1. Technical Field
Disclosed systems and methods relate to the use of policy wrappers for computer applications.
2. Description of the Related Art
Traditionally, enterprises or businesses set up their own enterprise network to allow their users to access computer applications, to access the Internet, to communicate with one another, to store and access files from an enterprise storage, to print files, and to share other network resources. An enterprise will often have a main office location and one or more remote office locations. The main office location typically provides the enterprise network. The different remote office locations are able to connect to the enterprise network at the main office location over a public communication network such as the Internet. In addition, users who are working away from the main office location and the different remote office locations can also remotely connect their computers to the enterprise network at the main office location over the Internet.
Security is a major concern for enterprises that allow remote office locations and remote users to connect to the enterprise network at the main office location over the Internet. Enterprises need to be able to provide a secure network in order to keep data that its users generate, send, receive, and/or access confidential. In particular, any data exchanged over the Internet among the main office location, the remote office locations, and the remote users needs to be protected to prevent unauthorized users from intercepting this data.
One known approach to provide an enterprise with a secure network is to use a virtual private network (VPN). The VPN allows remote office locations and remote users to securely connect to, and communicate with, an enterprise network at the main office location. The VPN requires that the remote office locations and remote users be authenticated before connecting to the enterprise network at the main office location. In addition, the VPN provides a firewall and applies encryption techniques to data that is to be exchanged over the Internet. This data is in the form of IP packets. The VPN provides security by re-routing these IP packets through a trusted route over the Internet to the enterprise network.
The VPN has limitations. For an enterprise, implementing the VPN is invasive and difficult to set up correctly. In addition, the VPN only re-routes IP packets. Furthermore, the VPN re-routes IP packets in the same way to the same destination for all computer applications operating on a given computer.
Therefore, there is a need in the art to provide more flexibility in the types of information being securely exchanged over the Internet, and which can be customized for different computer applications. In particular, there is a need in the art to provide systems and methods for the use of policy wrappers for computer applications.
Accordingly, it is desirable to provide methods and systems that overcome these and other deficiencies of the related art.
In accordance with the disclosed subject matter, systems and methods are provided for the use of policy wrappers for computer applications.
Disclosed subject matter includes a non-transitory computer readable medium having executable instructions. The executable instructions are operable to cause a client device to receive an application programming interface (API) call to communicate information from a computer application to an enterprise over a communication network and to determine whether the computer application has associated with it a policy wrapper comprising a policy that specifies how to handle the API call from the computer application. When the computer application has the policy wrapper associated with it, the executable instructions are further operable to cause the client device to retrieve the policy for the policy wrapper associated with the computer application and to implement the API call by securely communicating the information from the computer application to the enterprise over the communication network based on the policy.
Disclosed subject matter includes an apparatus comprising one or more interfaces configured to provide communication with an enterprise via a communication network; and a processor, in communication with the one or more interfaces, and configured to run a module stored in memory. The module is configured to receive an application programming interface (API) call to communicate information from a computer application to the enterprise over the communication network and to determine whether the computer application has associated with it a policy wrapper comprising a policy that specifies how to handle the API call from the computer application. When the computer application has the policy wrapper associated with it, the module is further configured to retrieve the policy for the policy wrapper associated with the computer application and to implement the API call by securely communicating the information from the computer application to the enterprise over the communication network based on the policy.
Disclosed subject matter includes a method comprising receiving an application programming interface (API) call to communicate information from a computer application to an enterprise over a communication network and determining whether the computer application has associated with it a policy wrapper comprising a policy that specifies how to handle the API call from the computer application. When the computer application has the policy wrapper associated with it, the method further comprises retrieving the policy for the policy wrapper associated with the computer application and implementing the API call by securely communicating the information from the computer application to the enterprise over the communication network based on the policy.
There has thus been outlined, rather broadly, the features of the disclosed subject matter in order that the detailed description thereof that follows may be better understood, and in order that the present contribution to the art may be better appreciated. There are, of course, additional features of the disclosed subject matter that will be described hereinafter and which will form the subject matter of the claims appended hereto.
