(19)
(11)EP 3 093 789 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
27.07.2022 Bulletin 2022/30

(21)Application number: 16168056.6

(22)Date of filing:  03.05.2016
(51)International Patent Classification (IPC): 
G06F 21/55(2013.01)
H04L 9/08(2006.01)
G06F 11/30(2006.01)
(52)Cooperative Patent Classification (CPC):
G06F 21/552; G06F 16/2255; G06F 11/3051

(54)

STORING STRUCTURED INFORMATION

SPEICHERUNG STRUKTURIERTER INFORMATIONEN

STOCKAGE D'INFORMATIONS STRUCTURÉES


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 14.05.2015 US 201514711926

(43)Date of publication of application:
16.11.2016 Bulletin 2016/46

(73)Proprietor: SSH Communications Security Oyj
00380 Helsinki (FI)

(72)Inventors:
  • YLÖNEN, Tatu J.
    02650 Espoo (FI)
  • GOLDMAN, Herb
    Bear, DE Delaware 19701 (US)

(74)Representative: Ruuskanen, Juha-Pekka 
Page White & Farrer Bedford House John Street
London WC1N 2BF
London WC1N 2BF (GB)


(56)References cited: : 
WO-A1-2013/093209
US-A1- 2011 252 418
  
      
    Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


    Description


    [0001] This disclosure relates to storing of structured information, and more particularly to storing centrally up-to-date structured information for a plurality of hosts.

    [0002] A data network can have a large number of computers and other entities connected therein. Devices such as user terminals and machine type terminals are often called as the host. The hosts can run a large number of various functionalities and features, such as security features that need to be controlled and administered. Various management applications have therefore been developed to provide assistance in operating a data network. A management application typically needs to collect substantial amounts of structured information such as data relating to configurations from a large number of computers and directories.

    [0003] For example, systems for managing keys, for example Secure Shell (SSH) keys, need to collect information about hosts, user accounts on hosts, and keys configured for users on hosts frequently. Information related to authenticators such as SSH keys generally includes information about authentication and mounted file system configuration on a host. Information about local user accounts may also be included. Various configuration information for each user on the host can also be included. This can possibly include users defined in directories such as LDAP (Lightweight Directory Access Protocol) directories or Active Directory. For users, the information typically includes any identity keys and authorized keys configured for each user.

    [0004] Collection of such information may be needed several times per day. Such systems may be used for managing large environments, even with millions of user accounts, including local accounts, and tens of thousands of computers. Thus the database storing this information can become very complex.

    [0005] Often there is no change in the collected configuration information compared to earlier information. The amount of configuration information received from each host can also be substantial.

    [0006] Parsing the configuration information, comparing it to previous information in a database, and updating a complex database to reflect any changes can cause significant load on the database, processor and memory usage. This is exacerbated by the potentially very large number of user accounts, hosts, and keys and/or other authenticators that may be present in large organizations.

    [0007] Reduction in the amount of processing needed when handling new configuration information for hosts stored in a remote location would thus be desired.

    [0008] The volume of data transfer for the configuration information updates can also be substantial. This can be especially the case if new information is obtained from hosts frequently. There can thus also be a desire to reduce the amount of data that needs to be transferred when the configuration information has not changed.

    [0009] It is noted that the above discussed issues are not limited to any particular system and data processing apparatus but may occur in any system where collection and storing of updated structured data may be needed.

    [0010] US20110252418A1 discloses a host controller sending a request for first status information to a host. The host controller receives first status information from the host along with a unique identifier that is associated with the first status information. After a time period, the host controller sends a new request for second status information to the host, the new request including the unique identifier. When second status information and the first status information are associated by the host with the same unique identifier, the host controller receives a response from the host indicating that the second status information is the same as the first status information. When the second status information and first status information are not associated by the host with the same unique identifier, the host controller receives the second status information and a new unique identifier from the host.

    [0011] WO2013/093209 discloses a management system storing configuration files for hosts in a database. Configuration files can be changed (e.g., by the management system, manually, or by using a helper script) to reflect changes in keys. The management system regularly connects a managed host, causing it to report any changes in keys. Full information can be regularly sent from a host to the management system, and the management system compares it with previously sent information to detect changes.

    [0012] Embodiments of the invention aim to address one or several of the above issues.

    [0013] The invention is defined by the appended independent claims. More specific aspects of the invention are defined by the dependent claims.

    [0014] In accordance with an aspect not within the scope of the claims there is provided a method comprising comparing a hash value computed over structured information determined for a host to a hash value computed over a corresponding structured information stored in a remote database for the host, the method further comprising one of causing update of at least a part of the stored structured information in response to determining a difference in the hash values, and keeping the stored structured information in the database in response to determining that the hash values are equal.

    [0015] In accordance with an aspect not within the scope of the claims there is provided an apparatus for controlling a database for storing structured information for a plurality of remote hosts, the apparatus comprising at least one processor, and at least one memory including computer program code, wherein the at least one memory and the computer program code are configured, with the at least one processor, to compare a hash value computed over structured information determined for a host to a hash value computed over a corresponding structured information stored for the host in the database, cause update of at least a part of the stored structured information in the database based on structured information received from the hosts in response to determination of a difference in the hash values, and keep the stored structured information in the database in response to determination that the hash values are equal.

