Device access method and system, certificate configuration method, and hybrid cloud management platform
By parsing device digital certificates to obtain type identification information in a hybrid cloud environment, the problem of low device discovery efficiency and security risks in a hybrid cloud environment is solved, and automatic identification and secure access of device types are realized.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- LENOVO (BEIJING) LTD
- Filing Date
- 2026-03-27
- Publication Date
- 2026-07-03
AI Technical Summary
In a hybrid cloud environment, existing technologies require users to manually enter device accounts and passwords for device discovery, which is inefficient and poses security risks. They also cannot automatically discover devices that do not implement standard discovery protocols.
By acquiring and parsing the target device's digital certificate during the device access process, the device type identification information is obtained using the extended information field in the certificate. Combined with the root certificate of the enterprise certificate authority, the validity of the certificate is verified, the device type is automatically determined, and a management agreement is established.
It improves device discovery efficiency, reduces the number of network interactions, lowers device access latency, eliminates the risk of password leakage, and enables automatic identification of device types and secure automated access.
Smart Images

Figure CN122339743A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of hybrid cloud technology, and more specifically to a device access method and system, a certificate configuration method, and a hybrid cloud management platform. Background Technology
[0002] As enterprises deepen their digital transformation, hybrid cloud architecture has become the mainstream IT deployment model. In a hybrid cloud environment, enterprises typically need to manage a large number of heterogeneous devices, including servers, storage arrays, and network devices, distributed across different geographical locations and network subnets. When discovering devices that require authentication, existing solutions require users to pre-enter the device's management account and password. The management platform identifies the device type by polling various discovery protocols. This process is not only inefficient but also poses a security risk of account passwords being leaked during transmission and storage. For devices that do not implement standard discovery protocols, the management platform cannot even complete automatic discovery and requires manual configuration. Summary of the Invention
[0003] In view of the above problems, this application provides a device access method and system, a certificate configuration method, and a hybrid cloud management platform.
[0004] According to a first aspect of this application, a device access method in a hybrid cloud environment is provided, applied to a hybrid cloud management platform. The method includes: responding to a user's access request for a target device in the hybrid cloud management platform, the hybrid cloud management platform establishing a secure connection with the target device; during the process of establishing a secure connection with the target device, obtaining a digital certificate provided by the target device, the digital certificate including identification information representing the type of the target device; confirming whether the digital certificate is valid; if the digital certificate is determined to be valid, determining the device type of the target device based on the identification information of the target device type, so that the hybrid cloud management platform uses a device management protocol corresponding to the device type and establishes a user access channel with the target device.
[0005] According to an embodiment of this application, the process of establishing a secure connection with the target device includes a handshake process. The step of obtaining the digital certificate provided by the target device during the process of establishing a secure connection with the target device includes: receiving the digital certificate of the target device during the handshake process; and parsing the digital certificate of the target device before the handshake process is completed to obtain the identification information of the target device type.
[0006] According to an embodiment of this application, the digital certificate includes at least one extended information field, and the identification information of the target device type is stored in the extended information field; parsing the digital certificate of the target device to obtain the identification information of the target device type includes: parsing the extended information field and extracting the identification information of the target device type; wherein, the extended information field is a digital certificate subject alias field, and the identification information includes at least one of device model, serial number, and device type.
[0007] According to an embodiment of this application, the extended information field is a field that can contain multiple key-value pairs of data items, and the identification information of the target device type is stored in the field in the form of key-value pairs.
[0008] According to an embodiment of this application, the hybrid cloud management platform is used to manage a heterogeneous device cluster deployed across multiple subnets, the heterogeneous device cluster including at least one of servers, storage arrays, and intelligent network devices.
[0009] According to an embodiment of this application, the digital certificate is issued by an enterprise certificate authority, and the hybrid cloud management platform pre-stores the root certificate of the enterprise certificate authority. The step of confirming the validity of the digital certificate includes:
[0010] Use the root certificate to verify whether the digital certificate is valid.
[0011] A second aspect of this application provides a certificate configuration method applied to a certificate authority, comprising: receiving a certificate issuance request from a target device; generating a digital certificate to be signed based on the certificate issuance request; setting identification information of the target device type in the digital certificate to be signed, wherein the identification information is used by a hybrid cloud management platform to determine the device type of the target device after verifying the digital certificate, so that the hybrid cloud management platform uses a device management protocol corresponding to the device type and establishes a user access channel with the target device; signing the certificate to be signed to generate a digital certificate; and sending the digital certificate to the target device.