In this respect, before explaining at least one embodiment of the disclosed subject matter in detail, it is to be understood that the disclosed subject matter is not limited in its application to the details of construction and to the arrangements of the components set forth in the following description or illustrated in the drawings. The disclosed subject matter is capable of other embodiments and of being practiced and carried out in various ways. Also, it is to be understood that the phraseology and terminology employed herein are for the purpose of description and should not be regarded as limiting.
As such, those skilled in the art will appreciate that the conception, upon which this disclosure is based, may readily be utilized as a basis for the designing of other structures, methods and systems for carrying out the several purposes of the disclosed subject matter. It is important, therefore, that the claims be regarded as including such equivalent constructions insofar as they do not depart from the spirit and scope of the disclosed subject matter.
These together with the other objects of the disclosed subject matter, along with the various features of novelty which characterize the disclosed subject matter, are pointed out with particularity in the claims annexed to and forming a part of this disclosure. For a better understanding of the disclosed subject matter, its operating advantages and the specific objects attained by its uses, reference should be had to the accompanying drawings and descriptive matter in which there are illustrated preferred embodiments of the disclosed subject matter.
Various objects, features, and advantages of the disclosed subject matter can be more fully appreciated with reference to the following detailed description of the disclosed subject matter when considered in connection with the following drawings, in which like reference numerals identify like elements.
In the following description, numerous specific details are set forth regarding the systems and methods of the disclosed subject matter and the environment in which such systems and methods may operate, etc., in order to provide a thorough understanding of the disclosed subject matter. It will be apparent to one skilled in the art, however, that the disclosed subject matter may be practiced without such specific details, and that certain features, which are well known in the art, are not described in detail in order to avoid complication of the subject matter of the disclosed subject matter. In addition, it will be understood that the examples provided below are exemplary, and that it is contemplated that there are other systems and methods that are within the scope of the disclosed subject matter.
The disclosed subject matter relates to systems and methods for providing policy wrappers to computer applications. An enterprise can apply a policy wrapper to any computer application provided to an enterprise user. A policy wrapper includes a set of policies (e.g., rules, requirements, restrictions, instructions, guidelines, conditions) for how to handle different application programming interface (API) calls from a computer application. The policies can specify requirements for the authentication of an enterprise user, a user's computing device, and/or a remote office location before accessing a computer application and/or implementing an API call from the computer application. The policies can provide a firewall and/or apply encryption techniques to the information from the API calls that is to be communicated over the Internet. The policies can specify how to handle different types of API calls, such as the re-routing, modification, or recording of IP packets, the storage of data, the displaying of data, the printing of data, or any other suitable data and/or actions. The different types of data and/or actions can be treated the same or differently. The policies can further distinguish between a user's enterprise-related information and the user's personal information, and specify the locations to which the information should be directed. The different types of information can be re-routed to the same or different locations. The policies can further specify that any enterprise-related information be re-routed only to an enterprise-authorized resource, such as an enterprise server, client (computing device), storage (e.g., a physical storage medium, cloud storage, database), printer, photocopier, website, or any other suitable network resource or combination of network resources. Any other suitable policy or combination of policies can be provided in the policy wrapper.
In accordance with the disclosed subject matter, the policy wrapper can be specified and/or provided by any suitable party or combination of parties. The party can be an enterprise, an enterprise user, a provider of a computer application, or an authorized third-party. In one embodiment, there can be one policy wrapper associated with a computer application. The policy wrapper can be provided by one party or a combination of different parties. In another embodiment, there can be more than one policy wrapper associated with a computer application. Each policy wrapper can be provided by one party or a combination of parties. One or more policy wrappers may be applied to a computer application, which can depend on the user, the enterprise to which the user desires to communicate with, and/or the type of information to be communicated. In one embodiment, a different policy wrapper or combination of policy wrappers can be applied to different computer applications. In another embodiment, a common policy wrapper or combination of policy wrappers can be applied to different computer applications. In yet another embodiment, a policy wrapper can be applied to a suite of computer applications. In a further embodiment, the same or different policy wrapper can be applied to the same computer application that is installed on different computing devices.
