A load scheduling method and system for cryptographic devices based on shared locks
By adopting a load scheduling method based on shared locks, the problem of unreasonable scheduling of traditional cryptographic devices is solved, and balanced scheduling and efficient resource utilization of multiple cryptographic devices are achieved to meet high concurrency requirements.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SHANDONG INST OF BLOCKCHAIN
- Filing Date
- 2022-12-08
- Publication Date
- 2026-07-03
AI Technical Summary
In high-concurrency business environments, traditional cryptographic computing services suffer from inefficient scheduling of multiple cryptographic devices, resulting in low data source pool switching efficiency and significant waste of computer resources.
A load balancing method based on shared locks is adopted. By pre-creating a Socket connection pool and a shared lock pool, combined with an exclusive lock mechanism and a load balancing algorithm, the resources of cryptographic devices are dynamically managed to ensure balanced scheduling of multiple cryptographic devices.
It improves cryptographic operation performance, avoids the time spent creating and releasing socket connections, reduces resource waste, achieves balanced scheduling of multiple cryptographic machines, and meets high concurrency requirements.
Smart Images

Figure CN116225683B_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of load scheduling technology, specifically relating to a load scheduling method and system for cryptographic devices based on shared locks. Background Technology
[0002] The statements in this section are merely background information related to the present invention and do not necessarily constitute prior art.
[0003] With the continuous development of cloud computing, virtualization technology has been widely used. Traditional cryptographic computing services are generally provided directly by cryptographic machines, which perform calculations and return the results directly.
[0004] Modern information services face increasingly higher demands for concurrent access to business services, and cryptographic operation requests are also highly concurrent. Inefficient scheduling of multiple cryptographic devices can lead to inefficient data source pool switching and excessive consumption of computer resources. Summary of the Invention
[0005] To address the aforementioned problems, this invention proposes a load scheduling method and system for cryptographic devices based on shared locks, which can solve the scheduling problem of multiple cryptographic devices and ensure balanced scheduling of multiple cryptographic machines.
[0006] According to some embodiments, the present invention adopts the following technical solution:
[0007] A load balancing method for cryptographic devices based on shared locks includes the following steps:
[0008] When receiving a request from a business system, the system determines the request source based on the request parameters and then calls the corresponding resource occupancy ratio and group identifier.
[0009] The system locates the corresponding shared lock pool based on the group identifier, calculates the maximum number of idle locks that the corresponding business system can use based on the number of locks in the shared lock pool, searches for idle locks in the shared lock pool, finds the corresponding Socket connection object through the association relationship of the successfully found locks, and calls the cryptographic machine device to perform cryptographic operations through the Socket connection object.
[0010] As an optional implementation, it also includes: pre-acquiring cryptographic device information, creating a number of Socket connection objects equal to the number of connections and saving them to the Socket connection pool, and recording the relationship between the group identifier and the cryptographic device information and the Socket connection pool;
[0011] Create a shared lock with the same number of Socket connections, save it to the shared lock pool, and save the relationship between the group identifier and the shared lock pool, and between the shared lock pool and the Socket connection pool.
[0012] Pre-allocate resources for cryptographic equipment and determine the resource occupancy ratio for each business system.
[0013] As a further defined implementation, the cryptographic device information includes the cryptographic device IP address, port number, cryptographic device model, number of connections, and group identifier.
[0014] As a further defined implementation, the locks in the shared lock pool have four states: idle, non-idle, pending deletion, and faulty, with the default being idle.
[0015] As a further defined implementation method, the specific process of pre-allocating cryptographic device resources includes: for multiple business systems under the same group, a resource percentage value is set for each business system according to the cryptographic algorithm requirements of the business system, and the sum of the resource percentage values is 100%.
[0016] As an optional implementation method, the specific process of determining the source of the request based on the request parameters includes: determining the business system from which the request comes based on the request parameters, retrieving the resource occupancy ratio and group identifier set by the business system, and recording the time of this business request;
[0017] Check if any other business systems in this group have initiated business requests within the recently set time period. If only this business system initiated the request, adjust the resource utilization ratio of this business system to 100% and save.
