user requested encryption type) for use by the user machine in communicating securely with an Kerberized application server when being communicated by that particular user. Thus, the system allows different users to simultaneously communicate with the same Kerberized application server using a supported encryption type of the user's own choice. | 04-15-2010 |
20100325471 | HIGH AVAILABILITY SUPPORT FOR VIRTUAL MACHINES - A computer implemented method, a tangible computer storage medium, and a data processing system provide high availability support for virtual machines in a logical partitioned platform. A monitoring system detect a failure in the virtual machine. Partition management firmware then restarts the virtual machine in a consistency failover image node utilizing a consistency failover image. If a subsequent failure of the virtual machine is detected within a predetermined time, partition management firmware restarts the virtual machine in a boot failover image node utilizing a boot failover image. | 12-23-2010 |
20110154031 | Secure Kerberized Access of Encrypted File System - A file server receives a request from a client to mount an encrypted file system. The file server informs the client that the requested file system is encrypted and, in turn, receives a session ticket from the client that includes a security protocol mounting selection. The file server decrypts the client's user's encrypted private key, and then decrypts the requested encrypted file system using the private key. In turn, the file server sends the decrypted file system to the client over a secure channel, which is based upon the security protocol mounting selection. In one embodiment, a key distribution center server receives a request from the client for the client's user to access the encrypted file system at the file server. The key distribution center server retrieves an intermediate key; includes the intermediate key in a session ticket; and sends the session ticket to the client. | 06-23-2011 |
20120144235 | Reducing Application Downtime During Failover - Reducing application downtime during failover including identifying a critical line in the startup of an application, the critical line comprising the point in the startup of the application in which the application begins to use dependent resources; checkpointing the application at the critical line of startup; identifying a failure in the application; and restarting the application from the checkpointed application at the critical line. | 06-07-2012 |
20120204028 | Secure Kerberized Access of Encrypted File System - A file server receives a request from a client to mount an encrypted file system. The file server informs the client that the requested file system is encrypted and, in turn, receives a session ticket from the client that includes a security protocol mounting selection. The file server decrypts the client's user's encrypted private key, and then decrypts the requested encrypted file system using the private key. In turn, the file server sends the decrypted file system to the client over a secure channel, which is based upon the security protocol mounting selection. In one embodiment, a key distribution center server receives a request from the client for the client's user to access the encrypted file system at the file server. The key distribution center server retrieves an intermediate key; includes the intermediate key in a session ticket; and sends the session ticket to the client. | 08-09-2012 |
20120239975 | Reducing Application Downtime During Failover - Reducing application downtime during failover including identifying a critical line in the startup of an application, the critical line comprising the point in the startup of the application in which the application begins to use dependent resources; checkpointing the application at the critical line of startup; identifying a failure in the application; and restarting the application from the checkpointed application at the critical line. | 09-20-2012 |
20120246474 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR PRODUCT LICENSE MANAGEMENT - According to one aspect of the present disclosure, a method and technique for product license management for a clustered environment having a plurality of nodes is disclosed. The method includes unlocking a product on a first node of the plurality of clustered nodes; responsive to unlocking the product on the first node, indicating an unlocked status of the product on a shared storage device accessible to the plurality of clustered nodes; and transmitting a self-unlock message from the first node to remaining nodes of the cluster to enable the remaining nodes of the cluster to self-unlock the product on the respective remaining nodes based on the status indication of the shared storage device. | 09-27-2012 |
20120254607 | System And Method For Security Levels With Cluster Communications - A cluster of computing nodes communicate through an unsecure network by selectively sending information in encrypted and unencrypted formats. Heartbeat packets are sent between the computing nodes to coordinate operation of the computing nodes and using an encrypted format. Messages are selectively sent between the computing nodes with an encrypted or an unencrypted format based upon one or more predetermined factors, such as an end user selection, the type of message or the load at the computing nodes. | 10-04-2012 |
