1. Technical Field of the Invention
This invention pertains to computer networks. More particularly, it pertains to establishing a client to server connection by associating legacy profiles with user certificates to simplify the log-on or sign-on process.
2. Background Art
Referring to FIG. 1, many legacy and current computer systems, such as server system 104 accessed over network (such as an Internet or intranet network) 102, use the concept of user profiles and passwords to establish the identity of a user on that system. In other words, as is represented by lines 107 and 109, a user must submit a profile name 106 and accompanying password 108 to establish that he is an allowed user on this computer 104. This is typically enforced via what is called a Sign-On Panel 100 where, as is represented by line 111, one is prompted by server 104 to enter his profile name 106 and password 108. The user must remember and enter the exact combination of profile (a.k.a., user identifier) 106 and passwords 108, or is denied access to the server 104.
This introduces problems. The user is expected to "memorize" his name 106 and password 108. If the user is a software developer, who is required to work on many different computer systems 104, recalling multiple names and passwords becomes intimidating. This is especially true when passwords 108 can have arcane rules, such as being required to have so many numbers or alphabetic characters, and must be changed periodically. Because the user must remember so many, or because he simply cannot remember any, these user profiles and/or associated passwords are written down on paper, posted on the computer terminal or nearby note board, or put in a desk or other insecure place. Whatever the case, the user has compromised security on the computer system, should someone manage to get this information, not to mention the additional frustration and time it causes the user.
This problem is compounded in networks, where the user may use a client application to connect to a server 104. To sign on to that server, the user must send his profile name 106 and password 108 over the network 102 to server 104. This means that at any point in the network 102, someone can intercept this information before it arrives at the server 104, find out the user's profile name 106 and password 108, and then use it without his knowledge. Thus, a primary security concern is protecting information being exchanged between clients 100 and servers 104, in particular any server 104 that prompts 111 for a profile and password.
Referring to FIG. 2, protection of data while it traverses the Internet is essential for many companies and their customers. One popular means of securing data is via Secure Sockets Layer (SSL) technology, which uses RSA Data Security techniques to encrypt and decrypt data at each endpoint, foiling attempts to read any data intercepted in transit through network 102. SSL also makes possible the exchange of certificates 110, 112, which are a mechanism by which each endpoint 101, 104 (such as a computer node, server 104 or client 101) can validate the identity of the other endpoint. For example, if a user 101 wants to connect and sign on to a particular web server 104, certificates allow the user to be sure the connection is really to that web server 104, and not some other machine. Likewise, certificates allow the web server 104 to be sure of the identity of a particular user 101. As is represented by lines 113 and 115, after the certificates 110, 112 are used to authenticate the user 101 and server 104, the certificates are no longer needed, and the user 101 is allowed to establish an SSL connection to the web server 104 and proceed to a sign-on panel 100, where he must then enter and communicate via lines 117, 119 and 103, 105, respectively, his traditional user profile 106 and password 108 to server 104 for comparison with profile 114 and password 116.
Since certificates 110, 112 have already validated the client identity, it is redundant to require that the user, or client 101, also sign-on using a profile name 106, 114 and password 108, 116. This profile information is not part of any SSL information exchange, which means that even though the user has already established his identity via SSL 110, 112, he must still prove his identity again, once via SSL and again via sign-on 100 with profile 106 and password 108. This makes it even more difficult for a particular user to manage his profiles and passwords.
User exits give server administrators a way to provide a program that validates a client identity using the IP address of the connection. This security is very weak and can be faked, since IP addresses are easily spoofed and cannot be trusted. Alternatively, encrypted passwords may be sent to a Telnet server, which provides good security.
It is an object of the invention to provide a system and method for bypassing sign-on panels, avoiding double validation for SSL users.
It is an object of the invention to provide a network connection which requires no exchange of profiles and passwords over the network.
It is an object of the invention to eliminate or substantially reduce profile and password management.
It is an object of the invention to provide a system and method for allowing a user, once having created, received or installed a certificate, to log-on to a computer network without further exchange of profiles and passwords.
It is an object of the invention to provide an improved system and method for enabling exchange or initiation of specific actions. Such actions may include initial programs, object access authority, and environment set up.
It is an object of the invention to provide a system and method for boosting performance by turning encryption off after client authentication.
It is an object of the invention to provide a system and method enabling a user to be limited to a pre-defined profile or to the number of sessions simultaneously active.
It is an object of the invention to avoid the use of passwords to sign-on to a server.
In accordance with preferred embodiments of the invention, a system and method are provided for connecting a client system to a server system. A user profile is associated with a user certificate in a client database. Responsive to user input of said profile, the user is authenticated to a certificate in the client database, which certificate is then communicated to the server. The server validates the certificate and upon validation establishes a job session with the client without prompting the user for subsequent input of profile and password.
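The server-side half of this scheme, the step where a certificate that has already passed chain validation is looked up and a session is opened under the bound profile without a password prompt, is illustrated below. This is an added example, not code from the patent or from any product it describes. It assumes the server receives the peer certificate in the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()` after a `CERT_REQUIRED` handshake, and it assumes a hypothetical registry keyed by (issuer, serial number), since that pair uniquely identifies a certificate whereas a bare common name does not. The registry also enforces the per-profile session limit named among the objects of the invention. All certificates and registry entries are constructed sample data.

```python
"""Map a validated client certificate to a legacy user profile (added example)."""
import ssl
import time
from dataclasses import dataclass, field


@dataclass
class ProfileRegistry:
    """Hypothetical enrolment store: (issuer CN, serial) -> profile name."""
    bindings: dict
    trusted_issuers: set          # issuer CNs whose certs may stand in for a password
    max_sessions: int = 2         # per-profile concurrent session ceiling
    active: dict = field(default_factory=dict)  # profile -> live session count


def _dn_to_dict(rdn_seq):
    """Flatten the nested tuple DN format produced by getpeercert()."""
    return {k: v for rdn in rdn_seq for (k, v) in rdn}


def resolve_profile(peercert, registry, now=None):
    """Return the profile bound to a validated peer certificate, or raise.

    The TLS layer has already checked the signature chain; this adds the checks
    the handshake does not make: trusted issuer for this purpose, validity
    window, and an explicit enrolment binding.  An unbound certificate raises
    LookupError so the caller can fall back to the traditional sign-on panel.
    """
    if not peercert:
        raise PermissionError("no client certificate presented")
    issuer_cn = _dn_to_dict(peercert["issuer"]).get("commonName")
    if issuer_cn not in registry.trusted_issuers:
        raise PermissionError(f"issuer {issuer_cn!r} not trusted for profile mapping")
    now = time.time() if now is None else now
    if ssl.cert_time_to_seconds(peercert["notBefore"]) > now:
        raise PermissionError("certificate not yet valid")
    if ssl.cert_time_to_seconds(peercert["notAfter"]) < now:
        raise PermissionError("certificate expired")
    profile = registry.bindings.get((issuer_cn, peercert["serialNumber"]))
    if profile is None:
        raise LookupError("certificate not bound to any profile")
    return profile


def open_session(peercert, registry, now=None):
    """Resolve the profile and account for one more session, honouring the limit."""
    profile = resolve_profile(peercert, registry, now)
    if registry.active.get(profile, 0) >= registry.max_sessions:
        raise PermissionError(f"profile {profile!r} already at session limit")
    registry.active[profile] = registry.active.get(profile, 0) + 1
    return profile


def _sample_cert(cn, serial, not_after):
    """Constructed certificate dict in getpeercert() shape (sample data)."""
    return {
        "subject": ((("commonName", cn),),),
        "issuer": ((("organizationName", "Example Corp"),), (("commonName", "Example Corp CA"),),),
        "serialNumber": serial,
        "notBefore": "Jan 15 00:00:00 2020 GMT",
        "notAfter": not_after,
    }


# Constructed sample data: two enrolled users, one trusted-but-unenrolled cert,
# and one expired cert.  The clock is fixed so results are deterministic.
NOW = ssl.cert_time_to_seconds("Jan 15 00:00:00 2025 GMT")
ALICE = _sample_cert("alice", "0A1B2C", "Jan 15 00:00:00 2030 GMT")
STRANGER = _sample_cert("mallory", "0FFFFF", "Jan 15 00:00:00 2030 GMT")
EXPIRED = _sample_cert("bob", "0B0B0B", "Jan 15 00:00:00 2022 GMT")


def new_registry():
    return ProfileRegistry(
        bindings={("Example Corp CA", "0A1B2C"): "ALICE01",
                  ("Example Corp CA", "0B0B0B"): "BOB02"},
        trusted_issuers={"Example Corp CA"},
    )


def demo():
    """Run the sample flow and return the outcome for each certificate."""
    reg = new_registry()
    out = {"alice": [open_session(ALICE, reg, NOW), open_session(ALICE, reg, NOW)]}
    for name, cert in (("alice_third", ALICE), ("stranger", STRANGER), ("expired", EXPIRED)):
        try:
            out[name] = open_session(cert, reg, NOW)
        except (PermissionError, LookupError) as exc:
            out[name] = type(exc).__name__
    return out


if __name__ == "__main__":
    print(demo())
```

A production server would obtain `peercert` from `conn.getpeercert()` on an `ssl.SSLContext` configured with `verify_mode = ssl.CERT_REQUIRED` and the enrolment CA loaded via `load_verify_locations`; the registry lookup then replaces the profile/password prompt entirely, while an unenrolled certificate routes the client to the legacy sign-on panel rather than being mapped by guesswork.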
In accordance with an aspect of the invention, there is provided a computer program product configured to be operable to connect a client to a server system based upon certificates without server prompting for user input of profile and password.
Other features and advantages of this invention will become apparent from the following detailed description of the presently preferred embodiment of the invention, taken in conjunction with the accompanying drawings.