[0012] A third aspect of this application provides a device access method in a hybrid cloud environment, applied to a target device. The target device stores a digital certificate, which is issued by a trusted certificate authority and includes identification information representing the type of the target device. The method includes: receiving a secure connection request from a hybrid cloud management platform; and, during the process of establishing a secure connection with the hybrid cloud management platform, providing the digital certificate to the hybrid cloud management platform so that the hybrid cloud management platform determines the device type of the target device based on the identification information of the target device type, uses a device management protocol corresponding to the device type, and establishes a user access channel with the target device.
[0013] A fourth aspect of this application provides a hybrid cloud management platform, including a network interface; a memory storing a computer program; and a processor executing the computer program to: respond to a user's access request for a target device in the hybrid cloud management platform, the hybrid cloud management platform establishing a secure connection with the target device through the network interface; during the process of establishing a secure connection with the target device, obtaining a digital certificate provided by the target device, the digital certificate including identification information representing the type of the target device; confirming whether the digital certificate is valid; if the digital certificate is determined to be valid, then based on the identification information of the target device type, using a device management protocol corresponding to the device type, and establishing a user access channel with the target device.
[0014] The fifth aspect of this application provides a device access system, comprising: a certificate authority configured to perform a certificate configuration method as described in the second aspect; a target device configured to store a digital certificate issued by the certificate authority and perform a device access method as described in the third aspect; and a hybrid cloud management platform configured to access the target device by performing a device access method as described in the first aspect. Attached Figure Description
[0015] The above-mentioned contents, other objects, features and advantages of this application will become clearer from the following description of embodiments with reference to the accompanying drawings, in which:
[0016] Figure 1 The illustrations depict application scenarios of the device access method and system, certificate configuration method, and hybrid cloud management platform according to embodiments of this application.
[0017] Figure 2 A flowchart illustrating a device access method in a hybrid cloud environment according to an embodiment of this application is shown schematically.
[0018] Figure 3 This illustration schematically shows a diagram illustrating the establishment of a TLS secure connection according to an embodiment of this application;
[0019] Figure 4 A schematic diagram illustrating a certificate configuration method according to an embodiment of this application is shown.
[0020] Figure 5 A timing diagram of a device access system according to an embodiment of this application is schematically shown; and
[0021] Figure 6 A block diagram schematically illustrates an electronic device suitable for implementing a device access method according to an embodiment of this application. Detailed Implementation
[0022] The embodiments of this application will now be described with reference to the accompanying drawings. However, it should be understood that these descriptions are exemplary only and are not intended to limit the scope of this application. In the following detailed description, numerous specific details are set forth to provide a thorough understanding of the embodiments of this application for ease of explanation. However, it will be apparent that one or more embodiments may be implemented without these specific details. Furthermore, descriptions of well-known structures and technologies are omitted in the following description to avoid unnecessarily obscuring the concepts of this application.
[0023] The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of this application. The terms “comprising,” “including,” etc., as used herein indicate the presence of the stated features, steps, operations, and / or components, but do not exclude the presence or addition of one or more other features, steps, operations, or components.
[0024] All terms used herein (including technical and scientific terms) have the meanings commonly understood by those skilled in the art, unless otherwise defined. It should be noted that the terms used herein are to be interpreted in a manner consistent with the context of this specification, and not in an idealized or overly rigid way.
[0025] When using expressions such as "at least one of A, B and C", they should generally be interpreted in accordance with the meaning that is commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" should include, but is not limited to, a system having A alone, a system having B alone, a system having C alone, a system having A and B, a system having A and C, a system having B and C, and / or a system having A, B and C, etc.).
[0026] Figure 1 The illustrations depict application scenarios of the device access method and system, certificate configuration method, and hybrid cloud management platform according to embodiments of this application.
[0027] like Figure 1 As shown, the application scenario 100 according to this embodiment may include multiple data centers, including a first data center 110 and a second data center 120, wherein the first data center 110 and the second data center 120 are located in different network subnets.
[0028] The first data center 110 is equipped with a hybrid cloud management platform 111, as well as multiple server devices 112 and multiple storage arrays 113. The second data center 120 is equipped with multiple server devices 121, multiple storage arrays 122 and multiple intelligent network devices 123.
[0029] The hybrid cloud management platform 111 communicates with devices in the first data center 110 and the second data center 120 via network 140. Network 140 can be a wide area network, a metropolitan area network, or a private network, supporting data transmission across subnets.
[0030] Certificate Authority 130, communicating with the hybrid cloud management platform 111, is used to issue digital certificates to devices within the first data center 110 and the second data center 120. Certificate Authority 130 can be an internal certificate authority deployed by the enterprise or a third-party certificate authority trusted by the enterprise. Certificate Authority 130 can also be a managed certificate issuance service provided by a cloud service provider, allowing the enterprise to apply for and manage device certificates through the cloud service provider's console or application programming interface (API), with the cloud service provider responsible for the operation, maintenance, and security management of the certificate authority. Certificate Authority 130 can also adopt a hybrid deployment model. For example, the enterprise may use an internal certificate authority to issue certificates for internal devices while simultaneously using a commercial certificate authority to issue certificates for devices providing external services. Alternatively, the enterprise may use a root certificate for self-signing and then establish a trust chain with a commercial certificate authority through an intermediate certificate.
