In current networks, such as enterprise networks that may communicate through both the world wide web (WWW) and local area networks (LAN), it is common to have a central database and/or one or more central servers. Various remote user devices, or remote clients, may access the central server in order to provide end-users with access to data and services available at or through the server.
For a more complete understanding of examples of the present disclosure, reference is now made to the following descriptions taken in connection with the accompanying drawings in which:
In various examples described herein, various types of security-related data, such as certificates (e.g., root certificate authority (CA) certificates), security preferences, user names and passwords, are synchronized between a remote client and a host server. In one example, synchronization of certificates may be effected by signaling a certificate fetch from the remote client to the host server. In other examples, the signal is a certificate fetch from the host server to the remote client. The certificate fetch causes retrieval, comparison and updating of the certificates to facilitate synchronization. Similar fetch commands may be used for synchronization of various other types of security-related data, for example.
Referring now to
In various examples, the system 100 may include one or more remote terminals, such as the client 110 from which end-users can access data and resources through the host server 120. In other examples, any number of clients may communicate with the host server 120 through the same or different networks, or through a direct connection with the host server 120.
In one example, the client 110 may be a terminal through which a user may form a remote desktop connection to the host server 120. Further, the client 110 may form a connection, through the host server 120, with other entities, such as other servers, other clients, databases or the like. In the example illustrated in
The remote client 110 illustrated in the example of
Certain applications or interactions over, e.g., the Internet, may entail complying with security requirements or measures. Accordingly, the use of certificates, such as certification authority (CA) certificates may be needed. A CA can refer to some entity, such as a third-party verification service, that issues such certificates, and may be considered a trusted entity by a subject or owner of a certificate and a party that relies upon the certificate. These certificates (that may contain a public key and identity of an owner) may be utilized to certify ownership of that public key by a named subject or owner of the certificate. This allows a relying party to rely upon, for example, digital signatures or assertions made by a private key that corresponds to the certified public key. Accordingly, in the example of
The host server 120 may be coupled to various other components, such as a database storing data and/or applications, that may be accessed by various end-users within the system 100. The database may contain server-side resources, such as various application software, programs, which may be pushed to a remote terminal computer in the network, for example. Additionally, remote desktop protocol (RDP) application software, which can be run by the host server 120 in order to allow connection by end-user devices (e.g., remote clients such as client 110) may be stored on the database and run by the host server 120.
In the example of
In various examples, the host server 120 may also be provided with a variety of applications for execution by a processor of the host server 120. As noted above with reference to the client 110, applications provided on the host server 120 may include, for example, a browser application 124 (e.g., Netscape, Internet Explorer, Mozilla, etc.). In other examples, the host server 120 may include applications such as a word processor (e.g., Microsoft Word), a spreadsheet application (e.g., Excel) or any other such application. The host server 120 may also include its own certificate store 126 similar to the certificate store 116 of the example remote client 110.
Referring now to
The apparatus 200 includes one or more outputs 204 such as a display for displaying a graphical user interface (GUI), one or more input devices 214 such as a keyboard and/or mouse, one or more central processing units (CPUs) 206, one or more communications interfaces 210 such as a wireless interface or an Ethernet or other wired interface, and one or more storage devices 208 such as a computer-readable medium.
The storage devices 208 may include one or more memory devices, such as random access memory (RAM), read only memory (ROM), erasable programmable ROM (EPROM), electrically EPROM (EEPROM), flash memory, or any other non-volatile or volatile memory. The storage devices 208 may store code including instructions for execution by a processor (e.g., CPU 206). For example, the storage devices 208 may store an operating system (OS) of the apparatus 200 and one or more application software programs, such as the remote desktop protocol for the server or client. The various components may be coupled to each other through a system bus 202, for example.
The various components of the example apparatus 200 of
In various examples, the CPU 206 of the apparatus 200 (e.g., host server) may execute one or more applications, such as a remote desktop application 220. Further, in the example illustrated in
In the context of remote desktop implementations, such as that described above, a virtual desktop infrastructure (VDI) in which desktop operating system instances may be hosted on a server running a hypervisor, or other desktop virtualizations, scenarios can arise where allowing certificates/root certificate bundles to be shared and/or synchronized between a client and server, e.g., the client 110 and the host server 120 of
In one example, the client 110 may communicate with the host server 120 to access various applications and/or data on or through the host server 120. However, scenarios may arise where the various applications accessed on or through the host server 120 require a certificate that is maintained on the client 110. Thus, in such an instance, it would be advantageous to synchronize the CA certificates between the client 110 and the host server 120 to allow for seamless operation therebetween.
In conventional systems, synchronizing certificates may entail a manual import/export process, where a system administrator can manually apply CA certificates to a system update, and subsequently distribute that system update to clients. However, such a manual import/export process requires that a system administrator constantly maintain a CA certificate bundle and also manually distribute it. While modern browsers may support the ability to recognize when a certificate is untrusted, thereby prompting a user to trust that server, the user is pestered every time a certificate is updated, and the user may not be aware of the complexities of certificate management and incorrectly allow a bad certificate. Further still, system policies may not allow the user to accept invalid certificates. Still other systems may provide the ability to share, e.g., browser settings, via a cloud profile service, but they do not allow for the synchronization of CA certificates in the manner alluded to previously.
Accordingly, various examples of the present disclosure may allow for sharing and/or synchronizing certificates, such as CA certificates, a root CA bundle, etc., between different entities, such as between a host server and client(s), between multiple client(s) or host servers, etc. That is, a synchronization tool (224 in
Referring now to
The secure connection may be a secure virtual channel, and may be established through/over a variety of arrangements, including a variety of networks, such as the Internet. As noted above, the establishment of the secure virtual channel (via virtual channel extension) may be performed in conjunction with, or be followed by, the execution of a remote desktop program, such as the Remote Desktop Protocol (RDP), using the remote desktop applications 112, 122 illustrated in
Client certificate identification information may be compared to server certificate identification information associated with the retrieved certificates (block 304). The retrieved certificates are updated (block 306). In various examples, the owner identity associated with the certificates on the host server may be updated to correspond to the remote client, the host server or both. In this regard, various examples may provide that the remote client and the host server each have an identical browser plugin. The browser plugin may identify each field of the certificate store that needs to be synchronized through, for example, a one-way hash. The plugin may then perform a read of the field contents and a correspondingly appropriate write of the contents. Both the remote client and the host server may be requested to present field identifiers for one or more relevant fields. The corresponding fields from the remote client and the host server may then be compared by the synchronization requesting entity (e.g., the host server). If any field identifiers in the comparison are different, the corresponding certificate is then synchronized.
In various examples, the updated certificates may be propagated to at least one of the client and the server to synchronize a client certificate store and a server certificate store (block 308). For example, on the client side, the updated certificates may be received and exported to the client via an export plugin that can identify the client CA store in which the updated certificates may be maintained. In various examples, the synchronization utilizes the virtual channel described above. In this regard, the fetching of certificates, including the comparison, reading and/or writing of content, may be performed via the virtual channel.
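The comparison-and-propagation steps of blocks 302 through 308 can be illustrated with a small Python model. This is an added example, not code from the disclosure or from any product it describes: it assumes each certificate store is a mapping from subject name to PEM text, that the "field identifier" each side presents is a SHA-256 hash of the entry, and that when both sides hold a different entry for the same subject the requesting entity's copy (here the host server) wins. The PEM strings are constructed placeholders, not real certificates.

```python
# Added example (not part of the original disclosure): two-way synchronization of a
# client and a server certificate store by comparing per-entry one-way hashes.
# Store layout, the hash used as the "field identifier" and the conflict policy
# are assumptions of this example.
import hashlib
from dataclasses import dataclass, field

# Constructed sample entries; the bodies are placeholders, not real certificates.
CLIENT_STORE = {
    "Example Root CA": "-----BEGIN CERTIFICATE-----\nplaceholder-client-copy-v1\n-----END CERTIFICATE-----\n",
    "Corp Intermediate CA": "-----BEGIN CERTIFICATE-----\nplaceholder-intermediate\n-----END CERTIFICATE-----\n",
}
SERVER_STORE = {
    "Example Root CA": "-----BEGIN CERTIFICATE-----\nplaceholder-server-copy-v2\n-----END CERTIFICATE-----\n",
    "Partner Root CA": "-----BEGIN CERTIFICATE-----\nplaceholder-partner\n-----END CERTIFICATE-----\n",
}


def field_identifier(pem):
    """One-way hash over an entry; this is what each side presents so the
    requester can compare stores without first shipping every certificate."""
    return hashlib.sha256(pem.encode("utf-8")).hexdigest()


def present_identifiers(store):
    """Blocks 302/304: a side reports subject -> field identifier."""
    return {subject: field_identifier(pem) for subject, pem in store.items()}


def is_pem_certificate(pem):
    """Minimal well-formedness check before an entry is written to a store."""
    return (pem.startswith("-----BEGIN CERTIFICATE-----")
            and pem.rstrip().endswith("-----END CERTIFICATE-----"))


@dataclass
class SyncPlan:
    to_client: dict = field(default_factory=dict)   # subject -> PEM to write on client
    to_server: dict = field(default_factory=dict)   # subject -> PEM to write on server
    conflicts: list = field(default_factory=list)   # subjects present on both with different content


def plan_sync(client_store, server_store, prefer="server"):
    """Compare the two identifier sets and decide what moves where.
    'prefer' resolves same-subject conflicts; 'server' is the assumed default."""
    client_ids = present_identifiers(client_store)
    server_ids = present_identifiers(server_store)
    plan = SyncPlan()
    for subject in sorted(set(client_ids) | set(server_ids)):
        c_id = client_ids.get(subject)
        s_id = server_ids.get(subject)
        if c_id == s_id:
            continue                      # identifiers match: already in sync
        if c_id is None:
            plan.to_client[subject] = server_store[subject]   # missing on client
        elif s_id is None:
            plan.to_server[subject] = client_store[subject]   # missing on server
        else:
            plan.conflicts.append(subject)                    # both have it, different bytes
            if prefer == "server":
                plan.to_client[subject] = server_store[subject]
            else:
                plan.to_server[subject] = client_store[subject]
    return plan


def apply_sync(client_store, server_store, prefer="server"):
    """Blocks 306/308: write the planned entries into copies of both stores
    (the export-plugin step). Malformed entries are skipped, not imported."""
    plan = plan_sync(client_store, server_store, prefer)
    new_client, new_server = dict(client_store), dict(server_store)
    for subject, pem in plan.to_client.items():
        if is_pem_certificate(pem):
            new_client[subject] = pem
    for subject, pem in plan.to_server.items():
        if is_pem_certificate(pem):
            new_server[subject] = pem
    return new_client, new_server, plan


if __name__ == "__main__":
    synced_client, synced_server, plan = apply_sync(CLIENT_STORE, SERVER_STORE)
    print("conflicts:", plan.conflicts)
    print("in sync:", present_identifiers(synced_client) == present_identifiers(synced_server))
```

Running the sync once brings the two stores to identical identifier sets, and a second run produces an empty plan, which is the property a periodic fetch over the virtual channel relies on. In a real deployment the well-formedness check would be replaced by actual certificate parsing and a check that the entry is a CA certificate before it is written into a trust store, since anything accepted here becomes a trust anchor on the receiving side.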
As noted above, the example process 300 of
While the above-described examples relate to synchronization of certificates and certificate stores, other examples may similarly be applied for synchronization of various other types of security-related data. For example, in various other examples, security preferences may be similarly synchronized. Other data that may be synchronized may include, but are not limited to, secure user names and/or passwords, access history information (e.g., various windows), etc.
Systems and methods are provided in accordance with various examples that allow for certificate synchronization between at least a client and a server to be accomplished efficiently and automatically. That is, mutual synchronization of certificate stores may ensure that, e.g., manual operations such as browser certificate imports on either side (client or server), need not result in “out of sync” certificate information. Moreover, CA store hosting issues may also be addressed, such as the Institute of Electrical and Electronics Engineers (IEEE) 802 family of standards (e.g., WiFi, WiMAX, etc.) and client wireless configuration, system update authentication, etc., by providing a secure mechanism for synchronizing CA certificates between a plurality of clients.
Various examples described herein are described in the general context of method steps or processes, which may be implemented in one example by a software program product or component, embodied in a machine-readable medium, including executable instructions, such as program code, executed by entities in networked environments. Generally, program modules may include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Executable instructions, associated data structures, and program modules represent examples of program code for executing steps of the methods disclosed herein. The particular sequence of such executable instructions or associated data structures represents examples of corresponding acts for implementing the functions described in such steps or processes.
The foregoing description of various examples has been presented for purposes of illustration and description. The foregoing description is not intended to be exhaustive or limiting to the precise form disclosed, and modifications and variations are possible in light of the above teachings or may be acquired from practice of various examples. The examples discussed herein were chosen and described in order to explain the principles and the nature of various examples and their practical application to enable one skilled in the art to utilize the various examples with various modifications as are suited to the particular use contemplated. The features of the examples described herein may be combined in all possible combinations of methods, apparatus, modules, systems and computer program products.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/US2013/024038 | 1/31/2013 | WO | 00 |