Title of invention: Using key material protocol services transparently
Abstract: An application that consumes key management information (e.g., keys and certificates) through a conventional keystore API is configured to recognize a new keystore type. In addition, the services of that API are pointed to a management server component associated with a key management protocol (e.g., KMIP), and a client component of the key management protocol is instantiated as a "semi-remote" keystore in association with the application. Once configured to use the new keystore type, the consuming application uses the keystore API in a conventional manner, but calls to the new keystore type are directed to the KMIP client. The client intercepts these calls and then interacts with the KMIP server on behalf of the consuming application, without the application being aware of the interaction over the KMIP client-server API. This approach enables the consuming application to take advantage of the full benefits provided by the key management protocol transparently.
Publication number: US9553720 (B2); Publication date: 2017.01.24
Application number: US201314138461; Filing date: 2013.12.23
Applicant: International Business Machines Corporation; Inventors: Rich Bruce Arland; Arnold Gordon Kent; Benjamin Thomas Harry; Peck John Thomas
Classification codes: H04L29/06; H04L9/08; G06F21/60; Main classification: H04L29/06
Agency: (none listed); Agents: Zarick Gail H.; Judson David H.
Main claim: 1. A method for managing key material, comprising: configuring an application that uses a first application programming interface (API) to manage key material to instead use a second application programming interface, the second API associated with a key management protocol having a client component, and a server component, wherein configuring the application augments the first API to include a given keystore type and associates the client component with first API calls directed to the given keystore type; responsive to the application making a call to the given keystore type over the first API to perform a key management operation, intercepting the call to the given keystore type and instead issuing a call from the client component to the server component over the second API, wherein the call to the server component over the second API is carried out transparently to the application; and receiving a response to the second API call to facilitate the key management operation at the application, the response having been generated at least in part using the server component; wherein the executing step is carried out in software executing in a hardware element.
Address: Armonk NY US
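The interception described in the abstract and in claim 1, as an added example that is not code from the patent or from IBM: a Java KeyStore type named "KMIP" is registered through a JCA Provider, and its KeyStoreSpi forwards every keystore call to a KMIP client, so the application keeps using the ordinary KeyStore API and only the type string changes. The KMIP client here is a hypothetical stub whose in-memory map stands in for the server (a real client would issue Get, Register, Locate and Destroy requests over TLS); the names KmipClientStub, KmipKeyStoreSpi and KmipProvider and the alias "db-key" are constructed for this example.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreSpi;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.crypto.spec.SecretKeySpec;

public class KmipKeyStoreDemo {

    /** Hypothetical stand-in for the KMIP client component. The Map plays the role of the
     *  KMIP server; a real client would send the corresponding KMIP requests over the network
     *  and map keystore aliases to KMIP unique identifiers. */
    static final class KmipClientStub {
        private final Map<String, byte[]> server = new HashMap<>();
        KmipClientStub() {
            server.put("db-key", new byte[16]);   // constructed sample: a 16-byte AES key on the "server"
        }
        byte[] get(String uid) { return server.get(uid); }                       // KMIP Get
        void register(String uid, byte[] material) { server.put(uid, material); } // KMIP Register
        void destroy(String uid) { server.remove(uid); }                          // KMIP Destroy
        Set<String> locate() { return server.keySet(); }                          // KMIP Locate
    }

    /** The "semi-remote" keystore: the first-API (KeyStore) calls land here and are turned
     *  into second-API (KMIP) calls. Nothing is ever written to a local keystore file. */
    public static final class KmipKeyStoreSpi extends KeyStoreSpi {
        private final KmipClientStub client = new KmipClientStub();

        @Override public Key engineGetKey(String alias, char[] password) {
            byte[] raw = client.get(alias);
            return raw == null ? null : new SecretKeySpec(raw, "AES");
        }
        @Override public void engineSetKeyEntry(String alias, Key key, char[] pw, Certificate[] chain) {
            client.register(alias, key.getEncoded());
        }
        @Override public void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain) {
            client.register(alias, key);
        }
        @Override public void engineDeleteEntry(String alias) { client.destroy(alias); }
        @Override public Enumeration<String> engineAliases() { return Collections.enumeration(client.locate()); }
        @Override public boolean engineContainsAlias(String alias) { return client.locate().contains(alias); }
        @Override public int engineSize() { return client.locate().size(); }
        @Override public boolean engineIsKeyEntry(String alias) { return engineContainsAlias(alias); }
        // Certificate entries are out of scope for this example; the KMIP server holds symmetric keys only.
        @Override public Certificate[] engineGetCertificateChain(String alias) { return null; }
        @Override public Certificate engineGetCertificate(String alias) { return null; }
        @Override public Date engineGetCreationDate(String alias) { return null; }
        @Override public void engineSetCertificateEntry(String alias, Certificate cert) {
            throw new UnsupportedOperationException("certificate entries not supported in this example");
        }
        @Override public boolean engineIsCertificateEntry(String alias) { return false; }
        @Override public String engineGetCertificateAlias(Certificate cert) { return null; }
        // State lives on the KMIP server, so there is no local file to load or store.
        @Override public void engineStore(OutputStream stream, char[] password) { }
        @Override public void engineLoad(InputStream stream, char[] password) { }
    }

    /** The configuration step of claim 1: augment the KeyStore API with the new "KMIP" type. */
    public static final class KmipProvider extends Provider {
        public KmipProvider() {
            super("KmipDemo", "1.0", "Example KeyStore type backed by a KMIP client");
            put("KeyStore.KMIP", KmipKeyStoreSpi.class.getName());
        }
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new KmipProvider());

        // From here on this is unchanged application code; "KMIP" replaces e.g. "JKS" or "PKCS12".
        KeyStore ks = KeyStore.getInstance("KMIP");
        ks.load(null, null);                                   // no local file to read
        Key k = ks.getKey("db-key", null);                     // intercepted -> KMIP Get on the app's behalf
        System.out.println("db-key: " + k.getAlgorithm() + ", " + k.getEncoded().length + " bytes");

        ks.setKeyEntry("new-key", new SecretKeySpec(new byte[32], "AES"), null, null); // -> KMIP Register
        System.out.println("aliases: " + Collections.list(ks.aliases()));
        ks.deleteEntry("new-key");                             // -> KMIP Destroy
        System.out.println("size after delete: " + ks.size());
    }
}
```

The application never sees the KMIP exchange: it calls getKey, setKeyEntry and deleteEntry exactly as it would against a file-backed keystore, while the SPI decides which KMIP operation each call becomes. In a real deployment the stub would be replaced by a client that authenticates to the KMIP server over TLS and keeps the alias-to-identifier mapping; because engineLoad and engineStore do nothing locally, no key material is persisted on the application host, which is the property that makes the transparent swap attractive from a key-custody standpoint.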