CN110737906A - Method and device for imperceptible switching of a privileged account of a middleware connection pool - Google Patents
Method and device for imperceptible switching of a privileged account of a middleware connection pool
- Publication number: CN110737906A
- Application number: CN201910901173.3A
- Authority: CN (China)
- Legal status: Pending
Classifications
- G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F21/60 Protecting data
    - G06F21/604 Tools and structures for managing or administering access control systems
- G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements
  - G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention discloses a method and a device for imperceptibly switching the privileged account of a middleware connection pool. The method comprises the following steps: a front-end user accesses an application; the application is deployed on the related middleware and exposes an access address for users; a dual-account deployment module provides virtual-account access for the connection pool and switches the application's account imperceptibly; and when the password of the connection pool's privileged account, hosted in a privileged account security management system, reaches its change date, a master/slave switching mechanism is triggered: the master account is switched to the inactive privileged account, the slave account is switched to the active privileged account, and the password of the inactive privileged account is then modified.
Description
Technical Field
The invention relates to the field of privileged account security management, and in particular to a method and a device for imperceptible switching of a middleware connection pool privileged account.
Background
Information security protection measures are becoming ever more advanced, but the last line of defence for data, the privileged account and its password, has never been effectively protected and managed, and attackers can still enter an enterprise's internal network through legitimate technical paths and steal valuable data.
In particular, for applications such as a bank's, whose business load is heavy and which cannot be stopped at will to update the middleware connection pool password, the traditional bastion host offers no solution that avoids a restart, so the middleware connection pool password of key core applications cannot be changed regularly and classified-protection compliance requirements cannot be met.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method and an apparatus for imperceptibly switching the privileged account of a middleware connection pool, which allow the privileged account password of an enterprise's or organization's middleware connection pool to be changed periodically, with seamless switching during the change, so that the stability of key application systems is preserved. The method and apparatus thus not only strengthen the security of the enterprise's or organization's middleware connection pool privileged accounts but also better ensure the stable operation of the business system.
The technical solution adopted by the invention to solve this problem is a method for imperceptible switching of a middleware connection pool privileged account, comprising the following steps:
A) a front-end user accesses the application;
B) the application is deployed on the related middleware and exposes an access address for users;
C) a dual-account deployment module provides virtual-account access for the connection pool and switches the application's account imperceptibly;
D) when the password of the privileged account of the middleware connection pool, hosted in the privileged account security management system, reaches its change date, a master/slave switching mechanism is triggered: the master account is switched to the inactive privileged account, the slave account is switched to the active privileged account, and the password of the inactive privileged account is modified.
In the method for imperceptible switching of a middleware connection pool privileged account according to the invention, the privileged account security management system comprises:
a node management unit: used for building a directory tree that matches the enterprise's organizational structure and allowing differently entitled users to manage their own directories independently;
an account management unit: used for importing and hosting privileged accounts and performing life-cycle management centred on the privileged account itself;
an access control unit: used for subdividing permissions on account use so that different users have different use permissions on different accounts;
a session monitoring unit: used for recording, monitoring, intercepting and auditing the user's single sign-on sessions on an account;
an audit management unit: used for providing log queries to the audit function, covering at least account use and management and platform changes;
an approval management unit: used for providing users with a per-request approval workflow for account use;
a system setting unit: used for providing users with platform-wide account policy and connection policy, user settings and editable attribute parameters;
the node management unit, account management unit, access control unit, session monitoring unit, audit management unit, approval management unit and system setting unit being connected to one another.
In the method for imperceptible switching of a middleware connection pool privileged account according to the invention, the account management unit further comprises:
an account rotation module: used for automatic password rotation of the target privileged account according to the requirements of the enterprise management policy;
an embedded dependency synchronization module: used either to replace hard-coded passwords in enterprise applications, scripts and operations tools with synchronization-module code, so that the passwords are not exposed, or, in push mode, to periodically push new passwords into the hard-coded configuration;
a single sign-on connection module: used to give users one-click connection capability and to let an administrator centrally distribute a client tool to users, achieving single sign-on so that the password never reaches the user's side while continuous monitoring and auditing remain possible;
a fine-grained sharing module: used to provide users with sharing at account-level granularity;
the account rotation module, embedded dependency synchronization module, single sign-on connection module and fine-grained sharing module being connected to one another.
The invention also relates to an apparatus for implementing the method for imperceptible switching of a middleware connection pool privileged account, comprising:
an access unit: the front-end user accesses the application;
a deployment unit: deploys the application on the related middleware and exposes an access address for users;
an imperceptible switching unit: a dual-account deployment module provides virtual-account access for the connection pool and switches the application's account imperceptibly;
a password modification unit: used to trigger the master/slave switching mechanism when the password of the privileged account of the middleware connection pool, hosted in the privileged account security management system, reaches its change date, switching the master account to the inactive privileged account, switching the slave account to the active privileged account, and modifying the password of the inactive privileged account.
In the apparatus of the present invention, the privileged account security management system comprises:
a node management unit: used for building a directory tree that matches the enterprise's organizational structure and allowing differently entitled users to manage their own directories independently;
an account management unit: used for importing and hosting privileged accounts and performing life-cycle management centred on the privileged account itself;
an access control unit: used for subdividing permissions on account use so that different users have different use permissions on different accounts;
a session monitoring unit: used for recording, monitoring, intercepting and auditing the user's single sign-on sessions on an account;
an audit management unit: used for providing log queries to the audit function, covering at least account use and management and platform changes;
an approval management unit: used for providing users with a per-request approval workflow for account use;
a system setting unit: used for providing users with platform-wide account policy and connection policy, user settings and editable attribute parameters;
the node management unit, account management unit, access control unit, session monitoring unit, audit management unit, approval management unit and system setting unit being connected to one another.
In the apparatus of the present invention, the account management unit further comprises:
an account rotation module: used for automatic password rotation of the target privileged account according to the requirements of the enterprise management policy;
an embedded dependency synchronization module: used either to replace hard-coded passwords in enterprise applications, scripts and operations tools with synchronization-module code, so that the passwords are not exposed, or, in push mode, to periodically push new passwords into the hard-coded configuration;
a single sign-on connection module: used to give users one-click connection capability and to let an administrator centrally distribute a client tool to users, achieving single sign-on so that the password never reaches the user's side while continuous monitoring and auditing remain possible;
a fine-grained sharing module: used to provide users with sharing at account-level granularity;
the account rotation module, embedded dependency synchronization module, single sign-on connection module and fine-grained sharing module being connected to one another.
The method and the device for imperceptible switching of a middleware connection pool privileged account have the following advantages: the invention ensures that the privileged account password of an enterprise's or organization's middleware connection pool can be changed regularly, ensures seamless switching during the change period, preserves the stability of key application systems, strengthens the security of the enterprise's or organization's middleware connection pool privileged accounts, and better ensures the stable operation of the business system.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings described below are only embodiments of the present invention; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of the method in an embodiment of the method and apparatus for imperceptible switching of a middleware connection pool privileged account of the present invention;
Fig. 2 is a flowchart of the method for imperceptible switching of a middleware connection pool privileged account in the embodiment;
Fig. 3 is a schematic structural diagram of the privileged account security management system in the embodiment;
Fig. 4 is a schematic structural diagram of the account management unit in the embodiment;
Fig. 5 is a schematic structural diagram of the apparatus in the embodiment.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings; the described embodiments are only some embodiments of the present invention, not all of them.
In the embodiment of the method and the device for imperceptible switching of a middleware connection pool privileged account, the flowchart of the method is shown in Fig. 1, and Fig. 2 is a flowchart of the method in this embodiment. As shown in Fig. 1, the method for imperceptible switching of a middleware connection pool privileged account comprises the following steps:
Step S01, the front-end user accesses the application: in this step, the front-end user accesses the application.
Step S02, the application is deployed on the relevant middleware and exposes an access address: in this step, the application is deployed on the relevant middleware and provides an access address to the outside for users to access.
Step S03, the dual-account deployment module provides virtual-account access to the connection pool and switches the application's account imperceptibly: in this step, the dual-account deployment module (the dual accounts being a primary account and a secondary account) provides virtual-account access to the connection pool and switches the application's account without the application noticing.
Step S04, when the privileged account password of the middleware connection pool hosted in the privileged account security management system reaches its change date, the master/slave switching mechanism is triggered, the master account is switched to the inactive privileged account, the slave account is switched to the active privileged account, and the password of the inactive privileged account is modified: in this step, when the connection pool's privileged account password hosted in the security management system reaches its change date, the master/slave switching mechanism is triggered; specifically, the master account is switched to the inactive privileged account, the slave account is switched to the active privileged account, and the password of the inactive privileged account is modified, that is, the original master account is rotated out automatically.
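To make the master/slave switching of steps S03 and S04 concrete, the following Python is an added illustration and not code from the patent or from any product: a constructed target database, a vault that exposes the two real accounts through one virtual account, and a minimal pool that only ever asks the vault which credential to use. The account names, the 90-day interval and the `secrets.token_urlsafe` password generator are assumptions. The ordering inside `rotate_if_due` is the point: swap roles first, recycle idle connections, and only then change the password of the account nothing logs in with any more. `single_account_rotation_fails` shows the failure mode the patent contrasts against, where a lone account's password is rotated while the pool still holds the old secret.

```python
"""Dual-account rotation for a middleware connection pool (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
import secrets


@dataclass
class Account:
    name: str
    password: str


class TargetDatabase:
    """Constructed stand-in for the database behind the connection pool."""

    def __init__(self, accounts):
        self._creds = {a.name: a.password for a in accounts}

    def credentials_valid(self, user, password):
        return self._creds.get(user) == password

    def connect(self, user, password):
        if not self.credentials_valid(user, password):
            raise PermissionError(f"login failed for {user}")
        return user  # the "connection" is just the user it was opened as

    def set_password(self, user, new_password):
        self._creds[user] = new_password


class DualAccountVault:
    """Hosts the master/slave pair and exposes them as one virtual account."""

    def __init__(self, master, slave, change_interval, start):
        self.accounts = {master.name: master, slave.name: slave}
        self.active, self.inactive = master.name, slave.name
        self.change_interval = change_interval
        self.next_change = start + change_interval

    def resolve(self):
        # virtual account -> credentials of whichever real account is active
        acct = self.accounts[self.active]
        return acct.name, acct.password

    def rotate_if_due(self, today, db, pool):
        """Step S04: on the change date swap roles, then rotate the inactive one."""
        if today < self.next_change:
            return False
        # 1. swap: the former slave becomes the active account
        self.active, self.inactive = self.inactive, self.active
        # 2. drop idle connections so every new checkout re-resolves the alias
        pool.recycle()
        # 3. only now change the password of the account nobody logs in with
        new_pw = secrets.token_urlsafe(24)  # assumption: randomly generated secret
        db.set_password(self.inactive, new_pw)
        self.accounts[self.inactive].password = new_pw
        self.next_change = today + self.change_interval
        return True


class ConnectionPool:
    """Minimal pool: it never stores a real account, it only asks the vault."""

    def __init__(self, db, vault):
        self.db, self.vault, self.idle = db, vault, []

    def checkout(self):
        return self.idle.pop() if self.idle else self.db.connect(*self.vault.resolve())

    def checkin(self, conn):
        self.idle.append(conn)

    def recycle(self):
        self.idle.clear()


def dual_account_rotation():
    """Run one 90-day cycle and report what the pool and the database saw."""
    master = Account("app_pool_a", "initial-a")  # constructed names and secrets
    slave = Account("app_pool_b", "initial-b")
    db = TargetDatabase([master, slave])
    start = date(2024, 1, 1)
    vault = DualAccountVault(master, slave, timedelta(days=90), start)
    pool = ConnectionPool(db, vault)
    first = pool.checkout()
    pool.checkin(first)
    early = vault.rotate_if_due(start + timedelta(days=30), db, pool)
    due = vault.rotate_if_due(start + timedelta(days=90), db, pool)
    second = pool.checkout()  # served by the new active account, no restart
    return {
        "first_conn_user": first,
        "rotated_early": early,
        "rotated_on_date": due,
        "second_conn_user": second,
        "old_master_password_still_valid": db.credentials_valid("app_pool_a", "initial-a"),
        "active_password_untouched": db.credentials_valid("app_pool_b", "initial-b"),
        "next_change": vault.next_change.isoformat(),
    }


def single_account_rotation_fails():
    """Contrast: rotating a lone account while the pool still uses it breaks logins."""
    only = Account("app_pool", "initial")
    db = TargetDatabase([only])
    db.set_password("app_pool", secrets.token_urlsafe(24))  # rotated under the pool
    return not db.credentials_valid(only.name, only.password)  # stale secret refused
```

Connections already open under the old master are not touched by the swap; only new checkouts go to the new active account, which is why the application needs no restart. A real deployment would also drain in-use connections on their next return and verify the new password against the target before recording it in the vault.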
Fig. 3 is a schematic structural diagram of the privileged account security management system in this embodiment. In Fig. 3, the system comprises a node management unit 1, an account management unit 2, an access control unit 3, a session monitoring unit 4, an audit management unit 5, an approval management unit 6 and a system setting unit 7, which are connected to one another. The node management unit 1 builds a directory tree matching the enterprise's organizational structure and allows differently entitled users to manage their own directories independently.
The account management unit 2 imports and hosts privileged accounts and performs life-cycle management centred on the privileged account itself. In particular, it addresses the problem that privileged accounts requiring automatic verification, change or even reset (password recovery) come in many types and are often embedded in DevOps tools, code and programs, where they are hard to manage. For example, the continuous-integration tool Jenkins may embed a cloud platform's development access key; the key is then easily exposed in the tool's configuration, its use is hard to audit, and regular key rotation becomes burdensome. The account management unit 2 solves this problem well. In addition, when a user (a human) needs to use such account credentials, the single sign-on connection module of the account management unit 2 lets them be used securely without the credentials ever being handed to the user.
The access control unit 3 subdivides account use permissions so that different users have different use permissions on different accounts. Its account password vault function provides the ability to add, modify and manage vaults, offers a logically independent space (a vault) for account storage, and grants users access authorization on the basis of a set of vaults.
The session monitoring unit 4 conveniently records, monitors, intercepts and audits the user's single sign-on sessions on an account. It can provide fast session search, location of operation records, session intervention, operation interception and similar functions.
The audit management unit 5 provides the audit function with log queries covering at least account use and management and platform changes; in other words, it provides the audit function with log queries across dimensions such as account use and management and platform changes.
The approval management unit 6 provides users with a per-request approval workflow for account use; the approval process can specify factors such as the approver, the operation content, the time window and the reason, and the unit has plug-in extension capability so that it can be connected to an external work-order system.
The system setting unit 7 provides users with platform-wide capabilities such as account policy, connection policy, user settings and editable attribute parameters, and is mainly connected to the account management unit 2.
By providing the node management unit 1, the account management unit 2, the access control unit 3, the session monitoring unit 4, the audit management unit 5, the approval management unit 6 and the system setting unit 7, the invention lets an enterprise's privileged accounts be managed automatically, lets users sign on without ever touching a password, and supports flexible, plug-in management of privileged accounts in environments such as cloud, DevOps and containerized platforms.
Fig. 4 is a schematic structural diagram of the account management unit in this embodiment. In Fig. 4, the account management unit 2 further comprises an account rotation module 21, an embedded dependency synchronization module 22, a single sign-on connection module 23 and a fine-grained sharing module 24, connected to one another; in addition, the account rotation module 21, the embedded dependency synchronization module 22 and the single sign-on connection module 23 are connected to the system setting unit 7, the node management unit 1, the approval management unit 6 and the audit management unit 5.
The account rotation module 21 performs automatic password rotation on the target privileged account according to the enterprise management policy, for example periodic verification, password change and automatic reset on error. It rotates the target account's password according to the defined account policy, and the type of target account is not restricted. Currently supported account types include, but are not limited to, operating system accounts, database accounts, network security device accounts, virtualization console accounts, cloud platform console accounts, container administrator accounts, DevOps tool console accounts, application middleware console accounts (non-operating-system accounts) and development interface access key accounts.
The embedded dependency synchronization module 22 replaces hard-coded passwords in enterprise applications, scripts and operations tools with synchronization-module code, so that the passwords are not exposed, or alternatively works in push mode and periodically pushes new passwords into the hard-coded configuration. It is interconnected with the account rotation module 21 and is responsible for synchronously pushing the account managed by module 21 to every embedded dependency location that needs it, such as a system service, a configuration file, a tool setting or a database table entry. It can also provide a language package for passwords embedded in program code, replacing the plaintext password so that the program no longer needs to hard-code it, while the identity validity and safety of the consuming program can be audited, restricted and isolated.
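The two modes of module 22, pull (the program asks a sync module at use time) and push (the rotated password is written into the existing hard-coded configuration), are shown below in added Python; this is an illustration, not the patent's or any product's code. The `SyncModule` class, the `key=value` config format, the file name and the alias `app_pool_b` are all constructed assumptions. The push path rewrites only the `password=` value and replaces the file atomically, so a rotation interrupted mid-write cannot leave a half-written config behind.

```python
"""Embedded-dependency synchronization in pull and push mode (added example)."""
import os
import re
import tempfile


class SyncModule:
    """Constructed stand-in for the security management system's sync endpoint."""

    def __init__(self):
        self._secrets = {}

    def put(self, alias, password):
        self._secrets[alias] = password

    def get(self, alias):
        return self._secrets[alias]


# Pull mode: the program holds only an alias and asks the sync module at use
# time, so no password is present in code, config or version control.
def build_dsn(sync, alias, host="db.internal", dbname="orders"):
    return f"postgresql://{alias}:{sync.get(alias)}@{host}/{dbname}"


# Push mode: the hard-coded entry stays, but the sync module rewrites it on
# every rotation. Only the password line changes and the write is atomic.
PASSWORD_LINE = re.compile(r"^(\s*password\s*=\s*)(.*)$", re.MULTILINE)


def push_password(path, new_password):
    """Replace the password= value in a key=value config; return the old value."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    match = PASSWORD_LINE.search(text)
    if match is None:
        raise KeyError(f"no password entry in {path}")
    old = match.group(2)
    updated = text[: match.start(2)] + new_password + text[match.end(2):]
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".cfg-")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(updated)
    os.replace(tmp, path)  # atomic rename: readers see old or new, never partial
    return old


def demo_sync():
    """Exercise both modes on a constructed config file and report the results."""
    sync = SyncModule()
    sync.put("app_pool_b", "rotated-secret")  # constructed alias and secret
    pulled = build_dsn(sync, "app_pool_b")
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "datasource.properties")
        with open(cfg, "w", encoding="utf-8") as f:
            f.write("host=db.internal\nuser=app_pool_a\npassword=initial-a\npool.size=10\n")
        old = push_password(cfg, "rotated-secret")
        with open(cfg, encoding="utf-8") as f:
            pushed = f.read()
    return {"pulled_dsn": pulled, "old_password": old, "pushed_config": pushed}
```

In push mode the consuming middleware still has to re-read the file (or be told to), which is exactly the gap the dual-account switch closes for connection pools that cannot be restarted.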
The single sign-on connection module 23 gives users one-click connection capability, lets an administrator centrally distribute a client tool to users, and achieves single sign-on so that the password never reaches the user's side; this improves security and keeps continuous monitoring and auditing possible.
The fine-grained sharing module 24 provides users with sharing at account-level granularity, flexibly meeting the need for temporary authorization.
Compared with current practice, in which enterprises or organizations leave the privileged account password of the middleware connection pool in key services unchanged for long periods, the method of the invention adopts an imperceptible switching mechanism for the middleware connection pool privileged account password: when the connection pool's privileged account password hosted in the privileged account security management system reaches its change date, the dual-account mechanism is triggered, the active and inactive accounts are swapped automatically, and the password of the now-inactive privileged account is then modified.
The embodiment also relates to an apparatus for implementing the method for imperceptible switching of a middleware connection pool privileged account, whose structure is shown schematically in Fig. 5. In Fig. 5 the apparatus comprises an access unit 100, a deployment unit 200, an imperceptible switching unit 300 and a password modification unit 400. The access unit 100 is for a front-end user to access the application; the deployment unit 200 deploys the application on the related middleware and exposes an access address for users; the imperceptible switching unit 300 provides virtual-account access to the connection pool through a dual-account deployment module and switches the application's account imperceptibly; and the password modification unit 400 triggers the master/slave switching mechanism when the connection pool's privileged account password hosted in the privileged account security management system reaches its change date, switching the master account to the inactive privileged account, switching the slave account to the active privileged account, and modifying the password of the inactive privileged account.
Compared with current practice, in which enterprises or organizations leave the privileged account password of the middleware connection pool in key services unchanged for long periods, the apparatus of the invention adopts an imperceptible switching mechanism for the middleware connection pool privileged account password: when the connection pool's privileged account password hosted in the privileged account security management system reaches its change date, the dual-account mechanism is triggered, the active and inactive accounts are swapped automatically, and the password of the now-inactive privileged account is then modified.
In summary, the invention provides imperceptible switching of middleware connection pool privileged accounts: based on dual-account deployment, a mechanism of dual-account deployment and seamless switching of the connection pool is adopted, which solves the problem that connection pool privileged account passwords cannot be changed periodically, and also the problem that a delayed periodic rotation leaves a wrong password in place and causes the database account to be locked; the method is applied in a privileged account security management system.
The above description only illustrates preferred embodiments of the present invention and is not to be construed as limiting it; any modifications, equivalents, improvements and the like that fall within the spirit and principles of the present invention are intended to be included within its scope.
Claims (6)
1. A method for imperceptible switching of a middleware connection pool privileged account, characterized by comprising the following steps:
A) a front-end user accesses the application;
B) the application is deployed on the related middleware and exposes an access address for users;
C) a dual-account deployment module provides virtual-account access for the connection pool and switches the application's account imperceptibly;
D) when the password of the privileged account of the middleware connection pool, hosted in the privileged account security management system, reaches its change date, a master/slave switching mechanism is triggered: the master account is switched to the inactive privileged account, the slave account is switched to the active privileged account, and the password of the inactive privileged account is modified.
2. The method for imperceptible switching of a middleware connection pool privileged account of claim 1, wherein the privileged account security management system comprises:
a node management unit: used for building a directory tree that matches the enterprise's organizational structure and allowing differently entitled users to manage their own directories independently;
an account management unit: used for importing and hosting privileged accounts and performing life-cycle management centred on the privileged account itself;
an access control unit: used for subdividing permissions on account use so that different users have different use permissions on different accounts;
a session monitoring unit: used for recording, monitoring, intercepting and auditing the user's single sign-on sessions on an account;
an audit management unit: used for providing log queries to the audit function, covering at least account use and management and platform changes;
an approval management unit: used for providing users with a per-request approval workflow for account use;
a system setting unit: used for providing users with platform-wide account policy and connection policy, user settings and editable attribute parameters;
the node management unit, account management unit, access control unit, session monitoring unit, audit management unit, approval management unit and system setting unit being connected to one another.
3. The method for noninductive switching of a middleware connection pool privileged account as claimed in claim 2, wherein the account management unit further comprises:
an account rotation module: used for carrying out automatic password rotation management on the target privileged account according to the enterprise management policy;
an embedded dependency synchronization module: used for replacing hard-coded passwords in enterprise applications, scripts and operation and maintenance tools with synchronization-module code so that the passwords are not exposed, or alternatively adopting a push mode in which new passwords are periodically pushed to the hard-coded configuration;
a single sign-on connection module: used for providing the user with one-click connection capability and allowing an administrator to distribute a client tool to users centrally, so that a single sign-on effect is achieved, the password never reaches the user side, and continuous monitoring and auditing capability is obtained;
a fine-grained sharing module: used for providing the user with account-level fine-grained sharing capability;
the account rotation module, the embedded dependency synchronization module, the single sign-on connection module and the fine-grained sharing module are connected with one another.
4. An apparatus for implementing the method of noninductive switching of middleware connection pool privileged accounts as claimed in claim 1, comprising:
an access unit: through which a front-end user accesses the application;
a deployment unit: by which the application is deployed on the related middleware and an external access address is provided for the user to access;
an unaware switching unit: a dual-account deployment module that provides virtual-account access for the connection pool, so that the application does not perceive the switch of the underlying account;
a password modification unit: used for triggering a master/slave account switching mechanism when the password of the privileged account in the middleware connection pool, hosted by the privileged account security management system, reaches its change date, switching the master account to be the inactive privileged account, switching the slave account to be the active privileged account, and modifying the password of the inactive privileged account.
5. The apparatus of claim 4, wherein the privileged account security management system comprises:
a node management unit: used for constructing a directory tree conforming to the enterprise organization structure and allowing different entitled users to manage their respective directories independently;
an account management unit: used for importing and hosting the privileged account and for implementing account life-cycle management centered on the privileged account entity;
an access control unit: used for subdividing the permissions of account use, so that different users have different use permissions for different accounts;
a session monitoring unit: used for video recording, monitoring, intercepting and auditing the user's single sign-on sessions with the account;
an audit management unit: used for providing log queries to the audit department, wherein the log queries at least cover the use and management of accounts and changes to the platform;
an approval management unit: used for providing the user with a transaction-audited approval process for account use;
a system setting unit: used for providing the user with platform-wide account policies and connection policies, user settings and self-defined attribute parameters;
the node management unit, the account management unit, the access control unit, the session monitoring unit, the audit management unit, the approval management unit and the system setting unit are connected with each other.
6. The apparatus of claim 5, wherein the account management unit further comprises:
an account rotation module: used for carrying out automatic password rotation management on the target privileged account according to the enterprise management policy;
an embedded dependency synchronization module: used for replacing hard-coded passwords in enterprise applications, scripts and operation and maintenance tools with synchronization-module code so that the passwords are not exposed, or alternatively adopting a push mode in which new passwords are periodically pushed to the hard-coded configuration;
a single sign-on connection module: used for providing the user with one-click connection capability and allowing an administrator to distribute a client tool to users centrally, so that a single sign-on effect is achieved, the password never reaches the user side, and continuous monitoring and auditing capability is obtained;
a fine-grained sharing module: used for providing the user with account-level fine-grained sharing capability;
the account rotation module, the embedded dependency synchronization module, the single sign-on connection module and the fine-grained sharing module are connected with one another.
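The master/slave switching of step D in claims 1 and 4, as an added example that is not the patent's or any vendor's code: a naive pool that caches one hard-coded credential is placed beside a dual-account pool bound to a virtual account, so the difference at the change date is visible. The account names, initial passwords, the password store and the 30-day change period are constructed for the example.

```python
import secrets

class CredentialStore:
    """Stands in for the target system's password store (constructed)."""
    def __init__(self, **passwords):
        self.passwords = dict(passwords)
    def authenticate(self, name, password):
        return self.passwords.get(name) == password
    def set_password(self, name, new_password):
        self.passwords[name] = new_password

class NaivePool:
    """One hard-coded credential: an in-place rotation breaks every new
    connection until the application's cached copy is updated."""
    def __init__(self, store, name, password):
        self.store, self.name, self.password = store, name, password
    def connect(self):
        return self.store.authenticate(self.name, self.password)
    def rotate(self):
        # password changed in the store, but self.password is now stale
        self.store.set_password(self.name, secrets.token_urlsafe(16))

class DualAccountPool:
    """Virtual account that resolves to whichever real account is active.
    Rotation swaps master/slave roles and changes only the inactive password,
    so the credential used for new connections is never the one being changed."""
    def __init__(self, store, master, slave, period_days=30):
        self.store = store
        self.names = [master, slave]      # index 0 = master, 1 = slave
        self.active = 0                   # master starts as the active account
        self.passwords = {n: store.passwords[n] for n in self.names}  # synced copies
        self.period = period_days
        self.next_change_day = period_days
    def active_name(self):
        return self.names[self.active]
    def connect(self):
        name = self.active_name()
        return self.store.authenticate(name, self.passwords[name])
    def rotate_if_due(self, today):
        if today < self.next_change_day:  # change date not yet reached
            return False
        self.active ^= 1                  # step D: swap active/inactive roles
        inactive = self.names[self.active ^ 1]
        new_pw = secrets.token_urlsafe(16)
        self.store.set_password(inactive, new_pw)
        self.passwords[inactive] = new_pw  # embedded-dependency sync of the new secret
        self.next_change_day = today + self.period
        return True
```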
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910901173.3A CN110737906A (en) | 2019-09-23 | 2019-09-23 | Method and device for noninductive switching of privileged account of middleware connection pool |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910901173.3A CN110737906A (en) | 2019-09-23 | 2019-09-23 | Method and device for noninductive switching of privileged account of middleware connection pool |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110737906A true CN110737906A (en) | 2020-01-31 |
Family
ID=69269481
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910901173.3A Pending CN110737906A (en) | 2019-09-23 | 2019-09-23 | Method and device for noninductive switching of privileged account of middleware connection pool |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110737906A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115001800A (en) * | 2022-05-30 | 2022-09-02 | 上海格尔安全科技有限公司 | Password dynamic replacement method and device, computer equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090328154A1 (en) * | 2008-06-25 | 2009-12-31 | Microsoft Corporation | Isolation of services or processes using credential managed accounts |
US8055904B1 (en) * | 2006-10-19 | 2011-11-08 | United Services Automobile Assocation (USAA) | Systems and methods for software application security management |
CN103955854A (en) * | 2014-04-28 | 2014-07-30 | 华为技术有限公司 | Account management device and method |
US20140289829A1 (en) * | 2012-03-20 | 2014-09-25 | Guangdong Electronics Industry Institute Ltd | Computer account management system and realizing method thereof |
US20150200953A1 (en) * | 2014-01-13 | 2015-07-16 | Oracle International Corporation | Managing temporal aspects of accounts and entitlements |
Non-Patent Citations (1)
Title |
---|
海颐软件 (Haiyi Software): "海颐特权账号安全管理系统产品白皮书" (Haiyi Privileged Account Security Management System Product White Paper), 《百度文库》 (Baidu Wenku) * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20200131 |