1. Field of the Invention
The present invention relates to a server for safely providing a data supplying service in a network, such as the internet, that is used and accessed by third parties. In particular, the server of the present invention shares data in the network that must be protected from access by third parties.
2. Background Art
Recently, the internet has become even more widespread. Applications such as the WWW (World Wide Web) and e-mail have become standard on the internet. It is now possible for a third party to use the internet to refer to various information supplied by organizations or educational institutions, as well as to use the internet for communication purposes.
When one is connected to the internet, one has free access to any site on the internet as long as that site is also connected to the internet. However, this convenience has a pitfall: it exposes one to attack by a malicious third party.
Organizations in general protect their local network systems from attacks coming via the internet by using a mechanism called a firewall. The sites within an organization's local network system that can access the internet are limited, and from these limited sites the internet is accessed via the firewall, which allows only specific communication to pass through. The safety of the local network system owned by the organization is in general more important than the convenience that the internet connection may bring. Most organizations design their local network systems with a configuration that allows only extremely limited communication to pass through the firewall, such as SMTP (Simple Mail Transfer Protocol) messages, SMTP being the communication protocol of e-mail.
In order to reconcile the safety factor and the convenience factor of the internet connection, Japanese unexamined patent publication HEI9-270788 discloses a technique that can respond to various service requests coming from the internet without having to change the configuration of the firewall. In this document, communication takes place by a communication packet passing through a specific authentication port. The communication packet stores a program that can respond to an authentication challenge of the firewall. The technique disclosed in this document guarantees the safety of the organization's local network system and, at the same time, supplies a better and more flexible service from the organization's local network to a specific user who is permitted access to the organization's local network system.
When the internet is used as an inexpensive communication medium, transmission data is encrypted and transmitted in encrypted form to prevent data leakage on the communication path. Encryption and decryption of the transmission data take place at various levels in a system; for instance, an encryption service operates at the communication socket level, known as SSL (Secure Sockets Layer). Japanese unexamined patent publication HEI 9-251426 discloses an example of data encryption and decryption at an application level called file system.
When an organization's local network system is connected to the internet as described previously, the firewall technique is adopted to protect the organization's local network system. However, the problem remains that it is difficult to share data safely between the organization's local network and the internet.
The present invention attempts to resolve the disadvantages of the conventional techniques. The aim of the present invention is to supply a data sharing mechanism that safely enforces data sharing between the organization's local network and the internet, as well as to supply an application management apparatus and method for the applications that use the shared data. That is, the present invention aims to supply a configuration in which the shared data can be accessed from the local network side or from the internet side. The present invention also aims to provide a configuration in which the application of the local network and the application of the internet both refer to and update the shared data by using the application management method, so that an equivalent service is provided on both sides.
According to another aspect of the present invention, a data sharing computer system comprises a first computer system; a second computer system; a shared data storing unit; and an access control information storing unit, including:
(A) the shared data storing unit includes a plurality of data storing areas, which divides a shared data accessed by the first computer system and the second computer system, and stores the divided shared data to the plurality of data storing areas;
(B) the access control information storing unit stores an access control information which indicates whether each data storing area of the shared data storing unit is accessible or not accessible;
(C) the first computer system includes a first service unit, a first data access unit connected to the shared data storing unit, and a first mutual exclusion unit connected to the access control information storing unit; wherein
(1) the first service unit instructs the first data access unit and the first mutual exclusion unit to access an arbitrary data storing area; and
(2) the first mutual exclusion unit obtains the access control information of the instructed data storing area, decides whether the instructed data storing area is accessible or not accessible, and changes the access control information of the instructed data storing area to not accessible if decided as accessible;
(3) the first data access unit accesses the instructed data storing area after the first mutual exclusion unit decides that the instructed data storing area is accessible and changes the access control information to not accessible; and
(4) the first mutual exclusion unit changes the access control information of the instructed data storing area to accessible after the first data access unit accesses the instructed data storing area.
(D) the second computer system includes a second service unit, a second data access unit connected to the shared data storing unit, and a second mutual exclusion unit connected to the access control information storing unit; wherein
(1) the second service unit instructs the second data access unit and the second mutual exclusion unit to access an arbitrary data storing area;
(2) the second mutual exclusion unit obtains the access control information of the instructed data storing area, decides whether the instructed data storing area is accessible or not accessible, and changes the access control information of the instructed data storing area to not accessible if decided as accessible;
(3) the second data access unit accesses the instructed data storing area after the second mutual exclusion unit decides that the instructed data storing area is accessible and changes the access control information to not accessible; and
(4) the second mutual exclusion unit changes the access control information of the instructed data storing area to accessible after the second data access unit accesses the instructed data storing area.
According to another aspect of the present invention, the data sharing computer system comprises the first computer system which is connected to a first network system having a third computer system. The first service unit supplies a first service to the third computer system via the first network system. The second computer system is connected to a second network system having a fourth computer system. The second service unit supplies a second service to the fourth computer system via the second network system.
According to another aspect of the present invention, the data sharing computer system comprises the second service unit which supplies the second service to the fourth computer system via the second network system which is equivalent to the first service supplied by the first service unit to the third computer system via the first network system.
According to another aspect of the present invention, the data sharing computer system comprises the first mutual exclusion unit which is connected to the access control information storing unit by a bus having a bus lock function. The first mutual exclusion unit locks the bus while obtaining the access control information of the instructed data storing area, deciding whether the instructed data storing area is accessible or not accessible, and updating the access control information of the instructed data storing area to not accessible if decided as accessible. The first mutual exclusion unit locks the bus while the access control information of the instructed data storing area is being changed to accessible. The second mutual exclusion unit is connected to the access control information storing unit by the bus having the bus lock function. The second mutual exclusion unit locks the bus while obtaining the access control information of the instructed data storing area, deciding whether the instructed data storing area is accessible or not accessible, and updating the access control information of the instructed data storing area to not accessible if decided as accessible. The second mutual exclusion unit locks the bus while the access control information of the instructed data storing area is being changed to accessible.
According to another aspect of the present invention, the data sharing computer system comprises the first mutual exclusion unit which executes a series of operations including obtaining the access control information of the instructed data storing area, deciding whether the instructed data storing area is accessible or not accessible, and updating the access control information of the instructed data storing area to not accessible if decided as accessible, wherein the series of operations is executed using a single command; and the second mutual exclusion unit which executes a series of operations including obtaining the access control information of the instructed data storing area, deciding whether the instructed data storing area is accessible or not accessible, and updating the access control information of the instructed data storing area to not accessible if decided as accessible, wherein the series of operations is executed using a single command.
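The per-area sequence of steps (2) to (4) above, with the obtain, decide and update operations collapsed into a single atomic operation, can be sketched in C as follows. This is an added example, not code from the patent; the area count, area size and all function names are assumptions, and a C11 atomic exchange stands in for the bus-locked or single-command operation.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define N_AREAS   4   /* assumed number of data storing areas */
#define AREA_SIZE 64  /* assumed size of one area in bytes */

static unsigned char shared_data[N_AREAS][AREA_SIZE];
/* Access control information: false = accessible, true = not accessible.
   Static atomics are zero-initialized, so every area starts accessible. */
static atomic_bool not_accessible[N_AREAS];

/* Step (2): obtain the flag, decide, and mark the area not accessible in
   one atomic exchange. True only for the caller that found it accessible. */
bool area_try_acquire(size_t area) {
    if (area >= N_AREAS) return false;
    return !atomic_exchange_explicit(&not_accessible[area], true,
                                     memory_order_acquire);
}

/* Step (4): mark the area accessible again. Call only while holding it. */
void area_release(size_t area) {
    if (area < N_AREAS)
        atomic_store_explicit(&not_accessible[area], false,
                              memory_order_release);
}

/* Steps (2)-(4) around one write. Returns 0 on success, -1 if the area is
   held by the other system, -2 on a bad area index or length. */
int area_write(size_t area, const void *src, size_t len) {
    if (area >= N_AREAS || len > AREA_SIZE) return -2;
    if (!area_try_acquire(area)) return -1;
    memcpy(shared_data[area], src, len);  /* step (3) */
    area_release(area);
    return 0;
}

/* The same sequence around one read. */
int area_read(size_t area, void *dst, size_t len) {
    if (area >= N_AREAS || len > AREA_SIZE) return -2;
    if (!area_try_acquire(area)) return -1;
    memcpy(dst, shared_data[area], len);
    area_release(area);
    return 0;
}
```

If the read and the update of the flag were two separate operations, both systems could find the same area accessible and enter it together. A holder that stops before step (4) leaves the area not accessible, so a deployment also needs a recovery path for a stuck flag.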
According to another aspect of the present invention, the data sharing computer system comprises the first computer system, including:
(1) a data-encrypting key storing unit for storing a data-encrypting key used for encrypting and decrypting;
(2) a data encryption and decryption executing unit for encrypting by using a specified data-encrypting key when an encryption is instructed by specifying the data-encrypting key, and for decrypting by using a specified cipher key when a decryption is instructed by specifying the data-encrypting key;
(3) a data-encrypting key re-setting unit for changing the data-encrypting key stored in the data-encrypting key storing unit; and
(4) a data re-encrypting unit for instructing the first data access unit to read an encrypted data from the data storing area, for instructing the data encryption and decryption executing unit to decrypt the encrypted data read from the data storing area by specifying the data-encrypting key before changing the data-encrypting key, for instructing the data encryption and decryption executing unit to re-encrypt the decrypted data by specifying a new data-encrypting key after changing the data-encrypting key, and for instructing the first data access unit to write a re-encrypted data to an original data storing area.
According to another aspect of the present invention, a client connected to a network system comprises:
(1) a shared data transmitting and receiving unit for transmitting and receiving a shared data to and from a first computer system sharing the data with a second computer system, wherein the first computer system is connected to the network system;
(2) a data encrypting unit for encrypting the shared data transmitted from the shared data transmitting and receiving unit; and
(3) a data decryption unit for decrypting the shared data received at the shared data transmitting and receiving unit.
According to another aspect of the present invention, the data sharing computer system 1 further comprises a third computer system. The third computer system and the first computer system are connected to a first network system. The first service unit supplies a service to the third computer system via the first network system. The third computer system includes a shared data cache unit for caching the shared data accessed by the service supplied by the first service unit.
According to another aspect of the present invention, the data sharing computer system comprises the first service unit which operates using a configuration information; the shared data storing unit which stores the configuration information used by the first service unit; and the second computer system which includes another storing unit; the second computer system which includes a configuration information replicating unit for reading the configuration information stored in the shared data storing unit, and for writing the configuration information read to the another storing unit; and the second service unit which updates the first configuration information written to the another storing unit, and operates by using the updated configuration information.
According to another aspect of the present invention, the data sharing computer system comprises the computer system, including:
(1) an authentication method managing unit for storing an authentication method used in a user authentication by the first computer system;
(2) an authentication and permission database managing unit for previously storing a data used for the user authentication;
(3) an authenticating function unit receiving a data requiring the user authentication and an authentication request, and by using the previously stored data used for the user authentication in the authentication and permission database managing unit and the data requiring the user authentication, based on the authentication method stored in the authentication method managing unit.
According to another aspect of the present invention, the data sharing computer system comprises the data sharing computer system which is a shared memory type parallel computer comprising a bus; and the shared memory type parallel computer which includes the first computer system; the second computer system; the shared data storing unit; and the access control information storing unit connected via the bus.
Further scope of applicability of the present invention will become apparent from the detailed description given hereinafter. However, it should be understood that the detailed description and specific examples, while indicating preferred embodiments of the invention, are given by way of illustration only, since various changes and modifications within the spirit and scope of the invention will become apparent to those skilled in the art from this detailed description.