In accordance with the disclosed subject matter, the policy wrapper can be applied to any suitable computer application or combination of computer applications to which an enterprise provides to a user, allows a user to have access, and/or installs on a user's computing device. For example, the computer application can include any text program (e.g., Microsoft Word), presentation program (e.g., Microsoft PowerPoint), spreadsheet program (e.g., Microsoft Excel), electronic-mail (e-mail) communication program (e.g., Microsoft Outlook), Instant messaging (IM) program, document management system (e.g., iManage, Worksite), application software for files (e.g., Adobe Acrobat), graphics editing program (e.g., Adobe Photoshop), time entry system (e.g., DTE, Carpe Diem), web browser (e.g., Internet Explorer, Safari, Mozilla Firefox), software developer tool, games, mobile application (e.g., Dropbox, Evernote), or any other suitable computer application or combination of computer applications. The computer application can also include any suitable application for a Windows, Mac, Linux, Unix, iOS, Windows Phone, Android-based operating system, or any other suitable operating system. The computer application can also include any suitable application for a desktop computer, mobile computer, tablet computer (e.g., iPad, Android-based tablet, Nook Tablet, Kindle Fire), cellular device (e.g., a smartphone such as a Blackberry, iPhone, Android-based smartphone), or any other suitable computing device. The computer application can further include any suitable application that a user can access through the web browser (e.g., e-mail program such as Gmail).
In accordance with the disclosed subject matter, the enterprise user can be any user or device authorized to access the enterprise network. The authorized user can include an employee, consultant, independent contractor, and third-party service provider. The user can access the enterprise network using a computing device. The computing device can be a work-issued or personal device such as a desktop computer, a mobile computer, a tablet computer, and a cellular device. In order to be able to access a computer application that needs access to the enterprise network, the user may first need to be authenticated. The user may first have to enter log-in credentials, including a user name, password, key, and/or any other suitable information or combination of information. In one embodiment, the user may have to enter log-in credentials once. In another embodiment, the user may have to enter log-in credentials each time the user opens a computer application that has an associated policy wrapper.
In accordance with the disclosed subject matter, a policy wrapper can be applied to any computer application at any time. In one embodiment, a policy wrapper can be applied to a computer application before the computer application is sold or licensed to an enterprise. In another embodiment, a policy wrapper can be applied to a computer application before the computer application is installed on the enterprise network and/or on a user's computing device. In yet another embodiment, a policy wrapper can applied to a computer application after the computer application has been installed on a user's computing device. A software update can be sent, or downloaded, to the user's computer device, which is then installed and associated with a computer application. This can be done automatically, may require a user to authorize the installation, and/or may require an enterprise network administrator to authorize the installation.
In accordance with the disclosed subject matter, a policy wrapper can be software, hardware, or a combination of software and hardware. In one embodiment, the software for the policy wrapper can be integrated with the software for the computer application. In another embodiment, the software for the policy wrapper can be separate from the software for the computer application, but include a link that associates the policy wrapper with the computer application.
The disclosed subject matter provides advantages for enterprises and the enterprise user. The use of policy wrappers for computer applications provides a secure way for remote office locations and remote users to securely communicate with the enterprise network at the main office location or via an enterprise cloud. This approach is less invasive and easier to set up correctly than for the virtual private network (VPN). This approach also provides more flexibility in the types of information that can be securely exchanged over the Internet. For example, this approach allows the re-routing, modification, or recording of IP packets, the storage of data, the displaying of data, the printing of data, or any other suitable data and/or actions. This approach can also be customized for different API calls, for different computer applications, and/or for different computing devices. For example, different computer applications can have different types of information being re-routed to different locations. This approach can also distinguish between a user's enterprise-related information and the user's personal information, and re-route the information to different locations accordingly.
The enterprise main office 100 includes at least one device 102 (e.g., device 102-1, 102-2, . . . 102-N), an enterprise server 104, at least one physical storage medium 106, and a VPN server or appliance 108. In one embodiment, each device 102 can be any suitable client device that allows any enterprise user to directly connect to the enterprise network. Each device 102 can include a desktop computer, a mobile computer, a tablet computer, a cellular device, or any other computing device having a processor and memory. In another embodiment, one or more of the devices 102 can include a network resource to which an enterprise user can connect, including a printer, a photocopier, or any other network resource having a processor and memory.