[0031] In actual deployment, the Certificate Authority 130 can be a dedicated certificate server or a certificate service cluster consisting of multiple servers to ensure high availability and scalability.
[0032] In practical applications, operations and maintenance personnel initiate access requests to target devices (such as server devices 121 in the second data center 120) through the hybrid cloud management platform 111. The hybrid cloud management platform 111 establishes a secure connection with server devices 121 and obtains the digital certificate of server devices 121 during the connection process. After successful verification, automatic discovery and access management of target devices are achieved.
[0033] It should be noted that this application does not limit the specific implementation form of the certificate issuing authority. Any trusted authority capable of issuing digital certificates containing type identification information for the target device can be applied to the embodiments of this application. As long as the digital certificate issued by the authority can be verified by the hybrid cloud management platform and the device type identification information contained in the certificate can be correctly parsed, the technical solution of this application can be achieved.
[0034] It should be noted that the device access method provided in this application embodiment can generally be executed by a hybrid cloud management platform. Accordingly, the device access device provided in this application embodiment can also be set in a hybrid cloud management platform.
[0035] The device access method provided in this application embodiment can also be executed by a server or server cluster that is different from the hybrid cloud management platform and capable of communicating with the target device. Correspondingly, the device access device provided in this application embodiment can also be set in a server or server cluster that is different from the hybrid cloud management platform and capable of communicating with the target device.
[0036] Alternatively, some steps of the device access method provided in the embodiments of this application can also be performed by the target device. Accordingly, the related devices provided in the embodiments of this application can also be disposed in the target device.
[0037] It should be understood that Figure 1 The number of data centers, devices, and servers shown is merely illustrative. Depending on actual deployment needs, there can be any number of data centers, subnets, devices, and management platforms.
[0038] In the technical solution of this application, the collection, storage, use, processing, transmission, and provision of data such as enterprise certificates, equipment identification information, and network addresses all comply with the provisions of relevant laws and regulations, have taken necessary confidentiality measures, and do not violate public order and good morals.
[0039] In the technical solution of this application, the security of data transmission is ensured before acquiring or collecting device information by adopting encrypted channels and certificate verification mechanisms to protect device information and enterprise network security.
[0040] Figure 2 A flowchart illustrating a device access method in a hybrid cloud environment according to an embodiment of this application is shown schematically.
[0041] like Figure 2 As shown, the device access method 200 in the hybrid cloud environment of this embodiment includes operations S210 to S230.
[0042] When operating S210, in response to a user's access request for the target device in the hybrid cloud management platform, the hybrid cloud management platform establishes a secure connection with the target device.
[0043] According to embodiments of this application, the target device can be various manageable devices located in different network environments or various manageable devices in the same network environment, such as computing devices, data storage arrays, or network communication devices.
[0044] According to embodiments of this application, a secure connection refers to an encrypted connection that can guarantee the confidentiality, integrity, and authenticity of communication data. Such connections can be established between the hybrid cloud management platform and the target device through various secure communication protocols, such as a certificate-based Transport Layer Security (TSL) connection, a Secure Shell (SSH) connection configured with certificate authentication, etc. This application does not limit the specific implementation of the secure connection; any protocol that can ensure communication security and support the exchange of digital certificates during connection establishment or the initial authentication phase of the connection is applicable.
[0045] According to the embodiments of this application, in practical applications, when maintenance personnel need to manage a specific device, they can trigger an access request by entering the network identification information (such as IP address, domain name, etc.) of the target device on the operation interface of the hybrid cloud management platform or by selecting the target device from the list of registered devices. The hybrid cloud management platform then attempts to establish a secure connection with the target device based on the network identification information. Even if the target device is located in a different subnet or data center, the hybrid cloud management platform can establish communication with the target device across subnets.
[0046] During the operation of S220, a digital certificate provided by the target device is obtained during the process of establishing a secure connection with the target device.
[0047] According to embodiments of this application, a digital certificate can be a digital credential sent by the target device to the hybrid cloud management platform during the establishment of a secure connection. Different security protocols may exchange certificates differently during connection establishment. For example, in a TLS-based connection, the digital certificate is sent during the handshake phase; in an SSH-based connection configured with digital certificate authentication on the target device, the digital certificate may be provided during key exchange. This application does not limit the specific timing and method of certificate exchange, as long as the target device's digital certificate can be obtained during the establishment of the secure connection.