    [0016] In accordance with an aspect not within the scope of the claims there is provided an apparatus in a computer system wherein structured information for a plurality of hosts is stored in a remote database, the apparatus comprising at least one processor, and at least one memory including computer program code, wherein the at least one memory and the computer program code are configured, with the at least one processor, to compare a hash value computed over current structured information for the host to a hash value computed over a corresponding structured information stored for the host in the remote database, and cause, in response to determination of a difference in the hash values, update of at least a part of the stored structured information for the hosts in the database based on said current structured information for the host, and refrain, in response to determination that the hash values are equal, from triggering an update of the stored structured information in the database.

    [0017] In accordance with a more detailed aspect the structured information comprises configuration information. The configuration information can comprise at least one authenticator. The at least one authenticator may comprise a secure shell (SSH) key and the configuration information comprises at least one configuration file for SSH.

    [0018] In accordance with an aspect structured information for the host is received in a data processing unit comprising the database and the hash values of the received and stored structured information are compared at the data processing unit. The hash value of the received structured information may be computed by the host or the data processing unit.

    [0019] New structured information can be determined for the host by the host. The comparing of the hash values of the new and stored structured information can be provided by the host. The host can trigger an update of at least a part of the stored structured information in the database in response to determining a difference in the hash values. The hash value of the stored structured information can be determined by the host. Alternatively, the hash value can be received from the data processing unit comprising the database.

    [0020] In accordance with an aspect the comparing is performed at a node separate from the host and a data processing unit comprising the database. The node can provide an interim node adapted to capture data communicated between the host and the database. The node can retrieve hash values computed based on the stored structured information from the database.

    [0021] The database can be adapted to store hash values computed over structured information in response to determination by the comparison that the hash values differ.

    [0022] A timestamp can be updated to indicate when structured information was last received from the host.

    [0023] The structured information may be fully parsed in the database only if the hash values differ.

    [0024] A hash value can be read from a database and communicated to the host, and the host can generate an indication that the hash values are equal or an indication that the hash values are not equal.

    [0025] A plurality of configuration parameters extracted from the structured information and the hash value computed over at least a part of the structured information can be stored in the database in response to determining difference in the hash values.

    [0026] A previously stored hash value can be communicated from the database to the host and the host can communicate to the database receiving an indication that such hash value for structured information matches a hash value for new structured information. In response to receiving new structured information from the host new parameters extracted from the structured information and a hash value determined for the structured information are stored in the database.

    [0027] In accordance with an aspects a system comprising a plurality of hosts as described herein and at least one remote database as described herein is provided. Computer software products for implementing the disclosed methods in a host, a database node and a node separate from the host and the database node can also be provided.

    [0028] Certain more detailed aspects are evident from the detailed description.

    [0029] Various exemplifying embodiments of the invention are illustrated by the attached drawings. Steps and elements may be reordered, omitted, and combined to form new embodiments, and any step indicated as performed may be caused to be performed by another device or module. In the Figures

    Figure 1 illustrates using hash values over a part of configuration information collected from a host to prevent redundant database update.

    Figure 2 illustrates using hash values over a part of configuration information collected from a host to prevent redundant transmission of information from the host.

    Figure 3 illustrates an apparatus for using hash values to prevent redundant database updates or data transmissions.

    Figure 4 illustrates an example of a computer system where the invention can be embodied.

    Figure 5 illustrates another example of a computer system where the invention can be embodied.

    Figure 6 illustrates a flowchart according to an embodiment.



    [0030] Certain example of methods and apparatuses are presented herein making speeding up handling of structured information possible, in particular making the process of storing of structured information in a central database received from or available at a host more efficient when the information has actually not changed, or avoiding triggering the update altogether. In the examples hash values are used to minimize data processing involved in database updates that need to be performed when the information has not changed or has only partially changed. Various hash functions for accelerating table or database lookup by detecting duplicated records in a large file are known. A hash function applicable in this invention can be any function that can be used to map digital data of arbitrary size to digital data of fixed size. Values returned by a hash function are typically called hash values, hash codes, hash sums, or simply hashes. A hash table can be used for rapid data lookup. Hash functions shall not be often confused with functions such as checksums, check digits, fingerprints, randomization functions, error-correcting codes, and ciphers. Although these concepts may look the same, each has its own uses and requirements and is designed and optimized differently.

    [0031] Transmission of information over a network can be reduced, and in certain scenario avoided altogether when the information has not changed. The process of database updates can be made more efficient by removing or at least reducing redundant database updates and related handling of data.

    [0032] A database update can comprise a specific procedure for determining if existing information needs to be replaced by new information. This reduces the CPU (Central Processing Unit) time required to parse data structures in a database that can sometimes be very complex structures. Concurrence control can also be improved. Concurrency control in the process of database update is often complicated task including complex series of database queries and updates.

    [0033] The structured information can comprise information such as configuration information. In accordance with a possibility the configuration information includes information on authenticators used for securing access and/or connections between hosts and users in an information system.

    [0034] In the embodiments one or more hash values are computed over all or certain parts of structured information associate with a host. The hash value(s) may be computed by the host, by an interim node or a system processing and storing received structured information. The step of comparing hashes of previously stored structured information and the current structured information can also be implemented at various nodes. Possibilities for the nodes performing the comparing include a system running the database and an interim node.

    [0035] The computed hash value(s) are compared with hash value(s) computed and/or stored in a database based on previously received and stored structured information. Only those parts of the configuration information whose hash value has changed need to be parsed and updated in a database.

    [0036] According to an example not within the scope of the claims the comparison is done at the host. A database can send the host a hash value of structured information stored at the database. One or more hash values can have been saved in a database when earlier structured information is processed. This saved information is then sent to a host. Alternatively, the host may have stored the hash value when it previously sent the structured information to the database for updating.