Each device 102 can communicate with the enterprise server 104 to send data to, and to receive data from, another device 102 and/or other network nodes (including devices at the enterprise remote office 112 and/or device 116) across the communication network 110. Although
The enterprise server 104 is coupled to at least one physical storage medium 106 for the enterprise. Any enterprise user, from enterprise main office 100 (using any device 102), from enterprise remote office 112, and device 116, can store data in, and access data from, the physical storage medium 106 via the enterprise server 104.
The VPN server 108 is coupled to the enterprise server 104 and allows for secure communications between the enterprise main office 100 and the enterprise remote office 112, and between the enterprise main office 100 and any device 116, over the communication network 110. The VPN server 108 provides security by re-routing such communications through a trusted route over the communication network 110. The VPN server 108 can be software, hardware, or a combination of software and hardware.
The communication network 110 can include the Internet, a cellular network, a telephone network, a computer network, a packet switching network, a line switching network, a local area network (LAN), a wide area network (WAN), a global area network, or any number of private networks currently referred to as an Intranet, and/or any other network or combination of networks that can accommodate data communication. Such networks may be implemented with any number of hardware and software components, transmission media and network protocols.
The enterprise remote office 112 can remotely connect to the enterprise main office 100 via the communication network 110. Although not shown, the enterprise remote office 112 can include an arrangement similar to that shown and described in connection with the enterprise main office 100. The enterprise remote office 112 includes at least one device (similar to device 102), an enterprise remote server (similar to enterprise server 104), and a VPN server or appliance 114. The enterprise remote office 112 can have its own physical storage medium (similar to physical storage medium 106) and/or can share the physical storage medium 106 at the enterprise main office 100. The VPN server 114 is coupled to the enterprise remote server and allows for secure communications between the enterprise remote office 112 and the enterprise main office 100, and between the enterprise remote office 112 and any device 116, over the communication network 110. The VPN server 114 is similar to that shown and described in connection with the VPN server 108.
Each device 116 can be any suitable client device that allows any enterprise user to remotely connect to the enterprise main office 100 and/or enterprise remote office 112 via the communication network 110. Each device 116 can include a desktop computer, a mobile computer, a tablet computer, a cellular device, or any other computing device having a processor and memory. Each device 116 can run VPN software, hardware, or a combination of software or hardware, which allows for secure communications between the device 116 and the enterprise main office 100, and between the device 116 and the enterprise remote office 112, over the communication network 110.
The enterprise main office 300 includes at least one device 302 (e.g., device 302-1, 302-2, . . . 302-N), an enterprise server 304, at least one physical storage medium 306, and a cloud storage 308. In one embodiment, each device 302 can be any suitable client device that allows any enterprise user to directly connect to the enterprise network. Each device 302 can include a desktop computer, a mobile computer, a tablet computer, a cellular device, or any other computing device having a processor and memory. In another embodiment, one or more of the devices 302 can include a network resource to which an enterprise user can connect, including a printer, a photocopier, or any other suitable network resource having a processor and memory.
Each device 302 can communicate with the enterprise server 304 to send data to, and to receive data from, another device 302 and/or other network nodes (including devices at the enterprise remote office 312 and/or device 316) across communication network 310. Although
The enterprise server 304 is coupled to at least one physical storage medium 306 for the enterprise. Any enterprise user, from enterprise main office 300 (using any device 302), from enterprise remote office 312, and device 316, can store data in, and access data from, the physical storage medium 306 via the enterprise server 304.
The communication network 310 can include the Internet, a cellular network, a telephone network, a computer network, a packet switching network, a line switching network, a local area network (LAN), a wide area network (WAN), a global area network, or any number of private networks currently referred to as an Intranet, and/or any other network or combination of networks that can accommodate data communication. Such networks may be implemented with any number of hardware and software components, transmission media and network protocols.