20120272051 | SECURITY KEY DISTRIBUTION IN A CLUSTER - Provided are techniques for the fast and reliable distribution of security keys within a cluster of computing devices, or computers. One embodiment provides a method for secure distribution of encryption keys, comprising generating a symmetric key for the encryption of communication among a plurality of nodes of a cluster of nodes; encrypting the symmetric key with a plurality of public keys, each public key corresponding to a particular node of the plurality of modes, to generate a plurality of encrypted symmetric keys; storing the plurality of encrypted symmetric keys in a central repository; and distributing the encrypted symmetric keys to the nodes such that each particular node receives an encrypted symmetric key corresponding to a corresponding public key of the particular node. | 10-25-2012 |
20120288096 | SECURITY KEY DISTRIBUTION IN A CLUSTER - Provided are techniques for the fast and reliable distribution of security keys within a cluster of computing devices, or computers. One embodiment provides a method for secure distribution of encryption keys, comprising generating a symmetric key for the encryption of communication among a plurality of nodes of a cluster of nodes; encrypting the symmetric key with a plurality of public keys, each public key corresponding to a particular node of the plurality of modes, to generate a plurality of encrypted symmetric keys; storing the plurality of encrypted symmetric keys in a central repository; and distributing the encrypted symmetric keys to the nodes such that each particular node receives an encrypted symmetric key corresponding to a corresponding public key of the particular node. | 11-15-2012 |
20130007504 | HIGH AVAILABILITY DATA STORAGE SYSTEMS AND METHODS - Provided are systems and methods for accessing a storage device from a node when a local connection failure occurs between the node and the storage device. A failure is determined to have occurred at a first node access path between a first node and a storage device that prevents an application at the first node from accessing the storage device from the first node access path. An access request is sent from the first node to a second node. The second node has a second node access path to the storage device. A determination is made that the second node can communicate with the storage device. The storage device is accessed by an application at the first node via the second node access path. | 01-03-2013 |
20130262915 | SYSTEMS AND METHODS FOR OPEN AND EXTENSIBLE INTEGRATION OF MANAGEMENT DOMAINS IN COMPUTATION AND ORCHESTRATION OF RESOURCE PLACEMENT - An aspect of this invention is a method that includes evaluating a computing environment by performing auditing of a fault tolerance ability of the computing environment to tolerate each of a plurality of failure scenarios; constructing a failover plan for each of the plurality of scenarios; identifying one or more physical resource limitations which constrain the fault tolerance ability; and identifying one or more physical resources to be added to the computing environment to tolerate each of the plurality of failure scenarios. | 10-03-2013 |
20140012721 | MANAGING USE OF LEASE RESOURCES ALLOCATED ON FALLOVER IN A HIGH AVAILABILITY COMPUTING ENVIRONMENT - Responsive to a cluster manager for a particular node from among multiple nodes allocating at least one leased resource for a resource group for an application workload on the particular node, on fallover of the resource group from another node to the particular node, setting a timer thread, by the cluster manager for the particular node, to track an amount of time remaining for an initial lease period of the at least one leased resource. Responsive to the timer thread expiring while the resource group is holding the at least one leased resource, maintaining, by the cluster manager for the particular node, the resource group comprising the at least one leased resource for an additional lease period and automatically incurring an additional fee, only if the particular node has the capacity to handle the resource group at a lowest cost from among the nodes. | 01-09-2014 |
20140013153 | MANAGING USE OF LEASE RESOURCES ALLOCATED ON FALLOVER IN A HIGH AVAILABILITY COMPUTING ENVIRONMENT - Responsive to a cluster manager for a particular node from among multiple nodes allocating at least one leased resource for a resource group for an application workload on the particular node, on fallover of the resource group from another node to the particular node, setting a timer thread, by the cluster manager for the particular node, to track an amount of time remaining for an initial lease period of the at least one leased resource. Responsive to the timer thread expiring while the resource group is holding the at least one leased resource, maintaining, by the cluster manager for the particular node, the resource group comprising the at least one leased resource for an additional lease period and automatically incurring an additional fee, only if the particular node has the capacity to handle the resource group at a lowest cost from among the nodes. | 01-09-2014 |
20140222992 | STORAGE SYSTEM BASED HOST COMPUTER MONITORING - The present invention includes establishing, by a storage system coupled to a first host computer via a storage area network (SAN), metrics indicating a status of the first host computer, and storing the indicated metrics to the storage system. A second host computer, coupled to the storage system via the storage area network, determines an availability of the first host computer based on the metrics. | 08-07-2014 |
20140223123 | STORAGE SYSTEM BASED HOST COMPUTER MONITORING - Methods, apparatus and computer program products implement embodiments of the present invention that include establishing, by a storage system coupled to a first host computer via a storage area network (SAN), metrics indicating a status of the first host computer, and storing the indicated metrics to the storage system. A second host computer, coupled to the storage system via the storage area network, determines an availability of the first host computer based on the metrics. | 08-07-2014 |