    [0037] After having received or otherwise obtained hash value for the currently stored information the host can compute a new hash value of the current structured information for the host. If the newly computed hash value is identical to the hash value of the structured information stored in the database, no database update is needed. If the hashes differ, a process to update the database is triggered. In response thereto the host can send the most recent structured information to the database, thereby causing update of the database with the most recent information. Thus e.g. new configuration information can be sent to a system processing and storing the configuration information centrally only if the information has actually changed. According to a possibility only those parts of the information that have changed are sent. This embodiment has a further advantage of reducing the network traffic required to update the database.

    [0038] According to an embodiment, comparison of hash values is done at a data processing unit running the database. Hosts can send the most recent hash of structured information to the unit running the database. The unit running the database compares hashes received from the hosts to hashes of the structured information stored in the database for the respective hosts. Hashes of structured information stored in the database can be calculated at this phase, i.e. in response to receiving a new hash from a host.

    [0039] According to a possibility a hash value can be calculated and stored in a remote database in advance. The hash can be stored in the same database where the structured information is stored. The hash can also be computed at the time of storing. Storing the hash in a database in advance can provide certain advantage, for example in reducing network traffic required to update the database. Calculating the hash of the structured information stored in the database in advance and storing can also benefit in accelerating the process.

    [0040] If the hashes match, no database update is necessary. If the hashes do not match, the database is updated with the new structured information.

    [0041] According to a further embodiment there is some flexibility where the hash is computed. The comparison can be done at a processing unit running the remote database based on information from a host. The host can send structured information to the unit running the database whenever there is a change. Optionally, the hash of the structured information may also be sent from the host. If not already received from the host, the unit running the database calculates the hash of the structured information received from the host. The unit also calculates the hash of the structured information stored in the database or retrieves a previously calculated hash of the structured information stored in the database. If the hash of the structured information received from the host matches with the hash of the structured information stored in the database, there is no need for an update of the database. If the hashes do not match, the database is updated with the most recent structured information.

    [0042] If the information, or relevant part thereof, has not changed, an indication to that effect can be sent from the host. This effectively compresses the sent information using a "same as before" indication.

    [0043] The database controller can parse the information and update the information and its hash value(s) in the database only if the new configuration information was sent.

    [0044] Operation in accordance with a couple of exemplifying scenarios are now explained in more detail with reference to flowcharts of Figures 1 and 2 and maintaining updated configuration information for a plurality of hosts centrally.

    [0045] In Figure 1 flowchart a method of using hash values over a part of configuration information collected from a host to prevent redundant database updates is shown. New configuration information is received from a host at 101. The configuration information comprises information about user information directories configured for the host (such as NIS (Network Information System), LDAP( Lightweight Directory Access Protocol) directories and Active Directory) and may comprise, e.g., one or more of the following: system-wide configuration information for the host, such as one or more IP (Internet Protocol) addresses configured for the host, information about mounted networked file systems on the host (e.g., contents of /etc/fstab), information on configuration and related PAM (Pluggable Authentication Modules) configuration, including any filters or restrictions specified on which user accounts exist on the host or where to look for user accounts in the directory, information about local user accounts configured on the host, information about directory accounts recently used on the host, configuration files and host key files for SSH (Secure Shell), host certificate(s) for SSH, web server certificates configured on the host, trusted certificate authorities configured for the host, SSH identity keys configured for one or more user accounts, SSH authorized keys configured for one or more user accounts (including their options, or perhaps the entire contents of relevant authorized keys files), and/or storage encryption keys configured for the host. For private keys, the configuration information may comprise the corresponding public key, a fingerprint derived from the public key, or the private key itself. The configuration information may also comprise log data collected from the host, as well as other information. It is noted that the above are non-exclusive examples and that the configurations information can include only some of the examples mentioned above or any combinations of the exemplifying pieces of information.

    [0046] A new hash value is determined for the new configuration information at 102. The hash value may be computed on the host or it may be computed from the new configuration information after reception. The hash value may cover the entire configuration information or some part of it. Multiple hash values may be determined for different parts of the configuration information (e.g., a separate hash might be computed for configuration information for each individual user account on the host).

    [0047] At least one old hash value for the host is read from a database at 103. Several hash values may be read, e.g., one for each individual user account on the host. The at last one old hash value is then compared to the new hash value at 104. At this stage steps 104-106 and possibly 107 may be repeated for each user account on the host.

    [0048] If the hash values are not the same, the configuration information is parsed at 105 to determine values of one or more configuration parameters, such as IP address of the host, enabled cryptographic algorithms for SSH or any other security protocol, SSH host keys or other authenticators, authorized keys and identity keys for each user account on the host and so on. The values of the configuration parameters are stored in the database at 106. This stage may involve comparing existing parameters with the new parameters to determine which parameters have changed. Such changes, if determined, may trigger further actions. Hash value(s) may also be updated in the database.

    [0049] If the old and new hash values are the same, parsing and updating information in the database is skipped. If update is considered necessary, the updating includes storing new value of at least one of the configuration parameters.

    [0050] A timestamp indicating when configuration data has last been received from the host is updated at 107. There could be several separate timestamps, such as one for each user on the host.

    [0051] Figure 2 illustrates an example not within the scope of the claims using hash values over a part of configuration information collected from a host to prevent redundant transmission of information from the host.

    [0052] At least one hash value for configuration information on the host is read from a database at 201. The at least one hash value is sent to the host at 202.