The enterprise remote office 312 can remotely connect to the enterprise main office 300 via the communication network 310. Although not shown, the enterprise remote office 312 can include an arrangement similar to that shown and described in connection with the enterprise main office 300. The enterprise remote office 312 includes at least one device (similar to device 302) and an enterprise remote server (similar to enterprise server 304). The enterprise remote office 312 can have its own physical storage medium (similar to physical storage medium 306) and/or can share the physical storage medium 306 at the enterprise main office 300.
Each device 316 can be any suitable client device that allows any enterprise user to remotely connect to the enterprise main office 300 and/or enterprise remote office 312 via the communication network 310. Each device 316 can include a desktop computer, a mobile computer, a tablet computer, a cellular device, or any other computing device having a processor and memory. Each device 316 (in addition to each device 302 at the enterprise main office 300 and device at the enterprise remote office 312) can run one or more computer applications that applies policies from a policy wrapper associated with the computer applications to securely communicate to the enterprise over the communication network 310.
A policy wrapper 410 can be associated with the computer application 402. The policy wrapper 410 can specify how to handle the communication of the different API calls (via APIs 404, 406, and 408) over the communication network. The policy wrapper 410 can include policies that apply the same or different authentication, firewall, and encryption techniques on the different APIs 404, 406 and 408. The policy wrapper 410 can also specify the same or different re-routing, modification, or recording of IP packets, the storage of data, the displaying of data, the printing of data, or any other suitable data and/or actions on the different APIs 404, 406, and 408. The different types of data and/or actions can be treated the same or differently.
In one embodiment, by applying the policies specified in the policy wrapper 410, the computer application 402, through APIs 404, 406, and 408, can be tricked into thinking that the data and/or action is being communicated to one location when the data and/or action is actually being communicated to another location. For example, the computer application 402, through API 404, can be tricked into thinking that the data and/or action is being communicated to location 412, when the data and/or action is actually being communicated to location 414. The computer application 402, through API 406, can be tricked into thinking that the data and/or action is being communicated to location 416, when the data and/or action is actually being communicated to location 418. The computer application 402, through API 408, can be tricked into thinking that the data and/or action is being communicated to location 420, when the data and/or action is actually being communicated to location 422. The policy wrapper 410 provides a secure route for data and/or actions to be communicated over the communication network to one or more locations 414, 418, and 422.
The locations 414, 418, and 422 can be any suitable location or combination of locations The locations 414, 418, and 422 can be the same location or different locations, and can be within or external to the enterprise. For example, the locations 414, 418, and 422 can be any one or more of the devices 102/302, physical storage medium 106/306, or cloud storage 308 within the enterprise main office 100/300, similar components in the enterprise remote office 112/312, cloud storage 314, or any other suitable location or combination of locations.
A policy wrapper can be associated with each computer application 502 and 506. For example, a policy wrapper 504 can be associated with computer application 502 and a policy wrapper 508 can be associated with computer application 506. Each policy wrapper 504 and 508 can specify how to handle the communication of the different API calls for the respective computer applications 502 and 506 over the communication network. The policy wrappers 504 and 508 can be similar to that shown and described in connection with policy wrapper 410 (
In one embodiment, by applying the policies specified in the policy wrappers 504 and 508, the respective computer applications 502 and 506, through their APIs, can be tricked into thinking that the data and/or actions are being communicated to one location when the data and/or actions are actually being communicated to another location. For example, the computer application 502, through its APIs, can be tricked into thinking that the data and/or actions are being communicated to locations 510, 516, and/or 520, when the data and/or actions are actually being communicated to respective locations 512, 518, and 522. The computer application 506, through one of its APIs, can be tricked into thinking that the data and/or action is being communicated to location 510, when the data and/or action is actually being communicated to location 514. In another embodiment, the computer application 506, through another of its APIs, can communicate the data and/or action to location 522. The policy wrappers 504 and 508 can provide a secure route for data and/or actions to be communicated over the communication network to one or more locations 512, 514, 518 and 522. The policy wrapper 508 can also provide an unsecure route for certain data and/or actions to be communicated over the communication network to location 522.