[0018] If other business systems have already initiated a request, adjust the resource utilization ratio of this business system to P2, and adjust the resource utilization ratio of other business systems to 100%-P2.
[0019] If, after the set time period, another business system initiates a business request, the resource allocation ratio for that business system will be adjusted to ensure that each business system has a corresponding resource allocation ratio.
[0020] As an alternative implementation, the specific process of searching for an idle lock in the shared lock pool includes: if the search is successful, setting the lock's state to non-idle; finding the corresponding Socket connection object through the lock's association; calling the cryptographic machine device through the Socket connection object to perform cryptographic operations; and after the operation is completed, setting the lock's state to idle and returning the operation result.
[0021] As an alternative implementation, if the search range is exceeded, the search ends and a new search is initiated after a certain period of time; if no free lock is found after multiple searches, a feedback notification is issued.
[0022] As an alternative implementation, when searching for locks that are in an idle state, cipher machines with fewer idle locks have a lower probability of having their idle locks found and being invoked, while cipher machines with more idle locks have a higher probability of being invoked.
[0023] As an alternative implementation, the steps are executed using an independent thread. When multiple requests initiate business operation requests simultaneously, multiple threads search for free locks at the same time. When searching for free locks in the shared lock pool, an exclusive lock mechanism ensures that only one thread can search for a lock at any given time.
[0024] This prevents multiple threads from finding a free lock simultaneously, or a single socket connection from handling multiple requests at the same time.
[0025] As an alternative implementation, at regular intervals, the connection pool parameter information of each cryptographic device is read to obtain the number of Socket connections that the cryptographic device has created. If the connection value in the configuration file is greater than the actual number of Socket connections created, the difference between the two is calculated, and the same number of Socket connections as the difference are created. The newly created Socket connections are then placed into the Socket connection pool. The same number of idle locks as the difference are also created and placed into the shared lock pool.
[0026] If the number of connections in the configuration file is less than the actual number of socket connections created, calculate the difference between the two and delete the same number of shared locks and socket connections as the difference.
[0027] A load balancing system for cryptographic devices based on shared locks, comprising:
[0028] When the request acquisition module is configured to receive requests from the business system, it determines the request source based on the request parameters and calls the corresponding resource occupancy ratio and group identifier.
[0029] The scheduling module is configured to find the corresponding shared lock pool based on the group identifier, calculate the maximum number of idle locks that the corresponding business system can use based on the number of locks in the shared lock pool, find the locks that are idle in the shared lock pool, find the corresponding Socket connection object through the association relationship of the successfully found locks, and call the cryptographic machine device to perform cryptographic operations through the Socket connection object.
[0030] As an optional implementation, a pre-configuration module is also included, which is configured to pre-acquire cryptographic device information, create a number of Socket connection objects equal to the number of connections and save them to the Socket connection pool, and record the relationship between the group identifier and the cryptographic device information and the Socket connection pool;
[0031] Create a shared lock with the same number of Socket connections, save it to the shared lock pool, and save the relationship between the group identifier and the shared lock pool, and between the shared lock pool and the Socket connection pool.
[0032] Pre-allocate resources for cryptographic equipment and determine the resource occupancy ratio for each business system.
[0033] Compared with the prior art, the beneficial effects of the present invention are as follows:
[0034] This invention pre-creates a connection pool of Socket connections. When there is a business request, an idle Socket connection is used directly, avoiding the time spent on creating and releasing Socket connections, thus improving performance.
[0035] This invention creates a shared lock pool and a socket connection pool with fewer than the maximum number of cipher machine socket connections. Even with a large number of business requests, no excessive number of socket connections will be created. The provided socket connection pool can store multiple cipher machine devices, thus solving the scheduling problem of multiple cipher machine devices.
[0036] This invention provides an exclusive lock mechanism to ensure that a socket can only be used by one request, and provides a load balancing algorithm to ensure balanced scheduling of multiple cryptographic machines.