    [0053] New configuration information or an indication that the configuration information or part of it is the same as it was previously is received at 203. If there are multiple hash values for different parts of the configuration information, a separate indication or a new configuration information part can be provided for each such part. If it is determined at 204 that new configuration information is received for a part, the configuration information is parsed at 205 to determine new configuration parameters. The new configuration parameters are then stored and/or updated in the database at 206. One or more hashes may also be updated in the database.

    [0054] One or more timestamps indicating when information was last received are also updated at 207.

    [0055] Parsing the configuration information may mean, e.g., determining which authorized keys are configured for each user account. That may be implemented by parsing the authorized keys file. In the case of SSH sample code can be found in OpenSSH source code. The authorized keys are then stored in the database by comparing them to authorized keys already stored in the database for that user account. Missing keys are added and extra keys are deleted (or marked as being no longer existing). Any other actions due to changes in authorized keys are triggered (e.g., logging of the changes).

    [0056] Figure 3 illustrates an apparatus for using hash values to prevent redundant database updates or data transmissions. One or more processors (301), such as Intel Xeon series processors, are connected a non-transient computer-readable memory 303, such as SDRAM, comprising one or more program code means 304 for using hash values for handling received new configuration information and program data 305, and a database 306, such as PostgreSQL database, MS SQL database, or Oracle database.

    [0057] Examples of non-transitive computer-readable memories include semiconductor memory (e.g., SDRAM, flash, memristor memory), magnetic memory (e.g., hard disk), optical disk (e.g., DVD), and networked server (e.g., file server or web server) providing access to data stored in non-transitive computer-readable memory on the server over a network.

    [0058] Figure 4 shows an example for a system where configuration information for a plurality of host devices 10 is collected by a device 20. The data collection can take place over data links 12. The device 20 collecting and storing the configuration information can comprise at least one database 22 and at least one processor apparatus for controlling the operation of the device. As explained above, the various stages of processing can take place at the hosts or the central data processing unit comprising the database, or be distributed between them.

    [0059] Figure 5 shows an example of a system where comparison of hash function is done in a node 26 separate from the host 10 and a data processing unit 20 running the database 22. The separate unit can be e.g. an interim node adapted for capturing data communicated between hosts and a central database. The node can comprise appropriate data processing apparatus 27 and memory facility 28 to accomplish the data capture and hash comparison operations.

    [0060] Figure 6 shows a flowchart for a method in accordance with the herein disclosed principles. In the method a hash value computed over structured information determined for a host is compared at 300 to a hash value computed over a corresponding stored structured information for the host. Following the comparison, update of at least a part of the stored structured information can be caused at 302 in response to determining a difference in the hash values. The stored structured information can be kept at 304 as it is in response to determining that the hash values are equal.

    [0061] In accordance with an embodiment a computer program embedded in a non-transitory computer readable storage medium and comprising program code means adapted for processing one or more of the steps described herein is provided. The computer code can be adapted to compare a hash value computed over structured information determined for a host to a hash value computed over a corresponding structured information stored in a remote database for the host. The computing may be by the computer code, or by a another computer code running in another node. The computer code can then cause update of at least a part of the stored structured information in response to determining a difference in the hash values or refrain from the update and keep the stored structured information in the database in response to determining that the hash values are equal.

    [0062] The aspects of the embodiments of the invention may be combined to form new aspects and embodiments. Steps may be performed in any reasonable order, and steps may be omitted or other steps added.

    [0063] While certain information has been described as being stored in a database, it could equivalently be stored in two or more databases, such as one type of information being stored in one database and another kind of information in another database. Such split databases are still considered a single database for the purposes of this specification.

    [0064] The foregoing description has provided by way of exemplary and non-limiting examples a full and informative description of the exemplary embodiment of this invention. However, various modifications and adaptations may become apparent to those skilled in the relevant arts in view of the foregoing description, when read in conjunction with the accompanying drawings and the appended claims. All such and similar modifications of the teachings of this invention will still fall within the scope of this invention as defined in the appended claims. Indeed there is a further embodiment comprising a combination of one or more of any of the other embodiments previously discussed.


    Claims

    1. A method of controlling a remote database (22) for centrally storing configuration information for a plurality of hosts (10) in a data network, the method comprising:

    receiving, by a network device (20; 26) separate from the hosts (10) and configured to control the remote database (22), configuration information for a host, characterized by

    the configuration information comprising information about user information directories configured for the host;

    comparing, by the network device (20; 26), a hash value computed over the received configuration information for the host (10) to a hash value computed over a corresponding configuration information stored in the remote database (22) for the host to prevent redundant database updates of configuration information stored in the remote database (22);

    the method further comprising one of

    causing, by the network device (20; 26), update of at least a part of the stored configuration information in response to determining, by the network device, a difference in the hash values, and

    keeping the stored configuration information in the remote database (22) in response to determining, by the network device (20; 26), that the hash values are equal.


     
    2. The method of claim 1, wherein the configuration information comprises at least one authenticator.
     
    3. The method of claim 2, wherein the at least one authenticator comprises a secure shell, SSH, key and the configuration information comprises at least one configuration file for SSH.
     
    4. The method of any preceding claim, comprising receiving the configuration information for the host (10) in a data processing unit (20) comprising the database (22) and comparing the hash values of the received and stored configuration information by the data processing unit.
     
    5. The method of any of claims 1 to 3, comprising performing the comparing at an interim node (26) separate from the host (10) and a data processing unit (20) comprising the database (22).
     
    6. The method of any preceding claim, comprising

    retrieving the hash value for the comparison from the database (22), and

    storing in the database a new hash value computed over the configuration information in response to determination that the hash values differ.