[0048] According to an embodiment of this application, a digital certificate may include identification information representing the type of a target device. This identification information may be embedded in a specific data area of the digital certificate to describe attributes such as the category or model of the target device. The digital certificate is pre-issued by a trusted credential authority and deployed in the target device. For example, for a server device, its digital certificate may contain identification information in the form of "Device type: Server; Device model: SR650; Device serial number: 7D7AMT110D".
[0049] According to the embodiments of this application, the digital certificate can be obtained when the hybrid cloud management platform performs a protocol handshake with the target device during the secure connection establishment process. Since the digital certificate is obtained during the connection establishment phase, there is no need for additional device discovery interactions after the secure connection is established, thereby improving device discovery efficiency and avoiding the problem of trying multiple discovery methods in related solutions.
[0050] When operating S230, verify whether the digital certificate is valid.
[0051] According to embodiments of this application, verifying the validity of a digital certificate may include verifying the authenticity and integrity of the digital certificate. A hybrid cloud management platform can use pre-stored verification information to check whether the signature of the target device's digital certificate is correct, whether the certificate is valid, and whether the certificate is complete and unaltered.
[0052] For example, a hybrid cloud management platform can pre-import trusted credentials during deployment and store them locally. Upon receiving a digital certificate from a target device, the platform uses these trusted credentials to verify the certificate. If verification fails, the hybrid cloud management platform can interrupt the connection establishment process and refuse further communication with the target device, thus ensuring that only legitimate devices with valid certificates can access the platform. This digital credential-based verification mechanism can replace username and password authentication, eliminating the security risks of password leakage during transmission and storage.
[0053] When operating S240, if the digital certificate is found to be valid, the device type of the target device is determined based on the identification information of the target device type, so that the hybrid cloud management platform can use the device management protocol corresponding to the device type and establish a user access channel with the target device.
[0054] According to an embodiment of this application, after verifying the validity of the digital certificate, the hybrid cloud management platform can parse the type identification information from the certificate and determine the specific type of the target device based on this information. The platform can then select an appropriate communication protocol to establish a dedicated management path with the target device based on the device type, and provide users with access to the target device through this management path.
[0055] For example, when the identification information parsed from the certificate indicates that the target device is a server, the hybrid cloud management platform can select a management protocol suitable for servers to establish a management connection with the device; when the identification information indicates that the target device is a storage array, the platform can select a management protocol suitable for storage arrays. Through this mechanism, the platform can automatically adapt to the communication methods of different types of devices without requiring users to pre-specify the device type or management protocol.
[0056] It should be noted that the user access channel established in operation S240 can be the same connection as the secure connection established in operation S210, or it can be a newly created connection. If the secure connection itself already supports subsequent management protocol interactions, it can be reused directly; if a different communication method is required, the platform will establish a new connection.
[0057] According to the embodiments of this application, on the one hand, since the acquisition of the digital certificate is completed during the establishment of a secure connection, the hybrid cloud management platform does not need to initiate a dedicated device discovery request after the connection is established, reducing the number of network interactions, lowering the latency of device access, and improving device discovery efficiency. On the other hand, since the device type identification information is built into the digital certificate, the hybrid cloud management platform does not need to know the type of the target device in advance to directly identify it by parsing the certificate, avoiding the cumbersome operation of trying multiple discovery protocols or relying on the user to manually specify the device type, thus achieving automatic identification of the device type. Furthermore, since digital certificates are used to replace traditional usernames and passwords for device authentication, the device private key is always stored locally on the device and is not transmitted over the network, eliminating the security risk of password interception or leakage during transmission and storage, and improving the security of the device access process.
[0058] The following example uses a certificate-based TLS connection as a case study. Figures 3-4 This application provides an illustrative description of the device access method in a hybrid cloud environment.
[0059] Figure 3 The illustration shows a schematic diagram of establishing a TLS secure connection according to an embodiment of this application.
[0060] like Figure 3 As shown, in this embodiment, establishing a TLS secure connection between the hybrid cloud management platform 310 and the target device 320 may include a handshake phase. After the handshake is completed, the hybrid cloud management platform 310 and the target device 320 may enter a session phase to transmit data.
[0061] In some embodiments of this application, during the TLS handshake phase, the hybrid cloud management platform 310 can receive a digital certificate sent by the target device 320. Specifically, during the Certificate message phase of the TLS handshake protocol, the target device 320, acting as a TLS server, sends its digital certificate to the hybrid cloud management platform 310, acting as a TLS client. Upon receiving the Certificate message, the hybrid cloud management platform 310 can obtain the digital certificate.
[0062] In some embodiments of this application, before the TLS handshake process is completed, the hybrid cloud management platform 310 parses the digital certificate of the target device to obtain the identification information of the target device type 320. Specifically, after receiving the digital certificate of the target device 320 but before the TLS handshake is completed (i.e., before the Finished message exchange), the hybrid cloud management platform 310 can parse the digital certificate and extract the type identification information stored in the extended fields, such as device model and serial number.
