This application is not referenced in any microfiche appendix.
The invention relates generally to a data processing system, method and article of manufacture allowing for the dynamic reconfiguration of an input/output device controller. In particular, the present invention relates to a computer-based system, method and article of manufacture which supports and facilitates a remote configuration and utilization of an emulated input/output device controller via encrypted data communication between a plurality of users and said controller.
The present invention provides for secured, real-time, configuration and utilization of an emulated input/output device controller. The instant invention advances the art by allowing its practice to be supported via an encrypted communications protocol interfacing with, and relying upon, the teachings, practices and claims disclosed in co-pending U.S. patent application Ser. Nos. 09/239,425 and 09/255,837 (hereinafter synonymously referred to as "Secure Agent" or "SA").
Secure Agent Service Overview
The following overview is provided to facilitate a comprehensive understanding of the teachings of the instant invention. Secure Agent utilizes a secure login sequence wherein a client connects to a Secure Agent server using a key known to both systems and presents the server with user identification (as used herein the term "client" refers synonymously to a remote user establishing, and communicating with, the instant invention through Secure Agent allocation and encryption processes as taught in the above noted applications). If recognized, the Secure Agent server initiates a protocol whereby the client's identification is verified and subsequent communication is conducted within a secured (encrypted) construct. For purposes of this overview, the term "server" should be considered a hardware configuration represented as a central processing unit wherein Secure Agent, a Host DLL and driver reside, and are executed. The term "DLL" as used herein refers to a Secure Agent host dynamically linked library (a.k.a. Host DLL). The term "DLL" or "dynamically linked library" is used in a manner consistent with that known to those skilled in the art. Specifically, the term "DLL" refers to a library of executable functions or data that can be used by a Windows application. As such, the instant invention provides for one or more particular functions and program access to such functions by creating a static or dynamic link to the DLL of reference, with "static links" remaining constant during program execution and "dynamic links" created by the program as needed.
The Secure Agent server presents a variable unit of data, such as the time of day, to the client as a challenge. The client must then encrypt that data and supply it back to the server. If the server is able to decrypt the data using the stored client's key so that the result matches the original unencrypted challenge data, the user is considered authenticated and the connection continues. The key is never passed between the two systems and is therefore never at risk of exposure.
The initial variable unit of data seeds the transmission of subsequent data so that the traffic for each client server session is unique. Further, each byte of data transmitted is influenced by the values of previously sent data. Therefore, the connection is secure across any communication passageway including public networks such as, but not limited to, the Internet. The distance between the client and server is not of consequence but is typically a remote connection. For accountability purposes, the actions of a client may be recorded (logged) to non-volatile storage at almost any detail level desired.
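The logon exchange and the challenge-seeded session traffic described in the two preceding paragraphs, as an added illustration that is not code from the patent or from Secure Agent. The cipher the applications use is not specified here, so this example assumes a CFB-style construction with HMAC-SHA256 as the keystream function; the shared key, the fixed logon seed `CHALLENGE_SEED` and the function names are all constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed demo key: in Secure Agent the key is known to both sides and is
# never transmitted. A real deployment provisions it out of band.
SHARED_KEY = b"constructed-demo-key"
CHALLENGE_SEED = b"SA-challenge"  # assumed fixed seed for the logon step only

def _keystream(key: bytes, prev: bytes) -> bytes:
    # HMAC-SHA256 of the previous ciphertext block: a CFB-style chaining PRF,
    # used here as a stand-in for the unspecified cipher of the applications.
    return hmac.new(key, prev, hashlib.sha256).digest()

def encrypt(key: bytes, seed: bytes, plaintext: bytes) -> bytes:
    out, prev = bytearray(), seed
    for i in range(0, len(plaintext), 32):
        cblock = bytes(p ^ k for p, k in zip(plaintext[i:i + 32], _keystream(key, prev)))
        out += cblock
        prev = cblock  # every later byte depends on data already sent
    return bytes(out)

def decrypt(key: bytes, seed: bytes, ciphertext: bytes) -> bytes:
    out, prev = bytearray(), seed
    for i in range(0, len(ciphertext), 32):
        cblock = ciphertext[i:i + 32]
        out += bytes(c ^ k for c, k in zip(cblock, _keystream(key, prev)))
        prev = cblock
    return bytes(out)

def server_challenge() -> bytes:
    # Variable unit of data such as the time of day; a nonce is appended so two
    # sessions opened in the same microsecond still receive distinct challenges.
    return f"{time.time():.6f}".encode() + os.urandom(8)

def client_respond(client_key: bytes, challenge: bytes) -> bytes:
    return encrypt(client_key, CHALLENGE_SEED, challenge)

def server_verify(stored_key: bytes, challenge: bytes, response: bytes) -> bool:
    # Decrypt with the stored key and compare against the plaintext challenge.
    return hmac.compare_digest(decrypt(stored_key, CHALLENGE_SEED, response), challenge)

def run_session(client_key: bytes, stored_key: bytes, message: bytes):
    """Full exchange: logon, then one message whose encryption the challenge seeds."""
    challenge = server_challenge()
    if not server_verify(stored_key, challenge, client_respond(client_key, challenge)):
        return None  # authentication failed; nothing further is accepted
    return decrypt(stored_key, challenge, encrypt(client_key, challenge, message))
```

Because the response is bound to one challenge value, a recorded response cannot be replayed against a later challenge, and a client holding the wrong key is rejected before any session data is accepted.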
The access rights of each client (what the client is able to accomplish during a session) are governed by data stored on the Secure Agent server to which the client is associated. As an example, such rights might encompass the ability to administer and utilize the services of the server system, which would, in turn, include capabilities such as adding new client users, changing a user's rights, transferring new code to the server, using a feature (or service) of the server and more.
Consequently, Secure Agent allows for the transmission of new code to the server and for that code to be implemented upon demand by a client. Such dynamic, real-time implementation, in turn, allows for the behavior of the server to be modified. It is to this behavior modification that the instant invention addresses its teachings, and thereby advances the contemporary art.
As will be readily appreciated by those skilled in the art, though the instant invention utilizes encryption/decryption and code recognition technology associated with Secure Agent, an alternative technology may be employed in support of the instant invention without departing from the disclosure, teachings and claims presented herein.
The present invention is best viewed as comprised of two server components with one or more client subcomponents or sub-processes disclosed in association thereto. It can be further conceptualized that a distinguishable client component exists for each emulated device type recognized by the invention's server, with an individual client supporting the simultaneous use of a plurality of client-side components. As used throughout the instant invention specification and claims, the term "server" is used synonymously with "emulated device controller", "server central processing unit", "server CPU", and "remotely configurable input/output device controller" and the term "client" is used synonymously with "host user", "client central processing unit", "client CPU" and "remote user".
The invention""s lower-most server component layer is a device driver to communicate directly with one or more hardware components attached to one or more computer systems, such as, but not limited to, mainframe computers (a.k.a. host processors). The driver controls the hardware in a manner prescribed by its design, causing it to interact with the other computer systems to which it is connected as if it were one or more device types (emulation). The driver additionally acts as a conduit to a higher level server component that governs the overall behavior of the emulated devices. This higher level component primarily supplies the driver with new data to provide through the emulated devices to the other computers to which it is connected and accepts data arriving to the emulated devices carried up by the device driver. Both layers predomoninantly operate on a device by device basis. The higher level server component, in turn, serves as the interface between Secure Agent technology and remotely connected clients allowing for the encrypted transmission of all data external to the server.
Using the example of an IBM 3215 console, a client would connect to a server and request a list of the 3215 devices which shared membership to the user's security groups. The user would select a device and a logical pathway from the mainframe computer to the client's system would become established. The client would communicate through the server layers with the end result of messages transported from a mainframe through an emulated device to the client for presentation within a window on a computer screen. Conversely, commands to the mainframe may be issued at the client's workstation and are transported through to the emulated device then through it to the mainframe.
Just as a client might have the ability to administer users (i.e. add/remove), a client might be able to modify the presence and behavior of emulated devices, via Secure Agent administrative functions as taught by the above noted pending patent applications. Allowable configuration ranges and values are verified and enforced according to rules by the server. The various data elements that may be controlled are listed at the bottom of this section. The server disallows modification of the active configuration (apart from device names and their security groups) and forces such modifications to be made to an inactive configuration. This inactive configuration may be swapped with the active configuration (thus activating it) upon demand. Thus, a new configuration may be prepared prior to a decision made to put it into effect. Additional control functionality includes but is not limited to the following:
Recycling an adaptor that is connected to an external computer system. This is commonly referred to as a Power On Reset or, more simply, a POR.
Viewing which users are connected to which devices.
Disconnecting a client user from a device to which he is connected.
Activating an inactive configuration.
Copying the active configuration to the inactive configuration in order to make changes based upon the active configuration.
Purging the inactive configuration in order to start fresh.
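The active/inactive configuration discipline described above, together with the security-group filtering of the 3215 console example, as an added illustration that is not code from the patent or from Secure Agent. The rule table (`DEVICE_TYPES`, `ADDRESS_RANGE`), the `Device` fields and the method names are assumptions constructed for the example; the server's actual rules and data elements are not given on the page.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, Iterable, Optional

# Assumed rule table the server enforces on each device definition (constructed).
DEVICE_TYPES = {"3215", "3270"}
ADDRESS_RANGE = range(0x000, 0x1000)

@dataclass(frozen=True)
class Device:
    name: str
    dev_type: str
    address: int
    groups: frozenset  # security groups; a user must share one to access the device

@dataclass
class Controller:
    active: Dict[str, Device] = field(default_factory=dict)
    inactive: Dict[str, Device] = field(default_factory=dict)

    def validate(self, dev: Device) -> Optional[str]:
        # Returns a rule violation, or None when the definition is acceptable.
        if dev.dev_type not in DEVICE_TYPES:
            return f"unknown device type {dev.dev_type}"
        if dev.address not in ADDRESS_RANGE:
            return f"address {dev.address:#05x} out of range"
        if any(d.address == dev.address for d in self.inactive.values()):
            return "duplicate address in inactive configuration"
        return None

    def define_device(self, dev: Device) -> None:
        # New or changed definitions go only into the inactive configuration.
        err = self.validate(dev)
        if err:
            raise ValueError(err)
        self.inactive[dev.name] = dev

    def rename_active(self, old: str, new: str, groups: Optional[Iterable[str]] = None) -> None:
        # The only edits the active configuration accepts: device name and security groups.
        dev = self.active.pop(old)
        new_groups = frozenset(groups) if groups is not None else dev.groups
        self.active[new] = replace(dev, name=new, groups=new_groups)

    def activate(self) -> None:
        # Swap on demand: the prepared inactive configuration becomes the active one.
        self.active, self.inactive = self.inactive, self.active

    def copy_active_to_inactive(self) -> None:
        self.inactive = dict(self.active)

    def purge_inactive(self) -> None:
        self.inactive.clear()

    def visible_devices(self, user_groups: Iterable[str], dev_type: Optional[str] = None):
        # The device list a client receives: active devices sharing a group with the user.
        ug = frozenset(user_groups)
        return sorted(d.name for d in self.active.values()
                      if d.groups & ug and (dev_type is None or d.dev_type == dev_type))
```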
Consequently it is an object of the instant invention to provide for remote control, operation and use of a server Central Processing Unit (CPU).
A further object of the instant invention is to provide for a secured logon sequence utilizing encrypted data transmission in accordance with the teachings, disclosure and claims of the above noted pending patent applications.
Yet another object of the instant invention is to ensure that all data transferred external to the emulated input/output device controller is encrypted in accordance with the teachings of the above noted pending patent applications.
A further object of the instant invention is to provide the ability for an administrator to alter and manage the configuration of emulated mainframe peripheral devices.
A further object of the instant invention is to allow the selective addition of devices to, or restriction of devices from, one or more host processors such as, but not limited to, mainframe computers.
Another object of the instant invention is to provide for a configuration specification which provides the ability to arbitrarily name each emulated device and assign it to one or more security groups of which a user must be a member in order to access that particular device.
An additional object of the present invention is to provide the capability by which an administrator may add and remove one or more users with respect to emulated input/output device allocation.
Yet another object of the instant invention is to provide a facility by which an administrator may manage the security groups to which a user belongs, thus controlling the access of devices by users at any level desired down to an individual user level.
A further object of the instant invention is to provide the ability for a user to access and operate an emulated input/output device.
Yet another object of the instant invention is to provide the facility by which an administrator may effect/implement new device emulation types.
Another object of the instant invention is to provide support for multiple device types which may be simultaneously supported and operated.
Responsive to the foregoing challenges, the Applicant has developed an innovative system, method and article of manufacture to remotely configure and utilize an emulated device controller via an encrypted validation communication protocol.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only, and are not restrictive of the invention as claimed. The accompanying drawings, which are incorporated herein by reference, and which constitute a part of this specification, illustrate certain embodiments of the invention and, together with the detailed description, serve to explain the principles of the present invention.
In this respect, before explaining at least one embodiment of the invention in detail, it is to be understood that the invention is not limited in this application to the details of construction and to the arrangement of the components set forth in the following description or illustrated in the drawings. The invention is capable of other embodiments and of being practiced and carried out in various ways. Also, it is to be understood that the phraseology and terminology employed herein are for the purpose of description and should not be regarded as limiting. As such, those skilled in the art will appreciate that the conception, upon which this disclosure is based, may readily be utilized as a basis for the designing of other structures, methods and systems for carrying out the several purposes of the present invention. It is important, therefore, that the claims be regarded as including such equivalent constructions insofar as they do not depart from the spirit and scope of the present invention.
Additional objects and advantages of the invention are set forth, in part, in the description which follows and, in part, will be apparent to one of ordinary skill in the art from the description and/or from the practice of the invention.
These, together with other objects of the invention, along with the various features of novelty which characterize the invention, are pointed out with particularity in the claims annexed to and forming a part of this disclosure. For a better understanding of the invention, its operating advantages and the specific objects attained by its uses, reference should be had to the accompanying drawings, depictions and descriptive matter in which there are illustrated preferred embodiments and results of the invention.