     
    7. The method of any preceding claim, wherein the configuration information comprises information about at least one of Internet Protocol (IP) addresses configured for the host (10), networked file systems mounted on the host, local user accounts configured on the host, a system-wide configuration for the host, and all collected configuration information for at least one user account on the host.
     
    8. The method of any preceding claim, wherein the configuration information comprises information about at least one of at least one certificate associated with the host, at least one cryptographic key configured for a user account on the host, all authorized keys configured for the host, at least one cryptographic key configured for a user account on the host, the cryptographic key being an identity key or an authorized key for a user account, at least one Kerberos credential for the hosts, and at least one host-based authentication configuration file of at least one user account of the host.
     
    9. The method of any preceding claim, wherein the configuration information is fully parsed only if the hash values differ.
     
    10. An apparatus for a network device (20) configured for controlling a database (22) for centrally storing in a data network configuration information for a plurality of remote hosts (10), the apparatus comprising at least one processor (24), and at least one memory including computer program code, wherein the at least one memory and the computer program code are configured, with the at least one processor, to:

    receive configuration information for a remote host (10) in the data network wherein the configuration information comprises information about user information directories configured for the remote host;

    compare a hash value computed over the received configuration information for the remote host (10) to a hash value computed over a corresponding configuration information stored for the remote host in the database (22) to prevent redundant database updates of centrally stored configuration information in the database; and

    cause update of at least a part of the stored configuration information in the database based on the received configuration information in response to determination of a difference in the hash values, and

    keep the stored configuration information in the database in response to determination that the hash values are equal.


     
    11. The apparatus of claim 10, wherein the configuration information comprises information about at least one of IP addresses configured for the host, networked file systems mounted on the host, local user accounts configured on the host, a system-wide configuration for the host, at least one certificate associated with the host, at least one cryptographic key configured for a user account on the host, all collected configuration information for at least one user account on the host, all authorized keys configured for the host, at least one cryptographic key configured for a user account on the host, the cryptographic key being an identity key or an authorized key for a user account, at least one Kerberos credential for the host, and at least one host-based authentication configuration file of at least one user account of the host.
     
    12. The apparatus of claim 10 or 11, configured to update a timestamp indicating when configuration information was last received from the host.
     
    13. An apparatus for an interim node (26) in a data network wherein configuration information for a plurality of hosts is stored centrally in a remote database (22), the apparatus comprising at least one processor (27), and at least one memory (28) including computer program code, wherein the at least one memory and the computer program code are configured, with the at least one processor, to:

    receive configuration information for a remote host (10) in the data network, wherein the configuration information comprises information about user information directories configured for the remote host;

    compare a hash value computed over the received configuration information for the host (10) to a hash value computed over a corresponding configuration information stored for the host in the remote database (22) to prevent redundant database updates of centrally stored configuration information in the database; and

    cause, in response to determination of a difference in the hash values, update of at least a part of the stored configuration information for the hosts in the database based on said received configuration information for the host, and refrain, in response to determination that the hash values are equal, from triggering an update of the stored configuration information in the database.


     
    14. The apparatus of claim 13, configured to receive the hash value computed over the stored configuration information from the database (22).
     
    15. The apparatus of claim 13 or 14, configured to

    store configuration information for the host (10) in a node (26) separate from the host and the database (22);

    determine new configuration information for the host;

    compare the hash values of the new and the stored configuration information; and

    cause an update of at least a part of the stored configuration information in the database in response to determining a difference in the hash values.


     


    Ansprüche

    1. Verfahren zum Steuern einer entfernten Datenbank (22) zum zentralen Speichern von Konfigurationsinformationen für mehrere Hosts (10) in einem Datennetzwerk, wobei das Verfahren aufweist:

    Empfangen von Konfigurationsinformationen für einen Host durch eine Netzvorrichtung (20; 26), die von den Hosts (10) getrennt ist und konfiguriert ist, um die entfernte Datenbank (22) zu steuern, gekennzeichnet durch die Informationen über Benutzerinformationsverzeichnisse, die für den Host konfiguriert sind, aufweisenden Konfigurationsinformationen;

    Vergleichen, durch die Netzvorrichtung (20; 26), eines Hash-Wertes, der über die empfangenen Konfigurationsinformationen für den Host (10) kalkuliert wird, mit einem Hash-Wert, der über eine entsprechende Konfigurationsinformation kalkuliert wird, die in der entfernten Datenbank (22) für den Host gespeichert ist, um redundante Datenbankaktualisierungen von in der entfernten Datenbank (22) gespeicherten Konfigurationsinformationen zu verhindern;

    wobei das Verfahren ferner eines aufweist von

    Veranlassen, durch die Netzvorrichtung (20; 26), einer Aktualisierung wenigstens eines Teils der gespeicherten Konfigurationsinformationen als Reaktion auf das Ermitteln einer Differenz in den Hash-Wertendurch die Netzvorrichtung, und

    Halten der gespeicherten Konfigurationsinformationen in der entfernten Datenbank (22) als Reaktion auf das Ermitteln durch die Netzvorrichtung (20; 26), dass die Hash-Werte gleich sind


     
    2. Verfahren nach Anspruch 1, bei welchem die Konfigurationsinformationen wenigstens Authentifikator aufweisen.
     
    3. Verfahren nach Anspruch 2, bei welchem der wenigstens eine Authentifikator einen Secure Shell, SSH, - Schlüssel aufweist und die Konfigurationsinformationen wenigstens eine Konfigurationsdatei für SSH aufweisen.
     