[0063] For example, taking the TLS 1.3 protocol as an example, the hybrid cloud management platform 310 can parse the identification information in the certificate after receiving the ServerHello and Certificate messages but before sending the Finished message. In this way, when the TLS handshake is completed, the hybrid cloud management platform 310 has already obtained the device type information of the target device 320 and can immediately prepare for subsequent access operations without initiating a separate device discovery request after the connection is established. The two originally separate processes of "identity authentication" and "device discovery" are integrated into the same secure handshake process and completed in one go, thereby reducing the number of network interactions and improving device discovery efficiency.
[0064] According to embodiments of this application, a digital certificate may include certificate subject information, signature information, and one or more extended information fields. The extended information fields are used to store additional certificate attributes, which may include identification information of the target device type as described in embodiments of this application.
[0065] In some embodiments of this application, the digital certificate includes at least one extended information field, and the identification information of the target device type is stored in the extended information field. Digital certificate standards typically define multiple extended fields to store additional attributes of the certificate. When the hybrid cloud management platform obtains the digital certificate of the target device, it parses the extended information field area of the certificate to locate the specific extended field storing the array type identification information, and extracts the device type identification information from that field. The identification information may include at least one of device model, serial number, and device type.
[0066] In some embodiments of this application, the extended information field is the certificate subject alias field. The subject alias is a commonly used extended field defined in digital certificate standards, used to specify network identifiers such as DNS names and IP addresses available to the certificate, thereby expanding the representation capabilities of the certificate subject name. Embodiments of this application utilize this standard extended field to store the type identification information required for array management, thus achieving the carrying of device information without changing the basic certificate structure. Since the subject alias field is a universally supported extended field in various digital certificate implementations, using this field to store array information offers good compatibility.
[0067] For example, a digital certificate can be an X.509V3 digital certificate. X.509V3 is the most widely used digital certificate standard in public key infrastructure, defined in ITU-T X.509V3 and ISO / IEC 9594-8. An X.509V3 certificate can contain information such as version number, serial number, signature algorithm, issuer, validity period, subject, and public key, and supports various standard extended fields, such as key usage, enhanced key usage, certificate policy, and subject alias. In a specific implementation using an X.509V3 digital certificate as an example, the subject alias field of the target device's digital certificate can contain information in the following form:
[0068] subjectAltName =
[0069] DNS: device1.company.com
[0070] IP Address: 192.168.1.100
[0071] MachineName: ThinkSystem ST650 V3,
[0072] SerialNumber: 7D7AMT110D
[0073] DeviceType: Server
[0074] Among them, "MachineName: ThinkSystem ST650" represents the device model, "SerialNumber:7D7AMT110D" represents the device serial number, and "DeviceType: Server" represents the device type. When the hybrid cloud management platform parses the main alias field, it can extract the corresponding identification information by looking up the preset key names (such as "MachineName", "SerialNumber", and "DeviceType").
[0075] According to embodiments of this application, the extended information field is a field that can contain multiple key-value pairs of data items, and the identification information of the target device type is stored in the field in the form of key-value pairs. For example, taking the certificate subject alias field as an example, this field can contain multiple identification items of different types, such as DNS name, IP address, etc. Based on this, embodiments of this application can organize and store the device type identification information in the form of key-value pairs in this field. The key in each key-value pair is used to identify the type of information (such as "MachineName" indicating device model), and the value is used to store the specific identification information content (such as "ThinkSystem SR650").
[0076] In one specific implementation, taking the X.509V3 digital certificate as an example, the subject alias field supports multiple types of identification items, each with a corresponding tag. This application embodiment utilizes the extensibility of this field to store device identification information in key-value pairs by customizing tags or using extended forms of existing tags. For example:
[0077] subjectAltName =
[0078] DNS: device1.company.com
[0079] IP Address: 192.168.1.100
[0080] otherName: 1.3.6.1.4.1.12345.1 = {
[0081] MachineName: "ThinkSystem ST650",
[0082] SerialNumber: "7D7AMT110D",
[0083] DeviceType: "Server"
[0084] }
[0085] Specifically, the device identification information is organized into multiple key-value pairs and stored in the main alias field through the "otherName" type extension item.
[0086] According to the embodiments of this application, the digital certificate can be issued by an enterprise certificate authority. The hybrid cloud management platform pre-stores the root certificate of the enterprise certificate authority and then uses the root certificate to verify whether the digital certificate is valid.
[0087] As is understandable, an enterprise Certificate Authority (CA) is a certificate issuing authority deployed internally or trusted by the enterprise, responsible for issuing digital certificates for all manageable devices within the enterprise environment. This enterprise CA can be a root CA or an intermediate CA trusted by the root CA. The enterprise CA's root certificate is pre-imported into the trust store of the hybrid cloud management platform, serving as a trusted anchor for subsequent verification of device certificates.