The locations 512, 514, 518, and 522 can be any suitable location or combination of locations In one embodiment, the locations 512, 514, and 518 can be the same location or different locations, and can be within or external to the enterprise. For example, the locations 512, 514, and 518 can be any one or more of the devices 102/302, physical storage medium 106/306, or cloud storage 308 within the enterprise main office 100/300, similar components in the enterprise remote office 112/312, cloud storage 314 designated for the enterprise, or any other suitable location or combination of locations. In another embodiment, the location 522 can be different from locations 512, 514, and 518, and can be external to the enterprise. For example, the location 522 can be cloud storage 314 for public storage.
The policy wrappers 504 and/or 508 can include policies that can distinguish between a user's enterprise-related information and the user's personal information. For example, the policies can specify that certain computer applications provide only enterprise-related information (e.g., an enterprise's data management system, e-mail communication system, time entry system), or that certain data and/or actions within a computer application provide enterprise-related information. Depending on whether the information is enterprise-related or personal, the policy wrapper can decide how to handle the information. For example, enterprise-related information may be securely re-routed to a location within the enterprise while personal information may be unsecurely routed to a location external to the enterprise.
A VPN module 906 is configured to allow an enterprise user at device 900 to remotely connect to the enterprise (e.g., enterprise main office 100/300, enterprise remote office 112/312) over the communication network (e.g., communication network 110/310). The VPN module 906 can further be configured to allow any enterprise user at device 900 to communicate information with device 102/302, server 104/304, physical storage medium 106/306, cloud storage 308, or cloud storage 314 designated for the enterprise.
A computer application module 908 is configured to allow an enterprise user at device 900 to access one or more computer applications. The computer application can require the communication of information local or external to the device 900. The computer application can require the communication of information over the communication network within or external to the enterprise. The computer application can allow the enterprise user to generate and/or access enterprise-related information or personal information.
An API module 910 is configured to allow an enterprise user at device 900 to communicate information from a computer application local or external to the device 900. The API module 910 can support the re-routing, modification, or recording of IP packets, the storage of data, the displaying of data, the printing of data, or any other suitable data and/or actions through one or more APIs associated with each computer application.
A policy wrapper module 912 is configured to associate one or more policy wrappers with one or more computer applications. Each policy wrapper can have associated with it one or more policies that can specify how to handle the communication of the different API calls from different computer applications over the communication network. The policy wrapper module 912 can further be configured to apply the one or more policies to each type or group of API calls for each computer application or group of computer applications. In one embodiment, the policy wrapper module 912 can be configured to perform the steps shown and described in connection with
The VPN module 906, computer application module 908, API module 910, and policy wrapper module 912 can be implemented in software, which may be stored in memory 904.
An interface 914 provides an input and/or output mechanism to communicate over a network. The interface 914 enables communication with servers, as well as other network nodes in the communication network 110/310. The interface 914 is implemented in hardware to send and receive signals in a variety of mediums, such as optical, copper, and wireless, and in a number of different protocols some of which may be non-transient.
The client device 900 can include user equipment of a cellular network. The user equipment communicates with one or more radio access networks and with wired communication networks. The user equipment can be a cellular phone having phonetic communication capabilities. The user equipment can also be a smart phone providing services such as word processing, web browsing, gaming, e-book capabilities, an operating system, and a full keyboard. The user equipment can also be a tablet computer providing network access and most of the services provided by a smart phone. The user equipment operates using an operating system such as Symbian OS, iPhone OS, RIM's Blackberry, Windows Mobile, Linux, HP WebOS, and Android. The screen might be a touch screen that is used to input data to the mobile device, in which case the screen can be used instead of the full keyboard. The user equipment can also keep global positioning coordinates, profile information, or other location information.
The client device 900 also includes any platforms capable of computations and communication. Non-limiting examples can include televisions (TVs), video projectors, set-top boxes or set-top units, digital video recorders (DVR), computers, netbooks, laptops, and any other audio/visual equipment with computation capabilities. The client device 900 is configured with one or more processors 902 that process instructions and run software that may be stored in memory. The processor 902 also communicates with the memory and interfaces to communicate with other devices. The processor 902 can be any applicable processor such as a system-on-a-chip that combines a CPU, an application processor, and flash memory. The client device 900 can also provide a variety of user interfaces such as a keyboard, a touch screen, a trackball, a touch pad, and/or a mouse. The client device 900 may also include speakers and a display device in some embodiments.