    4. Verfahren nach einem der vorhergehenden Ansprüche, aufweisend ein Empfangen der Konfigurationsinformationen für den Host (10) in einer Datenverarbeitungseinheit (20) mit der Datenbank (22) und Vergleichen der Hash-Werte der empfangenen und gespeicherten Konfigurationsinformationen durch die Datenverarbeitungseinheit.
     
    5. Verfahren nach einem der Ansprüche 1 bis 3, aufweisend ein Durchführen des Vergleichens an einem Zwischenknoten (26) getrennt vom Host (10) und einer Datenverarbeitungseinheit (20) mit der Datenbank (22).
     
    6. Verfahren nach einem der vorhergehenden Ansprüche, aufweisend Abrufen des Hash-Wertes für den Vergleich aus der Datenbank (22), und Speichern eines neuen Hash-Werts, der über die Konfigurationsinformationen kalkuliert wird, in der Datenbank als Reaktion auf das Ermitteln, dass sich die Hash-Werte unterscheiden.
     
    7. Verfahren nach einem der vorhergehenden Ansprüche, bei welchem die Konfigurationsinformationen Informationen über wenigstens eines aufweisen von für den Host (10) konfigurierten Internetprotokoll (IP) - Adressen, auf dem Host montierten vernetzten Dateisystemen, auf dem Host konfigurierten lokalen Benutzerkonten, einer systemweiten Konfiguration für den Host und allen gesammelten Konfigurationsinformationen für wenigstens ein Benutzerkonto auf dem Host.
     
    8. Verfahren nach einem der vorhergehenden Ansprüche, bei welchem die Konfigurationsinformationen Informationen über wenigstens eines aufweisen von wenigstens einem mit dem Host verbundenen Zertifikat, wenigstens einem für ein Benutzerkonto auf dem Host konfigurierten kryptographischen Schlüssel, allen für den Host konfigurierten autorisierten Schlüsseln, wenigstens einem für ein Benutzerkonto auf dem Host konfigurierten kryptographischen Schlüssel, dem kryptographischen Schlüssel, der ein Identitätsschlüssel oder ein autorisierter Schlüssel für ein Benutzerkonto ist, wenigstens einem Kerberos-Berechtigungsnachweis für die Hosts und wenigstens einer host-basierten Authentifizierungskonfigurationsdatei von wenigstens einem Benutzerkonto des Hosts.
     
    9. Verfahren nach einem der vorhergehenden Ansprüche, bei welchem die Konfigurationsinformationen nur ganz geparst werden, wenn sich die Hash-Werte unterscheiden.
     
    10. Vorrichtung für eine Netzvorrichtung (20), die zum Steuern einer Datenbank (22) zum zentralen Speichern in einer Datennetzwerk-Konfigurationsinformation für mehrere entfernte Hosts (10) konfiguriert ist, wobei die Vorrichtung wenigstens einen Prozessor (24) und wenigstens einen Speicher mit Computerprogrammcode aufweist, wobei der wenigstens eine Speicher und der Computerprogrammcode mit dem wenigstens einen Prozessor konfiguriert sind, um:

    Konfigurationsinformationen für einen entfernten Host (10) im Datennetzwerk zu empfangen, wobei die Datennetzwerk, wobei die Konfigurationsinformationen Informationen über Benutzerinformationsverzeichnisse, die für den entfernten Host konfiguriert sind, aufweisen;

    einen Hash-Wert, der über die empfangenen Konfigurationsinformationen für den entfernten Host (10) kalkuliert wird, mit einem Hash-Wert, der über eine entsprechende Konfigurationsinformation kalkuliert wird, die für den entfernten Host in der Datenbank (22) gespeichert ist, zu vergleichen, um redundante Datenbankaktualisierungen von in der Datenbank zentral gespeicherten Konfigurationsinformationen zu verhindern; und

    eine Aktualisierung wenigstens eines Teils der gespeicherten Konfigurationsinformationen in der Datenbank basierend auf den empfangenen Konfigurationsinformationen als Reaktion auf das Ermitteln einer Differenz in den Hash-Werten zu veranlassen, und

    die gespeicherten Konfigurationsinformationen in der Datenbank als Reaktion auf das Ermitteln, dass die Hash-Werte gleich sind, zu halten.


     
    11. Vorrichtung nach Anspruch 10, bei welcher die Konfigurationsinformationen Informationen über wenigstens eines aufweisen von für den Host konfigurierten IP-Adressen, auf dem Host montierten vernetzten Dateisystemen, auf dem Host konfigurierten lokalen Benutzerkonten, einer systemweiten Konfiguration für den Host, wenigstens einem mit dem Host verbundenen Zertifikat, wenigstens einem für ein Benutzerkonto auf dem Host konfigurierten kryptographischen Schlüssel, allen gesammelten Konfigurationsinformationen für wenigstens ein Benutzerkonto auf dem Host, allen für den Host konfigurierten autorisierten Schlüsseln, wenigstens einem für ein Benutzerkonto auf dem Host konfigurierten kryptographischen Schlüssel, dem kryptographischen Schlüssel, der ein Identitätsschlüssel oder ein autorisierter Schlüssel für ein Benutzerkonto ist, wenigstens einem Kerberos-Berechtigungsnachweis für den Host und wenigstens einer host-basierten Authentifizierungskonfigurationsdatei von wenigstens einem Benutzerkonto des Hosts.
     
    12. Vorrichtung nach Anspruch 10 oder 11, die konfiguriert ist, um einen Zeitstempel zu aktualisieren, der anzeigt, wann Konfigurationsinformationen zuletzt vom Host empfangen wurden.
     