[0088] The following combination Figure 4 The certificate configuration method of this application embodiment will be further illustrated below.
[0089] Figure 4 A schematic diagram illustrating a certificate configuration method according to an embodiment of this application is shown.
[0090] like Figure 4 As shown, the certificate configuration method 400 of this embodiment is applied to a certificate authority, and the method includes operations S410 to S450.
[0091] When operating S410, receive a certificate issuance request from the target device.
[0092] According to an embodiment of this application, a Certificate Authority (CA) receives a Certificate Signing Request (CSR) from a target device. This CSR is generated by the target device and may contain the device's public key and identity information, such as device name, network address, and device identifier. When generating the CSR, the target device simultaneously generates a public and private key pair, with the private key always stored locally on the device. The CSR generation process can follow standard Public Key Infrastructure (PKI) procedures; the device uses its private key to sign the information in the CSR to prove its possession of the private key.
[0093] According to embodiments of this application, in actual deployment scenarios, the receipt of certificate issuance requests can be achieved in various ways: for example, the target device uploads the CSR file to the certificate authority via security protocols such as HTTPS or SCP; or, the administrator manually imports the CSR file into the certificate issuance system out-of-band. This application does not limit the specific transmission method of the certificate issuance request.
[0094] When operating the S420, a digital certificate to be signed is generated based on the certificate issuance request.
[0095] According to an embodiment of this application, after receiving the CSR from the target device, the Certificate Authority (CA) parses and verifies the CSR. Verification may include checking whether the CSR signature is correct and whether the device information contained in the CSR is complete. Upon successful verification, the CA generates a digital certificate to be signed based on the information in the CSR.
[0096] When operating S430, set the identification information of the target device type in the digital certificate to be signed.
[0097] According to the embodiments of this application, the identification information is used by the hybrid cloud management platform to determine the device type of the target device after verifying the digital certificate, so that the hybrid cloud management platform can use the device management protocol corresponding to the device type and establish a user access channel with the target device.
[0098] For example, a certificate authority might store device type identification information as key-value pairs in the body alias field of the certificate. Alternatively, a certificate authority might define a private extended field to store array type identification information. Or, a certificate authority might organize device identification information into JSON format and store it as a whole in an extended field of the certificate.
[0099] When operating the S440, the certificate to be signed is signed to generate a digital certificate.
[0100] According to an embodiment of this application, after completing the content settings of the certificate to be signed, the Certificate Authority (CA) can sign the certificate using its private key. The signing process may include: calculating the hash value of the certificate content to be signed, encrypting the hash value using the CA's private key, and generating a digital signature. The generated digital signature is then appended to the certificate to form a complete digital certificate. After signing, the generated digital certificate contains the following complete content: certificate subject information (device public key, identity information, etc.), extended field information (including device type identification information), and the CA's signature.
[0101] When operating the S450, the digital certificate is sent to the target device.
[0102] According to an embodiment of this application, the Certificate Authority sends the signed digital certificate to the target device. The sending method can correspond to the method of receiving the CSR, such as transmitting the certificate file to the target device via security protocols such as HTTPS or SCP, or being manually imported by the administrator.
[0103] According to an embodiment of this application, after receiving the digital certificate, the target device imports it into its local certificate storage area and pairs it with the previously generated private key. Thus, the target device obtains a valid digital certificate containing device type identification information that can be used to establish a secure connection.
[0104] This application also provides a device access method for a target device in a hybrid cloud environment. The method includes: receiving a secure connection request from a hybrid cloud management platform; and providing a digital certificate to the hybrid cloud management platform during the process of establishing a secure connection with the hybrid cloud management platform, so that the hybrid cloud management platform can determine the device type of the target device based on the identification information of the target device type, use the device management protocol corresponding to the device type, and establish a user access channel with the target device.
[0105] Figure 5 A timing diagram of a device access system according to an embodiment of this application is illustrated.
[0106] like Figure 5As shown, the device access system 500 in this embodiment includes a certificate authority, a target device, and a hybrid cloud management platform. The signaling interaction process between the components of the system 500 includes operations S1 to S7. The certificate authority receives a certificate issuance request from the target device, issues a digital certificate containing target device type identification information, and sends the issued digital certificate to the target device. The target device stores the digital certificate issued by the certificate authority and provides the digital certificate to the hybrid cloud management platform during the establishment of a secure connection. The hybrid cloud management platform responds to a user's access request and establishes a secure connection with the target device. During the establishment of the secure connection, it obtains the digital certificate provided by the target device, verifies the validity of the digital certificate, determines the device type of the target device based on the type identification information in the digital certificate after successful verification, and establishes a user access pipeline with the target device using a management protocol corresponding to the device type.