The server 104/304 can operate using an operating system (OS) software. In some embodiments, the OS software is based on a Linux software kernel and runs specific applications in the server such as monitoring tasks and providing protocol stacks. The OS software allows server resources to be allocated separately for control and data paths. For example, certain packet accelerator cards and packet services cards are dedicated to performing routing or security control functions, while other packet accelerator cards/packet services cards are dedicated to processing user session traffic. As network requirements change, hardware resources can be dynamically deployed to meet the requirements in some embodiments.
The server's software can be divided into a series of tasks that perform specific functions. These tasks communicate with each other as needed to share control and data information throughout the server 104/304 (in enterprise main office 100/300, and similar server in enterprise remote office 112/312). A task can be a software process that performs a specific function related to system control or session processing. Three types of tasks operate within the server 104/304 in some embodiments: critical tasks, controller tasks, and manager tasks. The critical tasks control functions that relate to the server's ability to process calls such as server initialization, error detection, and recovery tasks. The controller tasks can mask the distributed nature of the software from the user and perform tasks such as monitoring the state of subordinate manager(s), providing for intra-manager communication within the same subsystem, and enabling inter-subsystem communication by communicating with controller(s) belonging to other subsystems. The manager tasks can control system resources and maintain logical mappings between system resources.
Individual tasks that run on processors in the application cards can be divided into subsystems. A subsystem is a software element that either performs a specific task or is a culmination of multiple other tasks. A single subsystem includes critical tasks, controller tasks, and manager tasks. Some of the subsystems that run on the server 104 include a system initiation task subsystem, a high availability task subsystem, a shared configuration task subsystem, and a resource management subsystem.
The system initiation task subsystem is responsible for starting a set of initial tasks at system startup and providing individual tasks as needed. The high availability task subsystem works in conjunction with the recovery control task subsystem to maintain the operational state of the server 104/304 by monitoring the various software and hardware components of the server 104/304. Recovery control task subsystem is responsible for executing a recovery action for failures that occur in the server 104/304 and receives recovery actions from the high availability task subsystem. Processing tasks are distributed into multiple instances running in parallel so if an unrecoverable software fault occurs, the entire processing capabilities for that task are not lost. User session processes can be sub-grouped into collections of sessions so that if a problem is encountered in one sub-group users in another sub-group will not be affected by that problem.
Shared configuration task subsystem can provide the server 104/304 with an ability to set, retrieve, and receive notification of server configuration parameter changes and is responsible for storing configuration data for the applications running within the server 104/304. A resource management subsystem is responsible for assigning resources (e.g., processor and memory capabilities) to tasks and for monitoring the task's use of the resources.
In some embodiments, the server 104/304 can reside in a data center and form a node in a cloud computing infrastructure. The server 104/304 can also provide services on demand. A module hosting a client is capable of migrating from one server to another server seamlessly, without causing program faults or system breakdown. The server 104/304 on the cloud can be managed using a management system.
It is to be understood that the disclosed subject matter is not limited in its application to the details of construction and to the arrangements of the components set forth in the following description or illustrated in the drawings. The disclosed subject matter is capable of other embodiments and of being practiced and carried out in various ways. Also, it is to be understood that the phraseology and terminology employed herein are for the purpose of description and should not be regarded as limiting.
As such, those skilled in the art will appreciate that the conception, upon which this disclosure is based, may readily be utilized as a basis for the designing of other structures, methods, and systems for carrying out the several purposes of the disclosed subject matter. It is important, therefore, that the claims be regarded as including such equivalent constructions insofar as they do not depart from the spirit and scope of the disclosed subject matter.
Although the disclosed subject matter has been described and illustrated in the foregoing exemplary embodiments, it is understood that the present disclosure has been made only by way of example, and that numerous changes in the details of implementation of the disclosed subject matter may be made without departing from the spirit and scope of the disclosed subject matter, which is limited only by the claims which follow.