[0037] This invention manages business systems, cryptographic devices, socket connection pools, and shared lock pools in groups. Multiple cryptographic devices can be called by multiple business systems simultaneously, reducing the waste of cryptographic device resources and avoiding situations where individual business systems cannot make normal requests due to resource contention.
[0038] This invention can dynamically expand the number of socket connections in the socket connection pool to meet the high concurrency requirements of business systems; it can also dynamically delete the number of idle locks to limit the number of business requests and prevent cryptographic devices from running under overload.
[0039] To make the above-mentioned objects, features and advantages of the present invention more apparent and understandable, preferred embodiments are described below in detail with reference to the accompanying drawings. Attached Figure Description
[0040] The accompanying drawings, which form part of this invention, are used to provide a further understanding of the invention. The illustrative embodiments of the invention and their descriptions are used to explain the invention and do not constitute an improper limitation of the invention.
[0041] Figure 1 This is a flowchart illustrating one embodiment of the present invention;
[0042] Figure 2 This is a system schematic diagram of one embodiment of the present invention. Detailed Implementation
[0043] The present invention will be further described below with reference to the accompanying drawings and embodiments.
[0044] It should be noted that the following detailed description is illustrative and intended to provide further explanation of the invention. Unless otherwise specified, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention pertains.
[0045] It should be noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of exemplary embodiments according to the invention. As used herein, the singular form is intended to include the plural form as well, unless the context clearly indicates otherwise. Furthermore, it should be understood that when the terms "comprising" and / or "including" are used in this specification, they indicate the presence of features, steps, operations, devices, components, and / or combinations thereof.
[0046] Example 1
[0047] This embodiment provides a load scheduling method for cryptographic devices based on shared locks, such as... Figure 1 As shown, it includes the following steps:
[0048] Read the pre-saved cryptographic machine device information, including the cryptographic machine IP address, port number, cryptographic machine model, number of connections, group identifier, etc., create the same number of Socket connection objects as the number of connections and save them to the Socket connection pool, and record the relationship between the group identifier, the cryptographic machine device information, and the Socket connection pool.
[0049] Create a shared lock with the same number of Socket connections and save it to the shared lock pool. Save the relationship between the group identifier and the shared lock pool, and between the shared lock pool and the Socket connection pool. The locks in the shared lock pool have four states: idle, non-idle, pending deletion, and fault. The default is idle.
[0050] This embodiment pre-allocates cryptographic machine resources. For multiple business systems within the same group, a resource percentage is set for each system based on its cryptographic algorithm requirements, with the sum of these percentages being 100%. For example, if a group contains three business systems B1, B2, and B3, the percentage of cryptographic machine resources they can occupy is set as follows: B1 can occupy P1, B2 can occupy P2, and B3 can occupy P3; P1 + P2 + P3 = 100%.
[0051] When a business system initiates a request, first determine which business system the request comes from based on the request parameters (let's assume it's business system B2). Then, retrieve the resource utilization ratio P2 and group identifier set by the business system and record the time of this business request. Next, check if any other business systems in this group have also initiated business requests in the last few seconds. If only this business system initiated the request, adjust the resource utilization ratio of this business system to 100% and save it.
[0052] If another business system B1 has already initiated a request, adjust the resource utilization ratio of business system B2 to P2, and adjust the resource utilization ratio of business system B1 to 100%-P2.
[0053] If B3 also initiates a business request a few seconds later, the resource allocation values of the business systems will be adjusted to P1, P2, and P3 respectively.
[0054] After the resource proportion adjustment is completed, the corresponding shared lock pool is searched according to the group identifier. Based on the number of locks in the shared lock pool, the maximum number of idle locks that each business system can use is calculated, and the search range is adjusted. Locks in the shared lock pool that are in an idle state are searched. If the search is successful, the state of the lock is set to non-idle. The corresponding Socket connection object is found through the lock's association relationship. The cryptographic machine is called through the Socket connection object to perform cryptographic operations. After the operation is completed, the state of the lock is set to idle, and the operation result is returned.