[0107] Through the aforementioned device access system, this embodiment of the application enables an end-to-end automated device access process, forming a complete automated chain from certificate pre-configuration to device access, effectively reducing manual intervention and improving device management efficiency in a hybrid cloud environment. The system uses a Certificate Authority (CA) as a unified device identity issuance and management center, ensuring that all target devices possess a trusted digital identity, facilitating centralized management and security auditing for enterprises. During device access, the hybrid cloud management platform verifies the device identity by checking the digital certificate issued by the CA. This certificate-based authentication mechanism replaces the traditional username and password authentication method, eliminating the security risk of password leakage during transmission and storage. Simultaneously, since the digital certificate contains built-in device type identification information, the hybrid cloud management platform can automatically parse and identify the device type after verifying the certificate's validity, thereby adapting to the corresponding device management protocol. This eliminates the need for manual pre-specification of device types or attempts at multiple discovery protocols, achieving intelligent and automated device access. Furthermore, the system has excellent scalability; the CA can issue certificates in batches, and the hybrid cloud management platform can concurrently process access requests from a large number of devices, meeting the management needs of heterogeneous device clusters in a large-scale hybrid cloud environment.
[0108] Figure 6 A block diagram illustrating an electronic device suitable for implementing a hybrid cloud environment according to an embodiment of this application is shown schematically.
[0109] like Figure 6As shown, the electronic device according to embodiments of this application is configured with a hybrid cloud management platform and / or an enterprise certificate authority, or the electronic device is a target device. The electronic device includes a processor 601, which can perform various appropriate actions and processes according to a program stored in read-only memory (ROM) 602 or a program loaded from storage portion 608 into random access memory (RAM) 603. The processor 601 may include, for example, a general-purpose microprocessor (e.g., a CPU), an instruction set processor and / or an associated chipset and / or a special-purpose microprocessor (e.g., an application-specific integrated circuit (ASIC)), etc. The processor 601 may also include onboard memory for caching purposes. The processor 601 may include a single processing unit or multiple processing units for performing different actions of the method flow according to embodiments of this application.
[0110] RAM 603 stores various programs and data required for the operation of electronic device 600. Processor 601, ROM 602, and RAM 603 are interconnected via bus 604. Processor 601 executes various operations of the method flow according to embodiments of this application by executing programs in ROM 602 and / or RAM 603. It should be noted that programs may also be stored in one or more memories other than ROM 602 and RAM 603. Processor 601 may also execute various operations of the method flow according to embodiments of this application by executing programs stored in one or more memories.
[0111] According to embodiments of this application, the electronic device may further include an input / output (I / O) interface 605, which is also connected to a bus 604. The electronic device 600 may also include one or more of the following components connected to the input / output (I / O) interface 605: an input section 606 including a keyboard, mouse, etc.; an output section 607 including a cathode ray tube (CRT), liquid crystal display (LCD), etc., and a speaker, etc.; a storage section 608 including a hard disk, etc.; and a communication section 609 including a network interface card such as a LAN card, modem, etc. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the input / output (I / O) interface 605 as needed. A removable medium 611, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., is installed on the drive 610 as needed so that computer programs read from it can be installed into the storage section 608 as needed.
[0112] This application also provides a computer-readable storage medium, which may be included in the device / apparatus / system described in the above embodiments; or it may exist independently and not assembled into the device / apparatus / system. The computer-readable storage medium carries one or more programs, which, when executed, implement the method according to the embodiments of this application.
[0113] According to embodiments of this application, the computer-readable storage medium can be a non-volatile computer-readable storage medium, such as including but not limited to: portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this application, the computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. For example, according to embodiments of this application, the computer-readable storage medium may include ROM 602 and / or RAM 603 and / or one or more memories other than ROM 602 and RAM 603 described above.
[0114] Embodiments of this application also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowchart. When the computer program product is run on a computer system, the program code is used to cause the computer system to implement the methods provided in the embodiments of this application.
[0115] When the computer program is executed by the processor 601, it performs the functions defined in the system / apparatus of this application embodiment. According to the embodiments of this application, the systems, apparatuses, modules, units, etc., described above can be implemented by computer program modules.
[0116] In one embodiment, the computer program may rely on a tangible storage medium such as an optical storage device or a magnetic storage device. In another embodiment, the computer program may also be transmitted and distributed in the form of signals over a network medium, and downloaded and installed via the communication section 609, and / or installed from the removable medium 611. The program code contained in the computer program can be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination thereof.
[0117] In such an embodiment, the computer program can be downloaded and installed from a network via the communication section 609, and / or installed from the removable medium 611. When the computer program is executed by the processor 601, it performs the functions defined in the system of this application embodiment. According to the embodiments of this application, the systems, devices, apparatuses, modules, units, etc., described above can be implemented by computer program modules.
