In a number of distributed computing environments, a challenge has arisen due to the number of times during the course of a day that employees must log into the different applications that they use during their work. For example, a customer representative in a brokerage company might need to access five or six different software applications during the course of a typical day (depending on particular circumstances this number could be significantly higher). In addition to needing to access a number of different applications, the customer representatives will frequently need to enter and exit a number of the same applications repeatedly during the day. Each time a user exits an application, the system can require that the user go through the log-in procedures again before the application is allowed to access the underlying data on the user's behalf.
An existing system 100 is shown in FIG. 1. The system 100 provides a number of client computers 102 . . . N. In some environments there could be hundreds of client computers. Each of these client computers is connected to a network 103, such as a local area network, wide area network, or other communication network. Also connected to the network 103 are a number of web servers (105, 107, 109, 111) on which a variety of different web applications 104-110 are loaded. In some situations, the network 103 might be connected with additional networks (the network also could be considered to be a single network which includes the entirety of the different computers, switches, routers, servers and mainframes etc. which are interconnected) to provide a client computer with a direct connection to a mainframe 114 system.
For purposes of general reference, FIG. 1B is provided, which shows the general configuration of a computer. Computer system 150 includes a bus 152 or other communication mechanism for communicating information, and a processor 154 coupled with bus 152 for processing information. Computer system 150 also includes a main memory 156, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 152 for storing information and instructions to be executed by processor 154. Main memory 156 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 154. Computer system 150 further includes a read only memory (ROM) 158 or other static storage device coupled to bus 152 for storing static information and instructions for processor 154. A storage device 160, such as a magnetic disk or optical disk, is provided and coupled to bus 152 for storing information and instructions.
A display 162 can be coupled to the bus 152 for displaying information to a computer user. As discussed below, images shown on the display to convey information to a user can be referred to as screen shots. An input device 164, including alphanumeric and other keys, is coupled to bus 152 for communicating information and command selections to processor 154. Another type of user input device is cursor control 166, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 154 and for controlling cursor movement on display 162. Computer system 150 also includes a communication interface 168 coupled to bus 152. Communication interface 168 provides a two-way data communication coupling to the network 110.
One or more processors in a multi-processing arrangement may also be employed to execute the sequences of instructions contained in main memory 156. In alternative embodiments, hard-wired circuitry may be used in place of, or in combination with, software instructions to implement the invention.
The invention discussed herein is related to the use of multiple computer systems coupled together through a network, or networks. In general, the client computers can be any of a range of different types of personal computers; one embodiment described herein contemplates a client computer being a personal computer (PC) using a Pentium type or equivalent processor, with the client computer loaded with the Windows operating system from Microsoft and with a browser application. A browser is an interactive program loaded on the client computer which allows a user to select and view documents (such as HTML documents) and access files and software related to those documents at different addresses or URLs. Browsers can utilize hyperlinks, which allow users to point and click with a mouse in order to jump from document to document in whatever order they desire. Browser operations can sometimes include executing small programs, such as Java applets or ActiveX controls, included by programmers in the documents. Helper applications or plug-ins are required by some Web browsers to accomplish one or more of these tasks.
The discussion herein also contemplates use of web servers. The web servers are computers which generally include the elements described above in connection with FIG. 1B. The processor of a web server (also sometimes referred to as an HTTP server) is programmed to provide for communications and operations in accordance with HTTP procedures. The web server can also be loaded with applications which perform different operations and present pages generated by these applications to users of client computers through a browser. The web server can also transmit other information, files and scripts (software code) to client computers. Web servers are frequently used on both internet sites and company, or enterprise, intranets. Generally the web servers will utilize a Unix or Linux type of operating system, but other operating systems could also be used.
A mainframe computer generally includes the components discussed above in connection with FIG. 1B; however, a mainframe computer is typically much more powerful and complex than a web server or a client computer. A mainframe computer in the past might have been programmed with the MVS operating system from IBM; newer mainframe operating systems include zOS from IBM. One new mainframe model available from IBM is the Z990 mainframe computer. The mainframe computer can include multiple processors working in parallel to speed processing of information, and can typically support a large number of users, or operations occurring nearly simultaneously.
One challenge in the operation of system 100 is that many of the applications (such as, for example, applications 104 and 106) residing on the web servers 105 and 107 need to access data which resides in mainframe system 114 (the mainframe system can include extensive storage devices for databases, such as IBM's DB2 database). For example, some financial analysis applications can reside on a web server, and a user of the client computer, for example a brokerage representative in a branch office, may need to use the financial analysis application to provide advice to a brokerage customer; such an analysis application will typically need to pull up account information for the brokerage client, so that the analysis can take into account the brokerage client's present holdings, and possibly make recommendations as to whether certain assets should be held or sold in the brokerage account.
In the system 100 the brokerage customer account information resides not in the web server application layer, which includes the web servers on which web applications 104-110 are loaded, but instead in mainframe environment 114, which is linked to the application layer through middle layer 112, sometimes referred to as middleware. The middle layer can include a number of computers, such as servers, which are loaded with software which operates to provide an interface between web applications and the mainframe 114. This interface allows the web applications to enter information into databases of the mainframe environment 114, or access information from the databases of the mainframe environment. In one embodiment the middleware 112 includes a number of IBM P680 computers, loaded with a Unix type operating system. The middleware operates to provide a number of functions in the system 100. For example, the middleware can provide for load balancing among a number of different computers of the mainframe environment 114, such that if one computer of the mainframe environment is loaded with a particularly high volume of traffic, or computational demands, then the middleware can operate to direct new requests to a different computer in the mainframe environment. The middleware can also route certain requests for information to particular components of the mainframe environment to expedite handling of certain requests. Additionally, the middleware operates to provide an interface between the operating environment, operating systems, languages, and protocols of the web application servers, and the mainframe environment 114. The middleware can also provide for communications between non-web based applications (not shown) and the mainframe environment.
For example, a user might access the mainframe 114 through the middleware from a personal computer, rather than through a web based application, or a user might use voice commands to enter certain requests to exchange information with the mainframe computer. Whatever the particular case, the middleware components can be programmed to provide for a broad interface between the mainframe environment and a range of external applications.
It should also be recognized that as shown in system 100 not all web-based applications require access to the mainframe environment. For example, application 108 could be a customer relationship management (CRM) application, such as supplied by Siebel, of San Mateo, Calif., and it could utilize an Oracle database (from Oracle of Redwood Shores, Calif.) which is connected to, or incorporated into the web application server on which application 108 is loaded. For such an application, some of the complexities associated with interfacing with the mainframe environment are alleviated.
Where the web application needs access to data in the mainframe environment, obtaining access to the mainframe system has, in many prior systems, required that the user provide a user id and a password for access to the mainframe. Generally, the user id and password for the mainframe are different from the user id and password for logging onto the client computer. The operation of one such system 200 is described below in connection with FIG. 2. Where the web application does not require access to the mainframe environment, solutions exist which allow access to various web servers and web databases without requiring that the user enter additional user id and password information. These solutions, such as the Netpoint/Oblix software package, generally utilize HTTP cookies: the web server and the web application operate to store the necessary security data in an HTTP cookie, which allows the user access to the necessary information. The mainframe environment of system 100 is not able to effectively utilize the HTTP cookie to control access to data in mainframe environment 114.
FIG. 2 shows the operation of the system 100 where a client computer 202 is loaded with a browser 204. In operation the user of the client computer will initially log in to the client computer, which for a Windows-type computer would require the user to input his/her Windows user id and password for the client computer. Upon logging in, the user could then point the browser 204 to an application 208 loaded on web application server 206. In response to receiving an indication that the browser 204 has been pointed at the application 208, the application invokes the security/log-on procedures shown as Site Entry Point 209. The log-on procedure of the application then forwards 210 a sign-on page 211 to the browser, which is shown on a display. The user then inputs his/her mainframe user, or beta, ID, and a mainframe user password, typically using standard input devices such as a mouse and keyboard. This is the user id and password which is provided to a user for gaining access to the mainframe system 215, and generally the mainframe user id and password are different from the local system (client computer) user id and password.
Once the user has input the mainframe user id and the password, the user will click on the submit button on the page 211, and the user id and password will be transmitted to the site entry point 209. The security/log-on procedures 209 then call 214 the middleware layer 213, which operates to validate the mainframe beta ID and password; if they are validated, the middleware layer 213 generates a security token which is cached. With the security token a web application server session can be established 216 for the user who has logged onto client computer 202. Once the session has been established the application can access necessary data from the mainframe environment 215 (through the middleware 213). The mainframe system 215 will store the user id and password for the user who is using the selected application, and will still operate to restrict the user's access to data to which the user has not been granted access. The application 208 will communicate 218 the secure content to the user through the browser 204.
When the user is done with the selected application 208 and points the browser to the address of a different application, the subsequently selected application will present the user with another sign-on page 211, and the security/log-on procedures will be repeated. This approach requires that each time a user changes between applications which access information stored in the mainframe environment, the user will have to input login information to a sign-on page. Over the course of a day, where a user may have to frequently switch between a number of different applications, this repeated inputting of login information can lead to inefficiencies. To deal with this problem a number of different single sign-on systems and methods have been developed. However, it is believed that these previous single sign-on procedures are not optimal for an environment where a client is accessing web applications through a client computer, and the web application must access data from a mainframe environment.
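The following Python program is added here as an illustration of the sequence described in connection with FIG. 2; it is not part of the original disclosure and does not reproduce any actual product. It models the mainframe 215 as a credential store plus per-user account permissions, the middleware 213 as the component that validates the beta ID and password (step 214) and caches a security token, and each web application 208 as a site entry point 209 that establishes a session 216 and returns secure content 218. The credential hashing (PBKDF2), the token lifetime, and all names, user IDs and account data are constructed assumptions chosen for the example. The simulation counts how many times the sign-on page 211 is presented when a user moves from one application to another and back, which is the inefficiency the passage describes.

```python
"""Model of the per-application mainframe sign-on flow of FIG. 2 (constructed example)."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed lifetime of a cached security token; the page gives none


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumed hashing scheme; the page does not say how the mainframe stores passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Mainframe:
    """Mainframe 215: holds account data and restricts each beta ID to granted accounts."""

    def __init__(self) -> None:
        self._creds = {}     # beta ID -> (salt, PBKDF2 hash); never the plaintext password
        self._acl = {}       # beta ID -> set of account numbers the user may read
        self._accounts = {}  # account number -> holdings (constructed sample data)

    def add_user(self, beta_id: str, password: str, accounts) -> None:
        salt = secrets.token_bytes(16)
        self._creds[beta_id] = (salt, _hash_password(password, salt))
        self._acl[beta_id] = set(accounts)

    def add_account(self, number: str, holdings: dict) -> None:
        self._accounts[number] = holdings

    def check_credentials(self, beta_id: str, password: str) -> bool:
        entry = self._creds.get(beta_id)
        if entry is None:
            _hash_password(password, b"\x00" * 16)  # same cost for unknown IDs
            return False
        salt, expected = entry
        return hmac.compare_digest(_hash_password(password, salt), expected)

    def read_account(self, beta_id: str, number: str) -> dict:
        if number not in self._acl.get(beta_id, set()):
            raise PermissionError(f"{beta_id} is not granted access to account {number}")
        return self._accounts[number]


class Middleware:
    """Middleware 213: validates the beta ID and password (214) and caches a token."""

    def __init__(self, mainframe: Mainframe) -> None:
        self.mainframe = mainframe
        self._tokens = {}  # token -> (beta ID, expiry)

    def validate(self, beta_id: str, password: str):
        if not self.mainframe.check_credentials(beta_id, password):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (beta_id, time.monotonic() + TOKEN_TTL_SECONDS)
        return token

    def fetch(self, token: str, account_number: str) -> dict:
        entry = self._tokens.get(token)
        if entry is None or entry[1] < time.monotonic():
            self._tokens.pop(token, None)
            raise PermissionError("security token missing or expired")
        return self.mainframe.read_account(entry[0], account_number)


class WebApplication:
    """Web application 208 with its site entry point 209 and session table."""

    def __init__(self, name: str, middleware: Middleware) -> None:
        self.name = name
        self.middleware = middleware
        self._sessions = {}  # session ID -> security token
        self.sign_on_prompts = 0

    def site_entry_point(self, beta_id: str, password: str):
        self.sign_on_prompts += 1  # sign-on page 211 presented and submitted
        token = self.middleware.validate(beta_id, password)
        if token is None:
            return None
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = token  # session 216 established
        return session_id

    def secure_content(self, session_id: str, account_number: str) -> dict:
        return self.middleware.fetch(self._sessions[session_id], account_number)  # 218

    def end_session(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def build_demo():
    """Constructed environment: one representative, two accounts, two applications."""
    mf = Mainframe()
    mf.add_account("ACCT-100", {"XYZ": 100})
    mf.add_account("ACCT-200", {"ABC": 50})
    mf.add_user("rep01", "correct-horse", accounts=["ACCT-100"])  # not granted ACCT-200
    mw = Middleware(mf)
    return mf, mw, WebApplication("analysis", mw), WebApplication("portfolio", mw)


def simulate_day(apps, beta_id, password, account):
    """Visit apps in order, signing on at each switch; return (prompt count, last holdings)."""
    last = None
    for app in apps:
        session = app.site_entry_point(beta_id, password)
        if session is None:
            raise PermissionError("sign-on rejected")
        last = app.secure_content(session, account)
        app.end_session(session)  # leaving the application ends its session
    return sum(a.sign_on_prompts for a in set(apps)), last


if __name__ == "__main__":
    _, _, app_a, app_b = build_demo()
    print(simulate_day([app_a, app_b, app_a], "rep01", "correct-horse", "ACCT-100"))
```

Visiting the analysis application, then the portfolio application, then the analysis application again presents the sign-on page three times, one per application switch, even though the middleware already holds a valid cached token for the same user; the web-layer session is tied to one application and the mainframe credentials are re-entered each time. The mainframe still refuses accounts the beta ID was never granted, regardless of how the session was established.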