    13. Vorrichtung für einen Zwischenknoten (26) in einem Datennetzwerk, wobei Konfigurationsinformationen für mehrere Hosts zentral in einer entfernten Datenbank (22) gespeichert sind, wobei die Vorrichtung wenigstens einen Prozessor (27) und wenigstens einen Speicher (28) mit Computerprogrammcode aufweist, wobei der wenigstens eine Speicher und der Computerprogrammcode mit dem wenigstens einen Prozessor konfiguriert sind, um;

    Konfigurationsinformationen für einen entfernten Host (10) im Datennetzwerk zu empfangen, wobei die Konfigurationsinformationen Informationen über Benutzerinformationsverzeichnisse, die für den entfernten Host konfiguriert sind, aufweisen; einen Hash-Wert, der über die empfangenen Konfigurationsinformationen für den Host (10) kalkuliert wird, mit einem Hash-Wert, der über eine entsprechende Konfigurationsinformation kalkuliert wird, die für den Host in der entfernten Datenbank (22) gespeichert ist, zu vergleichen, um redundante Datenbankaktualisierungen von zentral gespeicherten Konfigurationsinformationen in der Datenbank zu verhindern; und

    als Reaktion auf die Ermittlung einer Differenz in den Hash-Werten, ein Aktualisieren wenigstens eines Teils der gespeicherten Konfigurationsinformationen für die Hosts in der Datenbank basierend auf den empfangenen Konfigurationsinformationen für den Host, und als Reaktion auf die Ermittlung, dass die Hash-Werte gleich sind, ein Unterlassen eines Auslösens einer Aktualisierung der gespeicherten Konfigurationsinformationen in der Datenbank zu veranlassen.


     
    14. Vorrichtung nach Anspruch 13, die konfiguriert ist, um den über die gespeicherten Konfigurationsinformationen kalkulierten Hash-Wert von der Datenbank (22) zu empfangen.
     
    15. Vorrichtung nach Anspruch 13 oder 14, die konfiguriert ist, um Konfigurationsinformationen für den Host (10) in einem von dem Host und der Datenbank (22) getrennten Knoten (26) zu speichern;

    neue Konfigurationsinformationen für den Host zu ermitteln;

    die Hash-Werte der neuen und der gespeicherten Konfigurationsinformation zu vergleichen; und

    eine Aktualisierung wenigstens eines Teils der gespeicherten Konfigurationsinformationen in der Datenbank als Reaktion auf das Ermitteln einer Differenz in den Hash-Werten zu veranlassen.


     


    Revendications

    1. Procédé de commande d'une base de données distante (22) pour stocker dans un réseau de données, de manière centralisée, des informations de configuration pour une pluralité d'hôtes (10), le procédé consistant à :
    recevoir, par un dispositif de réseau (20 ; 26) séparé des hôtes (10) et configuré pour commander la base de données distante (22), des informations de configuration pour un hôte, caractérisé en ce que :

    les informations de configuration comprennent des informations sur des répertoires d'information d'utilisateur qui sont configurés pour l'hôte ;

    le procédé consiste à comparer, par le dispositif de réseau (20 ; 26), une valeur de hachage calculée sur les informations de configuration pour l'hôte (10) telles que reçues à une valeur de hachage calculée sur des informations de configuration correspondantes qui sont stockées dans la base de données distante (22) pour l'hôte, afin d'empêcher des mises à jour redondantes de la base de données concernant les informations de configuration stockées dans la base de données distante (22) ;

    le procédé consistant en outre à l'une de ces étapes :

    provoquer, par le dispositif de réseau (20 ; 26), la mise à jour d'au moins une partie des informations de configuration stockées en réponse à la détermination, par le dispositif de réseau, d'une différence dans les valeurs de hachage, et

    conserver les informations de configuration stockées dans la base de données distante (22) en réponse à la détermination, par le dispositif de réseau (20 ; 26), que les valeurs de hachage sont égales.


     
    2. Procédé selon la revendication 1, dans lequel les informations de configuration comprennent au moins un authentifiant.
     
    3. Procédé selon la revendication 2, dans lequel ledit au moins un authentifiant comprend une clé SSH (Secure Shell), et les informations de configuration comprennent au moins un fichier de configuration pour SSH.
     
    4. Procédé selon l'une quelconque des revendications précédentes, consistant à recevoir les informations de configuration pour l'hôte (10) dans une unité de traitement de données (20) comprenant la base de données (22), et à comparer les valeurs de hachage des informations de configuration reçues et stockées par l'unité de traitement de données.
     
    5. Procédé selon l'une quelconque des revendications 1 à 3, consistant à effectuer la comparaison au niveau d'un nœud intermédiaire (26) séparé de l'hôte (10) et d'une unité de traitement de données (20) comprenant la base de données (22).
     
    6. Procédé selon l'une quelconque des revendications précédentes, consistant à :

    récupérer de la base de données (22), la valeur de hachage à des fins de comparaison, et

    stocker dans la base de données, une nouvelle valeur de hachage calculée sur les informations de configuration en réponse à la détermination que les valeurs de hachage différent.


     
    7. Procédé selon l'une quelconque des revendications précédentes, dans lequel les informations de configuration comprennent des informations sur au moins l'un parmi des adresses de protocole Internet (IP) configurées pour l'hôte (10), des systèmes de fichiers en réseau montés sur l'hôte, des comptes d'utilisateurs locaux configurés sur l'hôte, une configuration à l'échelle du système pour l'hôte, et toutes les informations de configuration collectées pour au moins un compte d'utilisateur sur l'hôte.
     