[0118] According to embodiments of this application, program code for executing the computer programs provided in the embodiments of this application can be written in any combination of one or more programming languages. Specifically, these computational programs can be implemented using high-level procedural and / or object-oriented programming languages, and / or assembly / machine languages. Programming languages include, but are not limited to, languages such as Java, C++, "C", or similar programming languages. The program code can be executed entirely on the user's computing device, partially on the user's device, partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).
[0119] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, may be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0120] Those skilled in the art will understand that the features described in the various embodiments of this application can be combined and / or combined in various ways, even if such combinations or combinations are not explicitly described in this application. In particular, the features described in the various embodiments of this application can be combined and / or combined in various ways without departing from the spirit and teachings of this application. All such combinations and / or combinations fall within the scope of this application.
Claims
1. A device access method in a hybrid cloud environment, applied to a hybrid cloud management platform, the method comprising: In response to a user's access request for a target device in the hybrid cloud management platform, the hybrid cloud management platform establishes a secure connection with the target device; During the process of establishing a secure connection with the target device, a digital certificate provided by the target device is obtained, the digital certificate including identification information representing the type of the target device; Confirm that the digital certificate is valid; If the digital certificate is determined to be valid, the device type of the target device is determined based on the identification information of the target device type, so that the hybrid cloud management platform uses the device management protocol corresponding to the device type and establishes a user access channel with the target device.
2. The method according to claim 1, wherein the process of establishing a secure connection with the target device includes a handshake process, and the step of obtaining the digital certificate provided by the target device during the process of establishing a secure connection with the target device includes: During the handshake process, the digital certificate of the target device is received; Before the handshake process is completed, the digital certificate of the target device is parsed to obtain the identification information of the target device type.
3. The method according to claim 2, wherein the digital certificate includes at least one extended information field, and the identification information of the target device type is stored in the extended information field; The step of parsing the digital certificate of the target device to obtain the identification information of the target device type includes: Parse the extended information field to extract the identification information of the target device type; The extended information field is the digital certificate subject alias field, and the identification information includes at least one of the following: device model, serial number, and device type.
4. The method according to claim 3, wherein the extended information field is a field that can contain multiple key-value pairs of data items, and the identification information of the target device type is stored in the field in the form of key-value pairs.
5. The method according to claim 1, wherein the hybrid cloud management platform is used to manage heterogeneous device clusters deployed across multiple subnets, the heterogeneous device clusters including at least one of servers, storage arrays, and intelligent network devices.
6. The method according to any one of claims 1 to 5, wherein the digital certificate is issued by an enterprise certificate authority, the hybrid cloud management platform pre-stores the root certificate of the enterprise certificate authority, and the confirmation of the validity of the digital certificate includes: Use the root certificate to verify whether the digital certificate is valid.
7. A certificate configuration method, applied to a certificate authority, comprising: Receive certificate issuance request from the target device; Based on the certificate issuance request, a digital certificate to be signed is generated; The identification information of the target device type is set in the digital certificate to be signed. The identification information is used by the hybrid cloud management platform to determine the device type of the target device after verifying the digital certificate, so that the hybrid cloud management platform can use the device management protocol corresponding to the device type and establish a user access channel with the target device. The certificate to be signed is signed to generate a digital certificate; Send the digital certificate to the target device.
8. A device access method in a hybrid cloud environment, applied to a target device, the target device storing a digital certificate, the digital certificate being issued by a trusted certificate authority and including identification information representing the type of the target device, the method comprising: Receive a secure connection request from the hybrid cloud management platform; During the process of establishing a secure connection with the hybrid cloud management platform, the digital certificate is provided to the hybrid cloud management platform so that the hybrid cloud management platform can determine the device type of the target device based on the identification information of the target device type, use the device management protocol corresponding to the device type, and establish a user access channel with the target device.
9. A hybrid cloud management platform, comprising: Network interface; Memory, which stores computer programs; The processor, when executing the computer program, implements: In response to a user's access request to a target device in the hybrid cloud management platform, the hybrid cloud management platform establishes a secure connection with the target device through the network interface; During the process of establishing a secure connection with the target device, a digital certificate provided by the target device is obtained, the digital certificate including identification information representing the type of the target device; Confirm that the digital certificate is valid; If the digital certificate is determined to be valid, then based on the identification information of the target device type, the device management protocol corresponding to the device type is used to establish a user access channel with the target device.
10. A device access system, comprising: The certificate authority is configured to perform the certificate configuration method as described in claim 7; The target device is configured to store a digital certificate issued by the certificate authority and to perform the device access method as described in claim 8; A hybrid cloud management platform is configured to access the target device by performing the device access method as described in any one of claims 1 to 6.