1. Field of the Invention
The present invention relates to distributed computing systems. More specifically, the present invention relates to a method and an apparatus for facilitating single sign-on of an application cluster to multiple server computer systems.
2. Related Art
As distributed computing systems continue to evolve, it is becoming increasingly more common to locate applications on middle-tier systems. These middle-tier systems are accessed by clients and rely on backend servers to provide persistent storage and other services to the applications.
For example, FIG. 1 illustrates a distributed computing system including clients 101, middle-tier systems 103, and backend servers 105. Computer users (not shown) interact with clients 118 and 120 to access the various applications available on the middle-tier systems 103.
Middle-tier systems 103 include application clusters 102, 104, 106, and 108, which each host multiple applications, some of which may be duplicated on multiple application clusters. For example, application clusters 102 and 106 both host applications A1 and A2, while application clusters 102, 104, 106, and 108 all host applications A3 and A4.
Referring to the right-hand side of FIG. 1, databases 110, 112, and 114, and directory service 116 provide persistent storage and other services to application clusters 102, 104, 106, and 108.
Although distributing functionality between middle-tier systems 103 and backend servers 105 in this way has a number of advantages, it can greatly complicate security. For example, in FIG. 1 a client 118 can authenticate and access an application A3 in application cluster 102, as is illustrated by line 130. At the same time, client 120 can also access application A3 in application cluster 104 (across line 132).
When application A3 in application cluster 102 requires access to database 112, application A3 authenticates to the database, requesting access to a schema associated with database 112, as is illustrated by line 124 in FIG. 1. This authentication process typically involves using a schema name and a password. Application A3 in application cluster 104 can subsequently access the same schema within database 112 using the same schema name and the same password, as is represented by line 126 in FIG. 1. Similarly, application A1 can access a schema within database 110 (across line 122) using a schema name and password for the desired schema. This schema name and password can be different from the schema names and passwords used on lines 124 and 126. Application A1 in application cluster 106 can also access directory service 116 (across line 128), possibly using a distinguished name (DN) and a password.
While the mechanisms described above provide the required access to the backend servers, they have several drawbacks. Each application uses the same password to access a given schema, regardless of where the application resides. Additionally, each schema has a unique password. Hence, every application that needs access to multiple schemas must maintain multiple schema/password pairs—one for each schema. This proliferation of passwords creates password distribution and maintenance problems.
For example, updating the password for application A3 to access a given schema on database 112 requires that the password be changed simultaneously at a minimum of five locations—database 112, and application A3 in application clusters 102, 104, 106, and 108. Moreover, storing the same password at multiple application clusters is detrimental to system security, because a security breach at one application cluster potentially allows access to a large number of database schemas, and provides no clues as to which application cluster was compromised. The number of passwords in this example is approximately the number of installations times the number of applications times the number of backend servers. This is an extremely large number of passwords to maintain.
Hence, what is needed is a method and an apparatus that facilitate authenticating applications accessing backend servers without the problems listed above.