    8. Procédé selon l'une quelconque des revendications précédentes, dans lequel les informations de configuration comprennent des informations sur au moins l'un parmi au moins un certificat associé à l'hôte, au moins une clé cryptographique configurée pour un compte d'utilisateur sur l'hôte, toutes les clés autorisées configurées pour l'hôte, au moins une clé cryptographique configurée pour un compte d'utilisateur sur l'hôte, la clé cryptographique étant une clé d'identité ou une clé autorisée pour un compte d'utilisateur, au moins un justificatif d'identité Kerberos pour les hôtes, et au moins un fichier de configuration d'authentification basé sur l'hôte d'au moins un compte d'utilisateur de l'hôte.
     
    9. Procédé selon l'une quelconque des revendications précédentes, dans lequel les informations de configuration ne sont entièrement analysées que si les valeurs de hachage diffèrent.
     
    10. Appareil destiné à un dispositif de réseau (20) configuré pour commander une base de données (22) pour stocker dans un réseau de données, de manière centralisée, des informations de configuration pour une pluralité d'hôtes distants (10), l'appareil comprenant au moins un processeur (24) et au moins une mémoire incluant un code de programme informatique, dans lequel ladite au moins une mémoire et le code de programme informatique sont configurés, avec ledit au moins un processeur, pour :

    recevoir des informations de configuration pour un hôte distant (10) dans le réseau de données, dans lequel les informations de configuration comprennent des informations sur des répertoires d'information d'utilisateur qui sont configurés pour l'hôte distant ;

    comparer une valeur de hachage calculée sur les informations de configuration pour l'hôte distant (10) telles que reçues à une valeur de hachage calculée sur des informations de configuration correspondantes qui sont stockées dans la base de données distante (22) pour l'hôte distant, afin d'empêcher des mises à jour redondantes de la base de données concernant les informations de configuration stockées de manière centralisée dans la base de données ; et

    provoquer la mise à jour d'au moins une partie des informations de configuration stockées dans la base de données en se basant sur les informations de configuration reçues, en réponse à la détermination d'une différence dans les valeurs de hachage, et

    conserver les informations de configuration stockées dans la base de données, en réponse à la détermination que les valeurs de hachage sont égales.


     
    11. Appareil selon la revendication 10, dans lequel les informations de configuration comprennent des informations sur au moins l'un parmi des adresses IP configurées pour l'hôte, des systèmes de fichiers en réseau montés sur l'hôte, des comptes d'utilisateurs locaux configurés sur l'hôte, une configuration à l'échelle du système pour l'hôte, au moins un certificat associé à l'hôte, au moins une clé cryptographique configurée pour un compte d'utilisateur sur l'hôte, toutes les informations de configuration collectées pour au moins un compte d'utilisateur sur l'hôte, toutes les clés autorisées configurées pour l'hôte, au moins une clé cryptographique configurée pour un compte d'utilisateur sur l'hôte, la clé cryptographique étant une clé d'identité ou une clé autorisée pour un compte d'utilisateur, au moins un justificatif d'identité Kerberos pour l'hôte, et au moins un fichier de configuration d'authentification basé sur l'hôte d'au moins un compte d'utilisateur de l'hôte.
     
    12. Appareil selon la revendication 10 ou 11, lequel est configuré pour mettre à jour un horodatage indiquant quand les informations de configuration ont été reçues de l'hôte pour la dernière fois.
     
    13. Appareil destiné à un nœud intermédiaire (26) dans un réseau de données, dans lequel des informations de configuration pour une pluralité d'hôtes sont stockées de manière centralisée dans une base de données distante (22), l'appareil comprenant au moins un processeur (27) et au moins une mémoire (28) incluant un code de programme informatique, dans lequel ladite au moins une mémoire et le code de programme informatique sont configurés, avec ledit au moins un processeur, pour :

    recevoir des informations de configuration pour un hôte distant (10) dans le réseau de données, dans lequel les informations de configuration comprennent des informations sur des répertoires d'information d'utilisateur qui sont configurés pour l'hôte distant ;

    comparer une valeur de hachage calculée sur les informations de configuration pour l'hôte (10) telles que reçues à une valeur de hachage calculée sur des informations de configuration correspondantes qui sont stockées dans la base de données distante (22) pour l'hôte, afin d'empêcher des mises à jour redondantes de la base de données concernant les informations de configuration stockées de manière centralisée dans la base de données ; et

    provoquer, en réponse à la détermination d'une différence dans les valeurs de hachage, la mise à jour d'au moins une partie des informations de configuration stockées pour les hôtes dans la base de données en se basant sur lesdites informations de configuration reçues pour l'hôte, et renoncer, en réponse à la détermination que les valeurs de hachage sont égales, à déclencher une mise à jour des informations de configuration stockées dans la base de données.


     
    14. Appareil selon la revendication 13, lequel est configuré pour recevoir la valeur de hachage calculée sur les informations de configuration stockées provenant de la base de données (22).
     
    15. Appareil selon la revendication 13 ou 14, lequel est configuré pour :

    stocker des informations de configuration pour l'hôte (10) dans un nœud (26) séparé de l'hôte et de la base de données (22) ;

    déterminer de nouvelles informations de configuration pour l'hôte ;

    comparer les valeurs de hachage des nouvelles informations de configuration et des informations de configuration stockées ; et

    provoquer une mise à jour d'au moins une partie des informations de configuration stockées dans la base de données, en réponse à la détermination d'une différence dans les valeurs de hachage.


     




    Drawing




















    Cited references

    REFERENCES CITED IN THE DESCRIPTION



    This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

    Patent documents cited in the description