[0055] If the search is outside the range, the search ends and the system waits for a certain period of time before searching again; if no free lock is found after multiple searches, the system issues a notification.
[0056] Because different cryptographic algorithms require different computation times during actual business requests, the number of idle locks in multiple cryptographic devices in the idle lock pool will inevitably vary.
[0057] This embodiment provides a load balancing algorithm, which means that a cipher machine with fewer free locks has a lower probability of its free locks being found, and thus a lower probability of the cipher machine being invoked; a cipher machine with more free locks has a higher probability of being invoked.
[0058] Each time the business system initiates a business request, this embodiment creates a new thread to process the request. When multiple requests initiate business operations simultaneously, multiple threads may search for an idle lock at the same time. In this embodiment, when searching for an idle lock in the shared lock pool, an exclusive lock mechanism is used so that only one thread can search for the lock at any given time, thereby preventing multiple threads from finding an idle lock at the same time and preventing a single Socket connection from processing multiple requests simultaneously.
[0059] In this embodiment, at regular intervals, the connection pool parameter information of each cryptographic device in the configuration file is read to obtain the number of Socket connections that the cryptographic device has created. If the connection value in the configuration file is greater than the actual number of Socket connections created, the difference between the two is calculated, and the same number of Socket connections as the difference are created. The newly created Socket connections are then placed into the Socket connection pool. The same number of idle locks as the difference are also created, and the newly created idle locks are placed into the shared lock pool.
[0060] If the number of connections in the configuration file is less than the actual number of socket connections created, calculate the difference between the two and delete the same number of shared locks and socket connections as the difference.
[0061] Example 2
[0062] like Figure 2 As shown, a load scheduling system includes a business system, a shared lock load scheduling system, and a cryptographic machine.
[0063] A business system refers to an information system that requires encryption and decryption of business data.
[0064] The shared lock load balancing system executes the method in Example 1 and is responsible for creating the Socket connection pool for cryptographic devices, scheduling cryptographic devices, load balancing, and dynamically expanding the number of connections.
[0065] The business system transmits parameters to the shared lock load scheduling system, which then sends the received data to the cryptographic machine. After processing, the cryptographic machine returns the result to the shared lock load scheduling system, which in turn returns the result to the business system.
[0066] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0067] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations and / or block diagrams. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.
[0068] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.
[0069] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0070] The above description is merely a preferred embodiment of the present invention and is not intended to limit the invention. Various modifications and variations can be made to the present invention by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made by those skilled in the art without creative effort within the spirit and principles of the present invention should be included within the scope of protection of the present invention.
Claims
1. A load scheduling method for cryptographic devices based on shared locks, characterized in that, Includes the following steps: When receiving a request from a business system, the system determines the request source based on the request parameters and then calls the corresponding resource occupancy ratio and group identifier. The specific process of determining the source of a request based on the request parameters includes: determining the business system from which the request comes based on the request parameters, retrieving the resource utilization ratio and group identifier set by the business system, and recording the time of this business request; Check if any other business systems in this group have initiated business requests within the recently set time period. If only this business system initiated the request, adjust the resource utilization ratio of this business system to 100% and save. If other business systems have already initiated a request, adjust the resource utilization ratio of this business system to P2, and adjust the resource utilization ratio of other business systems to 100%-P2. If a business system initiates a business request after the set time period, the resource allocation ratio of the business system will continue to be adjusted so that each business system has a corresponding resource allocation ratio. The system searches for the corresponding shared lock pool based on the group identifier, calculates the maximum number of idle locks that the corresponding business system can use based on the number of locks in the shared lock pool, searches for locks that are idle in the shared lock pool, finds the corresponding Socket connection object through the association relationship of the successfully found locks, and calls the cryptographic machine device to perform cryptographic operations through the Socket connection object. By using an independent thread to execute the steps, when multiple requests initiate business operations simultaneously, multiple threads search for free locks at the same time. When searching for free locks in the shared lock pool, an exclusive lock mechanism ensures that only one thread can search for a lock at any given time.
2. The load scheduling method for cryptographic devices based on shared locks as described in claim 1, characterized in that it further... include: Pre-obtain cipher machine device information, create the same number of Socket connection objects as the number of connections and save them to the Socket connection pool, and record the relationship between the group identifier, cipher machine device information, and Socket connection pool; Create a shared lock with the same number of Socket connections, save it to the shared lock pool, and save the relationship between the group identifier and the shared lock pool, and between the shared lock pool and the Socket connection pool. Pre-allocate resources for cryptographic equipment and determine the resource occupancy ratio for each business system.
3. The load scheduling method for cryptographic devices based on shared locks as described in claim 2, characterized in that, The cryptographic device information includes the cryptographic device IP address, port number, cryptographic device model, number of connections, and group identifier. Alternatively, the locks in the shared lock pool have four states: idle, non-idle, pending deletion, and faulty, with the default being idle; Alternatively, the specific process of pre-allocating cryptographic machine equipment resources includes: for multiple business systems under the same group, each is assigned a resource percentage value based on the cryptographic algorithm requirements of the business system, and the sum of the resource percentage values is 100%.
4. The load scheduling method for cryptographic devices based on shared locks as described in claim 1, characterized in that, The specific process of finding an idle lock in the shared lock pool includes: if the search is successful, setting the lock's state to non-idle; finding the corresponding Socket connection object through the lock's association; calling the cryptographic machine device through the Socket connection object to perform cryptographic operations; after the operation is completed, setting the lock's state to idle and returning the operation result.
5. A load scheduling method for cryptographic devices based on shared locks as described in claim 1, characterized in that, If the search is outside the range, the search ends and will restart after a certain period of time. If no free lock is found after multiple searches, a feedback notification is sent. Alternatively, when searching for locks that are in an idle state, cipher machines with fewer idle locks have a lower chance of having their idle locks found and being invoked, while cipher machines with more idle locks have a higher chance of being invoked.
6. The load scheduling method for cryptographic devices based on shared locks as described in claim 1, characterized in that, At regular intervals, read the connection pool parameter information of each cryptographic device, obtain the number of Socket connections that the cryptographic device has created, if the connection value in the configuration file is greater than the actual number of Socket connections created, calculate the difference between the two, create the same number of Socket connections as the difference, and put the newly created Socket connections into the Socket connection pool; create the same number of idle locks as the difference, and put the newly created idle locks into the shared lock pool; If the number of connections in the configuration file is less than the actual number of socket connections created, calculate the difference between the two and delete the same number of shared locks and socket connections as the difference.
7. A load scheduling system for cryptographic devices based on shared locks, employing a load scheduling method for cryptographic devices based on shared locks as described in any one of claims 1-6, characterized in that, include: When the request acquisition module is configured to receive requests from the business system, it determines the request source based on the request parameters and calls the corresponding resource occupancy ratio and group identifier. The scheduling module is configured to find the corresponding shared lock pool based on the group identifier, calculate the maximum number of idle locks that the corresponding business system can use based on the number of locks in the shared lock pool, find the locks that are idle in the shared lock pool, find the corresponding Socket connection object through the association relationship of the successfully found locks, and call the cryptographic machine device to perform cryptographic operations through the Socket connection object.
8. A load scheduling system for cryptographic devices based on a shared lock as described in claim 7, characterized in that, It also includes a pre-configuration module, which is configured to pre-acquire cryptographic device information, create the same number of Socket connection objects as the number of connections and save them to the Socket connection pool, and record the relationship between the group identifier and the cryptographic device information and the Socket connection pool; Create a shared lock with the same number of Socket connections, save it to the shared lock pool, and save the relationship between the group identifier and the shared lock pool, and between the shared lock pool and the Socket connection pool. Pre-allocate resources for cryptographic equipment and determine the resource occupancy ratio for each business system.