Web portal service that supports establishing and maintaining a websocket connection
Patent Information
- Authority / Receiving Office: WO
- Patent Type: Applications
- Current Assignee / Owner: LENOVO GLOBAL TECH (TAIWAN) LTD
- Filing Date: 2024-12-27
- Publication Date: 2026-07-02
Abstract figure: CN2024143024_02072026_PF_FP_ABST

Description
WEB PORTAL SERVICE THAT SUPPORTS ESTABLISHING AND MAINTAINING A WEBSOCKET CONNECTION

BACKGROUND

The present disclosure relates to a method of building trust between a baseboard management controller and a system management application to support establishment of a WebSocket connection between them.

Background of the Related Art

A baseboard management controller, such as Lenovo's XClarity Controller (XCC), is a microcontroller embedded on the motherboard of a computer, most often a server. The baseboard management controller manages an interface between system management software, such as Lenovo's XClarity Administrator, and computer hardware.

On-premises baseboard management controllers that are installed on local computers or servers in an edge store are able to initiate a network connection to system management software in a public cloud network, but the system management software running in the public cloud network is typically unable to initiate a network connection back to the on-premises baseboard management controllers. The reason that the system management software is unable to initiate a network connection to the baseboard management controller is that the edge store uses network address translation (NAT) and/or a firewall for security, whereas the system management software is installed in a public cloud.

BRIEF SUMMARY

Some embodiments provide a computer program product comprising a non-transitory computer readable medium and non-transitory program instructions embodied therein, the program instructions being configured to be executable by a processor to cause the processor to perform various operations.
The operations comprise receiving a uniform resource locator and a first root certificate from a system management application running in a cloud computing environment and accessible over a wide area network using the uniform resource locator, wherein the first root certificate includes a first public encryption key of a first public-private encryption key pair for the system management application, an identity of the system management application, and a digital signature of a root certificate authority that issued the first root certificate. The operations further comprise receiving a second root certificate from a baseboard management controller of a server, wherein the second root certificate includes a second public encryption key of a second public-private encryption key pair for the baseboard management controller, an identity of the baseboard management controller, and a digital signature of a root certificate authority that issued the second root certificate. Furthermore, the operations comprise providing the baseboard management controller with the uniform resource locator of the system management application, the first root certificate of the system management application, a Time-based One-Time Password algorithm and a Time-based One-Time Password key, and providing the system management application with the second root certificate of the baseboard management controller, the Time-based One-Time Password algorithm and the Time-based One-Time Password key. Still further, the operations comprise providing a time value to the system management application and the baseboard management controller enabling time synchronization between the system management application and the baseboard management controller, wherein the Time-based One-Time Password algorithm outputs a password value as a function of the Time-based One-Time Password key and a current value of the time. 
In addition, the operations comprise periodically updating the Time-based One-Time Password algorithm and the Time-based One-Time Password key, and providing the most recently updated Time-based One-Time Password algorithm and the most recently updated Time-based One-Time Password key to the system management application and the baseboard management controller.

Some embodiments provide a method comprising a web portal receiving a uniform resource locator and a first root certificate from a system management application running in a cloud computing environment and accessible over a wide area network using the uniform resource locator, wherein the first root certificate includes a first public encryption key of a first public-private encryption key pair for the system management application, an identity of the system management application, and a digital signature of a root certificate authority that issued the first root certificate. The method further comprises the web portal receiving a second root certificate from a baseboard management controller of a server, wherein the second root certificate includes a second public encryption key of a second public-private encryption key pair for the baseboard management controller, an identity of the baseboard management controller, and a digital signature of a root certificate authority that issued the second root certificate. Furthermore, the method comprises the web portal providing the baseboard management controller with the uniform resource locator of the system management application, the first root certificate of the system management application, a Time-based One-Time Password algorithm and a Time-based One-Time Password key, and the web portal providing the system management application with the second root certificate of the baseboard management controller, the Time-based One-Time Password algorithm and the Time-based One-Time Password key.
Still further, the method comprises the web portal providing a time value to the system management application and the baseboard management controller enabling time synchronization between the system management application and the baseboard management controller, wherein the Time-based One-Time Password algorithm outputs a Time-based One-Time Password value as a function of the Time-based One-Time Password key and a current value of the time. In addition, the method comprises the web portal periodically updating the Time-based One-Time Password algorithm and the Time-based One-Time Password key, and providing the most recently updated Time-based One-Time Password algorithm and the most recently updated Time-based One-Time Password key to the system management application and the baseboard management controller.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

FIG. 1 is a diagram of a system according to some embodiments.
FIG. 2A is a diagram of a system according to some embodiments.
FIG. 2B is a diagram of a system according to some embodiments.
FIG. 3 is a diagram of a server having a baseboard management controller according to some embodiments.
FIG. 4 is a diagram of a baseboard management controller according to some embodiments.
FIG. 5 is a flowchart of operations according to some embodiments.

DETAILED DESCRIPTION

Some embodiments provide a computer program product comprising a non-transitory computer readable medium and non-transitory program instructions embodied therein, the program instructions being configured to be executable by a processor to cause the processor to perform various operations.
The operations comprise receiving a uniform resource locator and a first root certificate from a system management application running in a cloud computing environment and accessible over a wide area network using the uniform resource locator, wherein the first root certificate includes a first public encryption key of a first public-private encryption key pair for the system management application, an identity of the system management application, and a digital signature of a root certificate authority that issued the first root certificate. The operations further comprise receiving a second root certificate from a baseboard management controller of a server, wherein the second root certificate includes a second public encryption key of a second public-private encryption key pair for the baseboard management controller, an identity of the baseboard management controller, and a digital signature of a root certificate authority that issued the second root certificate. Furthermore, the operations comprise providing the baseboard management controller with the uniform resource locator of the system management application, the first root certificate of the system management application, a Time-based One-Time Password algorithm and a Time-based One-Time Password key, and providing the system management application with the second root certificate of the baseboard management controller, the Time-based One-Time Password algorithm and the Time-based One-Time Password key. Still further, the operations comprise providing a time value to the system management application and the baseboard management controller enabling time synchronization between the system management application and the baseboard management controller, wherein the Time-based One-Time Password algorithm outputs a password value as a function of the Time-based One-Time Password key and a current value of the time. 
In addition, the operations comprise periodically updating the Time-based One-Time Password algorithm and/or the Time-based One-Time Password key and providing the most recently updated Time-based One-Time Password algorithm and/or the most recently updated Time-based One-Time Password key to the system management application and the baseboard management controller.

In some embodiments, the computer program product may be performed by the processor or processors to form a web portal. A web portal is a website that provides a broad array of services. For example, the web portal may serve as an intermediate entity for building trust between the system management application and the baseboard management controller. A non-limiting example of such a web portal is Lenovo's ThinkShield web portal that communicates with Lenovo XClarity Administrator (LXCA) and the baseboard management controllers (BMCs) within any number of servers in a computing system under management by the LXCA.

A uniform resource locator (URL) is a human-readable string, such as https://www.lenovo.com/us/en/pc/, whereas an Internet Protocol (IP) address is a numerical identifier that determines a device location on the Internet. A URL may include a protocol identifier (https://), a subdomain (www.), a domain name (lenovo.com) and optional path or page information (/us/en/pc/). The URL contains information that allows the Domain Name System (DNS) to translate the human-readable domain name into a corresponding IP address.

A "root certificate" is a public key certificate that identifies a root certificate authority. A public key certificate includes both a public key and information to validate the public key, such as the identity of the owner and the digital signature of the issuer. The root certificate authority is an entity that certifies that a public key is associated with a given owner.
The owner of the root certificate will also have a private key that is kept secret from the public and enables the owner to decrypt messages that are encrypted by a third party using the owner's public key. Collectively, the owner's public key and private key may be referred to as a "public-private encryption key pair." The digital signature is used to verify the authenticity of the root certificate. For example, the root certificate authority that issues the root certificate may publish its public key for the use of third parties but use its private key to sign a message (i.e., produce a signature). Subsequently, a third party may use the public key to decrypt the signature to verify the message.

A system management application is software that provides centralized resource management for server systems, networking devices and storage hardware. In one non-limiting example, the system management application may automate discovery, inventory, tracking, monitoring, and provisioning of servers, networking devices and/or storage hardware in a secure environment. Examples of the system management application include XClarity Administrator (LXCA) and XClarity One, both available from Lenovo. Embodiments support thousands or millions of baseboard management controllers (BMCs), such as XClarity Controllers (XCCs), communicating with one or more instances of a system management application, such as Lenovo XClarity Administrator (LXCA) or XClarity One, running in the public cloud, private cloud, or a hybrid cloud.

A cloud computing environment provides on-demand availability of computer system resources, such as data storage and computing power, without requiring the user to provide direct active management of the resources. A public cloud computing system is a computing infrastructure that is managed by a cloud service provider and offered as a service to the public.
Accordingly, the public cloud computing system may host a particular user's application and make it available to others over a wide area network, such as the Internet. A private cloud computing system is a dedicated computing infrastructure operated solely for a single organization, whether managed internally or by a third party, and is designed to provide enhanced control over data and resources. A hybrid cloud computing system combines the features of both public and private clouds, enabling organizations to leverage the scalability of public clouds while retaining the flexibility to keep sensitive workloads on private infrastructure. A cloud computing system may provide one or more of on-demand self-service provisioning of computing capabilities such as server time and network storage, broad network access, resource pooling, rapid elasticity of capabilities according to current demand, and resource usage monitoring and reporting.

A wide area network (WAN) is a computer network spanning long distances, such as regions, countries, or the world, using computer networking technologies that transmit data over long distances and between different networks. By contrast, a local area network (LAN) operates at lower layers of the Open Systems Interconnection (OSI) model (such as using Ethernet or Wi-Fi) and is typically designed for physically proximal networks. WANs are often used to connect LANs and other types of networks so that computers in one LAN can communicate with computers in another LAN. While a WAN may be built for a particular private organization, the Internet is the world's largest WAN, connecting numerous international networks. A private network is any computer network that uses a private address space of Internet Protocol (IP) addresses.
Such private IP addresses are commonly implemented in a LAN.

A baseboard management controller (BMC) is a component or system installed on the motherboard of a server or other computing device to manage an interface between system management software and the installed hardware devices. The baseboard management controller includes a processor that operates independently of the host processor or central processing unit of the server or other computing device. The baseboard management controller may monitor various types of sensors built into the server, provide alerts to a system administrator over a network, and control various operational aspects of the server or other computing device. Furthermore, a remote system management application may communicate with the baseboard management controller to cause the baseboard management controller to take corrective actions within the device. One example of a baseboard management controller (BMC) is an XClarity Controller (XCC) available from Lenovo. In a computing system with multiple servers, each server may have its own baseboard management controller.

Time-based One-Time Password (TOTP) is a technique for generating time-based authentication tokens. In some embodiments, the TOTP algorithm relies on the current time and a shared secret key to generate a one-time password that changes at fixed intervals, such as every 30 seconds. The TOTP password value is only valid for a short period, hence "one-time." The underlying mechanism may leverage other components, such as Hash-based Message Authentication Code (HMAC) and/or a hashing algorithm, such as SHA-1, SHA-256 or SHA-512.

A baseboard management controller may function as a client and the system management application may function as a server, where the client and server share a secret key (TOTP key) obtained from the web portal. The client and server maintain a clock to provide a current time value to be input into a TOTP algorithm along with the TOTP key.
The client and server clocks are synchronized, such as by the client and the server both synchronizing their clocks with the web portal. A time step or interval is established to have a fixed length or duration, such as 30 seconds, before a new one-time password must be generated and verified.

The TOTP algorithm involves several steps. First, time is converted into a counter value. For example, the current Unix timestamp (number of seconds since January 1, 1970) may be divided by the time step to compute a time-based counter value `T`. The counter value is an integer that represents how many time intervals have passed and increases after the passage of each additional time step. Second, a Hash-based Message Authentication Code (HMAC) may be calculated by inputting the shared secret key `K` and the counter value `T` into a cryptographic hash function, such as SHA-1, SHA-256, or SHA-512. Note that the HMAC combines the counter value `T` with the secret key `K` in a way that ensures the resulting hash is dependent on both the time-based counter value and the secret key. Using the HMAC in this manner ensures that the one-time password cannot be guessed easily without knowing the secret key and that the one-time password will expire after the time step interval.

Since the HMAC output is typically longer than the desired token length (e.g., HMAC-SHA-1 produces a 160-bit (20-byte) output), a third step may include dynamic truncation of the HMAC output to obtain a smaller, more manageable TOTP value (typically a 6- or 8-digit code). For example, dynamic truncation may take the last 4 bits of the HMAC output to choose a starting index, extract a 4-byte (32-bit) segment from the HMAC output starting at that index, then convert the extracted 32-bit value to an integer. Accordingly, the dynamic truncation may ensure that the resulting number is always within a predictable range.
To limit the token to a specific number of digits (e.g., a 6-digit code), the extracted integer from the previous step may be reduced using a modulo operation.

The baseboard management controller (client) generates the current TOTP value using the shared secret and the current time (counter value), and the system management application (server) generates the expected TOTP value based on the shared secret and its own current time (counter value). When the baseboard management controller submits a TOTP code, the system management application compares the submitted code with the expected value and verifies the identity of the baseboard management controller when there is a match. In some embodiments, some amount of time window tolerance may be accepted to account for slight time drift between the baseboard management controller and the system management application. For example, the system management application might be set up to accept codes from the immediately previous and/or immediately subsequent time intervals.

In some embodiments, the operations may further comprise periodically receiving a request for the most recently updated Time-based One-Time Password algorithm and the most recently updated Time-based One-Time Password key from the baseboard management controller, wherein the most recently updated Time-based One-Time Password algorithm and the most recently updated Time-based One-Time Password key are provided to the baseboard management controller in response to receiving the request from the baseboard management controller.
Similarly, the operations may further comprise periodically receiving a request for the most recently updated Time-based One-Time Password algorithm and the most recently updated Time-based One-Time Password key from the system management application, wherein the most recently updated Time-based One-Time Password algorithm and the most recently updated Time-based One-Time Password key are provided to the system management application in response to receiving the request from the system management application. Accordingly, the baseboard management controller and the system management application may request the most recently updated (i.e., current) TOTP algorithm and TOTP key from the web portal that serves as the intermediary for building and maintaining trust between the baseboard management controller and the system management application. The most recently updated Time-based One-Time Password algorithm and the most recently updated Time-based One-Time Password key provided to the system management application and the baseboard management controller may be used to support mutual verification between the system management application and the baseboard management controller. In embodiments where the web portal periodically generates one or the other of the TOTP key or the TOTP algorithm, the web portal could respond to the request with, or even push without receiving a request, the most recently updated version of whichever of the TOTP key and/or TOTP algorithm was actually updated.
Alternatively, the most recently updated version of the TOTP key and the most recently updated version of the TOTP algorithm may both be provided to the system management application and the baseboard management controller regardless of whether or not both were just updated.

In some embodiments, the operations may further comprise periodically providing an updated time value to the system management application and the baseboard management controller to maintain the time synchronization between the system management application and the baseboard management controller. In other words, in order to prevent any drift between the clocks maintained by the system management application and the baseboard management controller from accumulating and causing verification errors, the clocks of the system management application and the baseboard management controller may be periodically synchronized, such as by resetting their clocks to match an updated time value provided by the web portal that is serving as the intermediary.

In some embodiments, the operations may further comprise storing the uniform resource locator and the first root certificate received from the system management application and storing the second root certificate received from the baseboard management controller. For example, the web portal may temporarily or permanently store this information about the system management application and/or the baseboard management controller. In one option, the web portal may be the intermediary between the system management application and any number of baseboard management controllers across the servers and other devices of a computing system.
Accordingly, the web portal may reuse the stored uniform resource locator and the stored first root certificate received from the system management application when supporting the trust building process with other baseboard management controllers.

In some embodiments, the operation of periodically updating the Time-based One-Time Password algorithm and the Time-based One-Time Password key may include periodically generating a new Time-based One-Time Password algorithm and/or a new Time-based One-Time Password key. Accordingly, the web portal may generate an updated TOTP algorithm and updated TOTP key as needed. In other embodiments, the operation of periodically updating the Time-based One-Time Password algorithm and the Time-based One-Time Password key may include periodically selecting a different Time-based One-Time Password algorithm from a predetermined plurality of Time-based One-Time Password algorithms and periodically selecting a different Time-based One-Time Password key from a predetermined plurality of Time-based One-Time Password keys.

Some embodiments provide a method comprising a web portal receiving a uniform resource locator and a first root certificate from a system management application running in a cloud computing environment and accessible over a wide area network using the uniform resource locator, wherein the first root certificate includes a first public encryption key of a first public-private encryption key pair for the system management application, an identity of the system management application, and a digital signature of a root certificate authority that issued the first root certificate.
The method further comprises the web portal receiving a second root certificate from a baseboard management controller of a server, wherein the second root certificate includes a second public encryption key of a second public-private encryption key pair for the baseboard management controller, an identity of the baseboard management controller, and a digital signature of a root certificate authority that issued the second root certificate. Furthermore, the method comprises the web portal providing the baseboard management controller with the uniform resource locator of the system management application, the first root certificate of the system management application, a Time-based One-Time Password algorithm and a Time-based One-Time Password key, and the web portal providing the system management application with the second root certificate of the baseboard management controller, the Time-based One-Time Password algorithm and the Time-based One-Time Password key. Still further, the method comprises the web portal providing a time value to the system management application and the baseboard management controller enabling time synchronization between the system management application and the baseboard management controller, wherein the Time-based One-Time Password algorithm outputs a Time-based One-Time Password value as a function of the Time-based One-Time Password key and a current value of the time. 
In addition, the method comprises the web portal periodically updating the Time-based One-Time Password algorithm and the Time-based One-Time Password key, and providing the most recently updated Time-based One-Time Password algorithm and the most recently updated Time-based One-Time Password key to the system management application and the baseboard management controller.

In some embodiments, the method may further comprise the baseboard management controller periodically requesting and receiving the most recently updated Time-based One-Time Password algorithm and the most recently updated Time-based One-Time Password key from the web portal, and the system management application periodically requesting and receiving the most recently updated Time-based One-Time Password algorithm and the most recently updated Time-based One-Time Password key from the web portal. Alternatively, the web portal may send or push the most recently updated Time-based One-Time Password algorithm and the most recently updated Time-based One-Time Password key to the baseboard management controller and/or the system management application.

In some embodiments, the baseboard management controller and the system management application may obtain the updated TOTP algorithm and the updated TOTP key on a preconfigured, repeating time interval. This may occur either by the baseboard management controller and the system management application each requesting the updated TOTP algorithm and TOTP key at the preconfigured, repeating time interval, or by the web portal sending or pushing the updated TOTP algorithm and the updated TOTP key to the baseboard management controller and the system management application at the preconfigured, repeating time interval.

Embodiments may require that the system management application and the baseboard management controller have synchronized clocks.
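The TOTP computation described earlier (time-to-counter, HMAC over the counter, dynamic truncation, modulo to the digit count), the server-side comparison with a drift tolerance window, and the web portal's periodic rotation of the shared key and of the algorithm selected from a predetermined set, as one added Go example that is not part of the patent and not Lenovo's code. The 30-second step, the 8-digit code length, the one-step tolerance, the three-algorithm set, and the `Portal`, `Config`, `TOTP` and `Verify` names are assumptions made for the example; the key and time values used in `main` are the public RFC 6238 test vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/binary"
	"fmt"
	"hash"
)

// TimeStep is the fixed interval after which a new one-time password is
// generated (30 seconds, as in the description).
const TimeStep int64 = 30

// Algorithms is the assumed predetermined set the portal selects from.
var Algorithms = map[string]func() hash.Hash{
	"HMAC-SHA1":   sha1.New,
	"HMAC-SHA256": sha256.New,
	"HMAC-SHA512": sha512.New,
}

// Counter converts a Unix timestamp into the time-based counter T (step 1).
func Counter(unixTime int64) uint64 { return uint64(unixTime / TimeStep) }

// TOTP computes HMAC(K, T) (step 2), dynamically truncates it (step 3) and
// reduces it modulo 10^digits (step 4), zero-padded to `digits` characters.
func TOTP(algo string, key []byte, unixTime int64, digits int) (string, error) {
	newHash, ok := Algorithms[algo]
	if !ok {
		return "", fmt.Errorf("unknown TOTP algorithm %q", algo)
	}
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], Counter(unixTime))
	mac := hmac.New(newHash, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low 4 bits of the last byte pick a 4-byte window.
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod), nil
}

// Verify is the server-side check: the submitted code must equal the expected
// code for the server's current step or for one of `window` adjacent steps,
// which tolerates slight clock drift. The comparison is constant-time.
func Verify(algo string, key []byte, serverTime int64, digits int, submitted string, window int64) bool {
	for d := -window; d <= window; d++ {
		expected, err := TOTP(algo, key, serverTime+d*TimeStep, digits)
		if err != nil {
			return false
		}
		if hmac.Equal([]byte(expected), []byte(submitted)) {
			return true
		}
	}
	return false
}

// Config is what the portal hands to both the BMC and the management
// application: the selected algorithm, the shared TOTP key and a version.
type Config struct {
	Version int
	Algo    string
	Key     []byte
}

// Portal keeps the most recently updated Config. Rotate generates a fresh
// random key and selects the next algorithm from the predetermined set.
type Portal struct {
	current Config
	order   []string
}

func NewPortal() (*Portal, error) {
	p := &Portal{order: []string{"HMAC-SHA1", "HMAC-SHA256", "HMAC-SHA512"}}
	return p, p.Rotate()
}

func (p *Portal) Rotate() error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	next := p.current.Version + 1
	p.current = Config{Version: next, Algo: p.order[next%len(p.order)], Key: key}
	return nil
}

// Fetch is the periodic request each party makes for the latest Config.
func (p *Portal) Fetch() Config { return p.current }

func main() {
	key := []byte("12345678901234567890") // RFC 6238 SHA-1 test secret
	code, _ := TOTP("HMAC-SHA1", key, 59, 8)
	fmt.Println("code at t=59:", code, "accepted by server at t=85:", Verify("HMAC-SHA1", key, 85, 8, code, 1))

	portal, err := NewPortal()
	if err != nil {
		panic(err)
	}
	bmc, sma := portal.Fetch(), portal.Fetch() // both parties fetch version 1
	now := int64(1700000000)
	clientCode, _ := TOTP(bmc.Algo, bmc.Key, now, 8)
	fmt.Println("v1 code accepted:", Verify(sma.Algo, sma.Key, now, 8, clientCode, 1))

	_ = portal.Rotate()  // portal updates key and algorithm
	sma = portal.Fetch() // server fetched version 2; BMC still holds version 1
	fmt.Println("v1 code after rotation:", Verify(sma.Algo, sma.Key, now, 8, clientCode, 1))
	bmc = portal.Fetch() // BMC catches up on its next periodic request
	clientCode, _ = TOTP(bmc.Algo, bmc.Key, now, 8)
	fmt.Println("v2 code accepted:", Verify(sma.Algo, sma.Key, now, 8, clientCode, 1))
}
```

`Verify` walks the window in fixed order and compares every candidate with `hmac.Equal`, so a rejected code costs the same as an accepted one. The run in `main` also shows the operational consequence of rotation: until the client has fetched the new `Config`, codes it computes under the old key and algorithm are rejected, which is why the description has both parties poll (or be pushed) on the same preconfigured interval.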
In one example, the web portal may provide a time value from its own clock, and the system management application and the baseboard management controller may each use the time value provided by the web portal to synchronize their own local clocks.

In some embodiments, the baseboard management controller may initiate a WebSocket connection with the system management application by sending a WebSocket request to the system management application addressed to the uniform resource locator associated with the system management application that was provided by the web portal. The WebSocket connection is a computer communication connection formed using the WebSocket computer communications protocol. The WebSocket computer communications protocol provides simultaneous two-way communication channels over a single Transmission Control Protocol (TCP) connection. Although the WebSocket computer communications protocol is distinct from the Hypertext Transfer Protocol (HTTP), the WebSocket protocol works over HTTP ports 443 and 80 and supports HTTP proxies and intermediaries, thus making WebSocket compatible with HTTP. To achieve compatibility, the WebSocket handshake uses the HTTP Upgrade header to change from the HTTP protocol to the WebSocket protocol.

A WebSocket connection may be established between a client application (i.e., software running on the baseboard management controller) and a web server (the system management application) and its underlying hardware. The computer acting as the WebSocket server listens for incoming WebSocket connections from the WebSocket client at the server’s URL on port 8080, which is reserved for web servers. While a Uniform Resource Locator (URL) is a human-readable string, such as https://www.lenovo.com/us/en/pc/, an Internet Protocol (IP) address is a numerical identifier that determines a device location on the Internet. However, the URL may include a protocol identifier (https://), a subdomain (www.), domain name (lenovo.com) and optional path or page information (/us/en/pc/). The URL contains information that allows the Domain Name System (DNS) to translate the human readable domain name into a corresponding IP address.

Embodiments of the method may further comprise the baseboard management controller and the system management application performing mutual authentication. For example, the mutual authentication may include the baseboard management controller using the public encryption key of the system management application to verify the identity of the system management application and the system management application using the public encryption key of the baseboard management controller to verify the identity of the baseboard management controller. Mutual authentication or two-way authentication (not to be confused with two-factor authentication) refers to two parties authenticating each other at the same time in an authentication protocol. The Transport Layer Security (TLS) cryptographic protocol provides communications security over a computer network, including securing HTTPS communications, and enables mutual authentication as an optional mode referred to as mutual TLS (mTLS).

Mutual authentication schemes may use different methods of encryption, communication, and verification, but all mutual authentication schemes involve both entities involved in the communication becoming verified. For example, if a first user / device (A) wants to communicate with a second user / device (B), they will both authenticate the other entity and verify that the entity is who the entity is expecting to communicate with before any data or messages are transmitted. A mutual authentication process that exchanges user IDs may be implemented as follows:

1. A sends a message (including A’s ID) encrypted with B's public key to B to show that A is a valid user.
2. B verifies the message:
   1. B checks the format and timestamp. If either is incorrect or invalid, the session is aborted.
   2. The message is then decrypted with B's secret key, giving A's ID.
   3. B checks if the message matches a valid user. If not, the session is aborted.
3. B sends a message (including B’s ID) back to A to show that B is a valid user.
4. A verifies the message:
   1. A checks the format and timestamp. If either is incorrect or invalid, the session is aborted.
   2. Then, the message is decrypted with A's secret key, giving B's ID.
   3. A checks if the message matches a valid user. If not, the session is aborted.
5. At this point, both parties are verified to be who they claim to be and safe for the other to communicate with.

To verify that mutual authentication has occurred successfully, Burrows-Abadi-Needham logic (BAN logic) is a well-regarded and widely accepted method to use, because it verifies that a message came from a trustworthy entity. BAN logic is a set of rules for defining and analyzing information exchange protocols. Specifically, BAN logic helps its users determine whether exchanged information is trustworthy, secured against eavesdropping, or both. BAN logic starts with the assumption that all information exchanges happen on media vulnerable to tampering and public monitoring. A typical BAN logic sequence includes verification of message origin, verification of message freshness, and verification of the origin's trustworthiness.

In some embodiments, the method may further comprise the baseboard management controller calculating an initial client TOTP value using the TOTP algorithm, the TOTP key and the current time value; the baseboard management controller sending the initial client TOTP value to the system management application; the system management application calculating an initial server TOTP value using the TOTP algorithm, the TOTP key, and the current time value; and the system management application verifying that the initial client TOTP value matches the initial server TOTP value.
Preferably, the requested WebSocket connection between the baseboard management controller and the system management application is established in response to successful mutual authentication (a first authentication factor) and successful verification of the client and server TOTP values (a second authentication factor). A process that involves multiple authentication factors may be referred to as Multi-Factor Authentication (MFA), or as Two-Factor Authentication (2FA) when, as here, two factors are used.

In some embodiments, the method may further comprise the baseboard management controller periodically calculating an updated client TOTP value using the most recently updated TOTP algorithm, the most recently updated TOTP key and the current time value according to a local clock of the baseboard management controller and the baseboard management controller sending the updated client TOTP value to the system management application. Subsequently, the system management application may calculate an updated server TOTP value using the most recently updated TOTP algorithm, the most recently updated TOTP key, and the current time value according to a local clock of the system management application and verify that the updated client TOTP value matches the updated server TOTP value. These updated TOTP values are preferably calculated for each of the preconfigured intervals, and matching TOTP values may verify the identity of the baseboard management controller to the system management application such that the WebSocket connection is maintained.

In some embodiments, the method may further comprise periodically maintaining the established WebSocket connection between the baseboard management controller and the system management application in response to a successful verification of the updated client and server TOTP values. Optionally, while two factors of authentication may have been required to establish the WebSocket connection, only the matching TOTP values (i.e., only one of the original two factors of authentication) may be required to maintain a WebSocket connection that has already been established. Conversely, the method may drop the established WebSocket connection between the baseboard management controller and the system management application in response to an unsuccessful verification of the updated TOTP value.

In some embodiments, it is a technical benefit that the foregoing embodiments may be implemented in environments where the baseboard management controller is located in a private subnet including a router for communicating over the Internet. Furthermore, the router may have a private IP address for communication with the server and other devices in the private subnet and a public IP address for communication with the system management application and other devices on the Internet. Accordingly, the router may perform network address translation on outbound and inbound traffic through the router. Network address translation at the subnet router will often prevent applications or devices outside the subnet from initiating communication with applications or devices inside the subnet. However, establishing a WebSocket connection between the baseboard management controller and the system management application as described in reference to embodiments herein allows the system management application to initiate communication with the baseboard management controller.

The foregoing computer program products described herein may further include program instructions for implementing or initiating any one or more aspects of the methods described herein. Furthermore, the operations of the computer program products may be implemented as operations in one or more of the methods described herein.
Still further, embodiments may include a system including the web portal, system management application and one or more baseboard management controllers as described herein, where the entities are configured to perform the operations of the method and / or execute the operations of the computer program product.

FIG. 1 is a diagram of a system 10 according to some embodiments. The system 10 includes a web portal 20 that provides an authentication service 22. The authentication service 22 and many other services of the web portal 20 are available to authorized entities via a wide area network (WAN) 12, such as the Internet.

The system 10 further includes an edge store 30 that supports the operation of one or more edge servers 32. Each edge server 32 includes a baseboard management controller (BMC) 34 that runs a WebSocket client application 36. Furthermore, the system 10 includes a router or similar networking hardware and software that perform Network Address Translation (NAT) 38.

Still further, the system 10 includes a cloud computing environment 40, such as Amazon Web Services (AWS) or Microsoft Azure, that provides computer system resources that are available on demand. The cloud computing resources may be shared among various users and will typically be managed by a cloud service provider rather than the users themselves. It should be recognized that the cloud computing environment is a non-limiting example of a computing environment for running a system management application, and the cloud computing environment may be a public, private, or hybrid cloud computing environment. The system management application 50 may be run in the cloud computing environment 40 and may include a WebSocket server application 52.
Embodiments of the invention may be carried out between the authentication service 22 of the web portal 20, the WebSocket client 36 of a baseboard management controller 34 and server 32, and the WebSocket server 52 of the system management application 50. However, these applications and / or logic modules may utilize other applications and / or logic modules that are available in order to perform the functions described in reference to the various embodiments. For example, the applications may utilize services provided by an operating system or other authentication modules that are not specifically identified herein.

FIG. 2A is a diagram of the system 10 according to some embodiments. The illustrated arrows 1-5C (numbers appearing encircled over the arrows) represent communications or operations between the authentication service 22, the WebSocket client 36 and the WebSocket server 52, although other resources and logic modules may be involved in the communications. The authentication service 22 acts as an intermediary between the WebSocket client 36 and the WebSocket server 52 to support the building of trust that is needed to establish a WebSocket between the WebSocket client 36 and the WebSocket server 52. In communication 1, the WebSocket server 52 synchronizes its time (T) with the web portal 20 and sends the URL and root certificate of the system management application 50 to the web portal 20. In communication 2, the WebSocket client 36 synchronizes its time (T) with the web portal 20 and sends its root certificate to the web portal 20. Accordingly, the clocks of the WebSocket client 36 and the WebSocket server 52 should be synchronized. In communication 3, the WebSocket client 36 retrieves: (1) the URL of the system management application 50, (2) the root certificate of the system management application 50, (3) a TOTP key provided by the authentication service 22, and (4) a TOTP algorithm also provided by the authentication service 22.
In communication 4, the WebSocket server 52 queries the web portal 20 periodically to get: (1) the uploaded root certificate of the baseboard management controller 34, (2) the TOTP key and (3) the TOTP algorithm. After communications 3 and 4, the WebSocket client 36 and the WebSocket server 52 both have the root certificate of the other entity to support mutual authentication and the same TOTP key, the same TOTP algorithm, and synchronized clocks to support exchange of TOTP values. In reference to communications 5A-C, the WebSocket client 36 initiates and forms a WebSocket connection with the WebSocket server 52. In communication 5A, the WebSocket client 36 sends a request for a WebSocket connection to the URL of the system management application 50. The WebSocket client 36 and WebSocket server 52 then utilize the root certificates of the other entity to perform mutual TLS (Transport Layer Security) to verify the identity of the other entity. Mutual TLS (mTLS) involves exchanging messages that are encrypted with the other entity’s public key, which only the other entity can decrypt with its private key to read the message, such as the identity of the other entity. In communication 5B, the WebSocket client 36 uses the TOTP key and TOTP algorithm that it obtained from the authentication service 22, and the current time, to generate a TOTP value, and sends this TOTP value to the WebSocket server 52. The WebSocket server 52 uses the TOTP key and TOTP algorithm, which were obtained by the WebSocket server 52 in communication 4, to generate its own TOTP value, and verifies that its generated TOTP value matches the TOTP value received from the WebSocket client 36. In communication 5C, if the mutual TLS verification and the TOTP verification pass, the WebSocket connection is established. Data may then be transmitted bidirectionally on the WebSocket connection between the WebSocket client 36 and the WebSocket server 52.

FIG. 2B is a diagram of the system 10 according to some embodiments.
The illustrated arrows 6-7B (numbers appearing encircled over the arrows) represent communications or operations between the authentication service 22, the WebSocket client 36 and the WebSocket server 52, although other resources and logic modules may be involved in the communications. The authentication service 22 acts as an intermediary between the WebSocket client 36 and the WebSocket server 52 to support a periodic verification of trust that is needed to maintain the previously established WebSocket connection between the WebSocket client 36 and the WebSocket server 52. In the two communications 6, the authentication service 22 of the web portal 20 periodically rotates or generates a new or updated TOTP key and a new or updated TOTP algorithm, then provides the new or updated TOTP key and algorithm to both the WebSocket client 36 and the WebSocket server 52. For example, the WebSocket client 36 and WebSocket server 52 may retrieve, request or otherwise receive the new or updated TOTP key and algorithm in a configured interval. In communication 7A, the WebSocket client 36 periodically sends a TOTP value calculated with the most-recently received TOTP key, the most-recently received TOTP algorithm, and the current time to the WebSocket server 52 for trust verification. For verification, the system management application 50, perhaps as part of the WebSocket server 52, will also calculate a new TOTP value using the most-recently received TOTP key, the most-recently received TOTP algorithm, and the current time, then determine whether the resulting TOTP value is the same as the TOTP value received from the WebSocket client 36. In communication 7B, if the TOTP verification passes (i.e., the TOTP values match), then the WebSocket connection is maintained until the next time interval.

FIG. 3 is a diagram of a server 100 having a baseboard management controller 34 according to some embodiments.
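The TOTP exchange runs through the whole lifecycle described above: the initial client and server TOTP values gate establishment together with mutual TLS (communications 5B and 5C), the periodic updated values alone keep the connection alive (7A and 7B), and a mismatch drops it, while the portal rotates the key and algorithm in between (communication 6). The following Python is an added example written for this page, not code from the patent or from Lenovo. It implements RFC 6238 TOTP (HMAC over the time counter with dynamic truncation) and models the three parties with constructed state; the set of rotatable hash functions, the 32-byte key length, the 30-second step and the fixed keys and timestamps in the walk-through are all assumptions of the example. Mutual TLS is represented only by a boolean result, since that check happens in the TLS stack rather than in application code.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30          # TOTP time step (RFC 6238 default; assumption here)
DIGITS = 6                 # length of the password value (assumption)

# Hash functions the portal may rotate between. Claim 7 speaks of selecting from a
# predetermined plurality of algorithms; which ones is an assumption of this example.
ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def totp(key, now, algo=hashlib.sha1, step=STEP_SECONDS, digits=DIGITS, counter_offset=0):
    """RFC 6238 TOTP: HOTP (RFC 4226) computed over the time counter floor(now / step)."""
    counter = now // step + counter_offset
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(key, algo, client_value, now, skew_steps=0):
    """Server-side check of a value received from the client.

    skew_steps=0 is the exact match the patent describes; a small positive value
    (an assumption, not in the patent) tolerates residual drift after the portal's
    time synchronization. The comparison is constant-time.
    """
    for off in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(key, now, algo, counter_offset=off), client_value):
            return True
    return False


class AuthService:
    """Model of the portal's authentication service 22: issues and rotates key/algorithm."""

    def __init__(self, key_source=secrets.token_bytes):
        self.key_source = key_source                          # injectable for deterministic tests
        self.generation = -1
        self.rotate()

    def rotate(self):
        """Communication 6: pick the next algorithm and a fresh random key."""
        self.generation += 1
        names = list(ALGORITHMS)
        self.algo_name = names[self.generation % len(names)]
        self.key = self.key_source(32)

    def current(self):
        """What the client (communication 3) and the server (communication 4) retrieve."""
        return self.generation, self.algo_name, self.key


class WebSocketSession:
    """Server-side view of one BMC-to-system-management-application WebSocket connection."""

    def __init__(self):
        self.established = False

    def establish(self, mtls_ok, algo_name, key, client_value, now):
        """Communication 5C: both factors (mTLS and a matching TOTP value) are required."""
        totp_ok = verify_totp(key, ALGORITHMS[algo_name], client_value, now)
        self.established = bool(mtls_ok and totp_ok)
        return self.established

    def maintain(self, algo_name, key, client_value, now):
        """Communications 7A/7B: only the TOTP factor is re-checked; a mismatch drops the connection."""
        if self.established:
            self.established = verify_totp(key, ALGORITHMS[algo_name], client_value, now)
        return self.established


def run_lifecycle():
    """Constructed walk-through with a fixed clock and fixed keys (not real secrets)."""
    fixed_keys = iter([b"K" * 32, b"L" * 32])
    portal = AuthService(key_source=lambda n: next(fixed_keys))
    server = WebSocketSession()
    events = []
    t = 1_700_000_000                                         # synchronized time value (constructed)

    gen, algo, key = portal.current()                         # communications 3 and 4
    client_value = totp(key, t, ALGORITHMS[algo])             # communication 5B, client side
    events.append(("establish", server.establish(True, algo, key, client_value, t)))

    t += STEP_SECONDS                                         # next interval, same key
    client_value = totp(key, t, ALGORITHMS[algo])             # communication 7A
    events.append(("maintain", server.maintain(algo, key, client_value, t)))

    portal.rotate()                                           # communication 6
    gen2, algo2, key2 = portal.current()
    t += STEP_SECONDS
    stale_value = totp(key, t, ALGORITHMS[algo])              # client missed the rotation
    events.append(("maintain-stale", server.maintain(algo2, key2, stale_value, t)))
    return events


if __name__ == "__main__":
    for name, ok in run_lifecycle():
        print(name, "ok" if ok else "dropped")
```

The walk-through shows the failure mode the section describes: once the portal rotates the key and algorithm, a client that keeps using the previous generation produces a value the server cannot reproduce, and the connection is dropped rather than kept on the strength of the earlier mutual TLS check.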
The server 100 may be representative of a server 32 in the edge store 30, representative of a server in the cloud computing environment 40 that runs the system management application 50, and / or representative of a server that supports the web portal 20 that runs the authentication service 22 as shown in FIGS. 1-2B. The server 100 includes a processor unit 104 that is coupled to a system bus 106. The processor unit 104 may utilize one or more processors, each of which has one or more processor cores. An optional graphics adapter 108, which may or may not drive / support an optional display 120, is also coupled to the system bus 106. The graphics adapter 108 may, for example, include a graphics processing unit (GPU). The system bus 106 may be coupled via a bus bridge 112 to an input / output (I / O) bus 114. An I / O interface 116 is coupled to the I / O bus 114, where the I / O interface 116 affords a connection with various optional I / O devices, such as a camera 110, a keyboard 118 (such as a touch screen virtual keyboard), and a USB mouse 124 via USB port(s) 126 (or other type of pointing device, such as a trackpad). As depicted, the server 100 is able to communicate with other network devices over a network, such as the wide area network 12, using a network adapter or network interface controller 105.

A hard drive interface 132 is also coupled to the system bus 106. The hard drive interface 132 interfaces with a hard drive 134. In a preferred embodiment, the hard drive 134 may communicate with system memory 136, which is also coupled to the system bus 106. The system memory may be volatile or non-volatile and may include additional higher levels of volatile memory (not shown), including, but not limited to, cache memory, registers and buffers. Data that populates the system memory 136 may include the operating system (OS) 140 and application programs 144.
The hardware elements depicted in the server 100 are not intended to be exhaustive, but rather are representative.

The operating system 140 includes a shell 141 for providing transparent user access to resources such as application programs 144. Generally, the shell 141 is a program that provides an interpreter and an interface between the user and the operating system. More specifically, the shell 141 may execute commands that are entered into a command line user interface or from a file. Thus, the shell 141, also called a command processor, is generally the highest level of the operating system software hierarchy and serves as a command interpreter. The shell may provide a system prompt, interpret commands entered by keyboard, mouse, or other user input media, and send the interpreted command(s) to the appropriate lower levels of the operating system (e.g., a kernel 142) for processing. Note that while the shell 141 may be a text-based, line-oriented user interface, the present invention may support other user interface modes, such as graphical, voice, gestural, etc.

As depicted, the operating system 140 also includes the kernel 142, which includes lower levels of functionality for the operating system 140, including providing essential services required by other parts of the operating system 140 and application programs 144. Such essential services may include memory management, process and task management, disk management, and mouse and keyboard management.

In addition, the server 100 may include application programs 144 stored in the system memory 136. Where the server 100 represents a server 32 in the edge store 30 of FIGS. 1-2A, the baseboard management controller 34 may store and run the WebSocket client 36 (not shown; see FIGS. 1-2A). Where the server 100 represents a server in the cloud computing environment 40, the application programs 144 may include the system management application 50.
Where the server 100 represents a server that supports the web portal 20, the application programs 144 may include the authentication service 22.

The server 100 further includes a baseboard management controller (BMC) 34. The baseboard management controller 34 is considered to be an out-of-band controller and may monitor and control various components of the server 100. However, the baseboard management controller 34 may also communicate with various devices via the network interface 105 and network(s) 12. For example, where the server 100 represents a server 32 in the edge store 30, the baseboard management controller 34 may use the NIC 105 to communicate with the system management application 50 and / or the web portal 20.

FIG. 4 is a diagram of a baseboard management controller (BMC) according to some embodiments. The BMC 34 is similar to a small computer or system on a chip (SoC), including a central processing unit (CPU) 160 (which is a separate entity from the processor unit 104 in FIG. 3), memory 161 (such as random-access memory (RAM) on a double data rate (DDR) bus), firmware 162 on a flash memory (such as an embedded multi-media card (eMMC) flash memory or a serial peripheral interface (SPI) flash memory), and a root of trust (RoT) chip 164. The BMC 34 further includes a wide variety of input / output ports. For example, the input / output (I / O) ports may include I / O ports 166 to the hardware components of the servers and / or a network interface controller (NIC), such as a Peripheral Component Interconnect Express (PCIe) port; I / O ports 167 that connect to a USB port; and I / O ports 168 to a network that is accessible to an external user, such as an Ethernet port. The BMC 34 may use any one or more of these I / O ports to interact with hardware devices installed on the server for purposes of monitoring and control.

FIG. 5 is a flowchart of operations 80 according to some embodiments.
Operation 82 includes receiving a uniform resource locator and a first root certificate from a system management application running in a cloud computing environment and accessible over a wide area network using the uniform resource locator, wherein the first root certificate includes a first public encryption key of a first public-private encryption key pair for the system management application, an identity of the system management application, and a digital signature of a root certificate authority that issued the first root certificate. Operation 84 includes receiving a second root certificate from a baseboard management controller of a server, wherein the second root certificate includes a second public encryption key of a second public-private encryption key pair for the baseboard management controller, an identity of the baseboard management controller, and a digital signature of a root certificate authority that issued the second root certificate. Operation 86 includes providing the baseboard management controller with the uniform resource locator of the system management application, the first root certificate of the system management application, a Time-based One-Time Password algorithm and a Time-based One-Time Password key. Operation 88 includes providing the system management application with the second root certificate of the baseboard management controller, the Time-based One-Time Password algorithm and the Time-based One-Time Password key. Operation 90 includes providing a time value to the system management application and the baseboard management controller enabling time synchronization between the system management application and the baseboard management controller, wherein the Time-based One-Time Password algorithm outputs a password value as a function of the Time-based One-Time Password key and a current value of the time. 
Operation 92 includes periodically updating the Time-based One-Time Password algorithm and the Time-based One-Time Password key. Operation 94 includes providing the most recently updated Time-based One-Time Password algorithm and the most recently updated Time-based One-Time Password key to the system management application and the baseboard management controller.

As will be appreciated by one skilled in the art, embodiments may take the form of a system, method or computer program product. Accordingly, embodiments may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, embodiments may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.

Any combination of one or more computer readable storage medium(s) may be utilized. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
Furthermore, any program instruction or code that is embodied on such computer readable storage media (including forms referred to as volatile memory) and that is not a transitory signal is, for the avoidance of doubt, considered “non-transitory”. Program code embodied on a computer readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.

Computer program code for carrying out various operations may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).

Embodiments may be described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems) and computer program products. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions.
These computer program instructions may be provided to a processor of a general-purpose computer, special purpose computer, and / or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions / acts specified in the flowchart and / or block diagram block or blocks. These computer program instructions may also be stored on computer readable storage media that are not a transitory signal, such that the program instructions can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, and such that the program instructions stored in the computer readable storage medium produce an article of manufacture. The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions / acts specified in the flowchart and / or block diagram block or blocks.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures.
For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and / or flowchart illustration, and combinations of blocks in the block diagrams and / or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of the claims. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and / or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, components and / or groups, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and / or groups thereof. The terms “preferably,” “preferred,” “prefer,” “optionally,” “may,” and similar terms are used to indicate that an item, condition or step being referred to is an optional (not required) feature of the embodiment.

The corresponding structures, materials, acts, and equivalents of all means or steps plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. Embodiments have been presented for purposes of illustration and description, but they are not intended to be exhaustive or limited to the embodiments in the form disclosed.
Many modifications and variations will be apparent to those of ordinary skill in the art after reading this disclosure. The disclosed embodiments were chosen and described as non-limiting examples to enable others of ordinary skill in the art to understand these embodiments and other embodiments involving modifications suited to a particular implementation.
Claims
1. A computer program product comprising a non-volatile computer readable medium and non-transitory program instructions embodied therein, the program instructions being configured to be executable by a processor to cause the processor to perform operations comprising:
receiving a uniform resource locator and a first root certificate from a system management application running in a cloud computing environment and accessible over a wide area network using the uniform resource locator, wherein the first root certificate includes a first public encryption key of a first public-private encryption key pair for the system management application, an identity of the system management application, and a digital signature of a root certificate authority that issued the first root certificate;
receiving a second root certificate from a baseboard management controller of a server, wherein the second root certificate includes a second public encryption key of a second public-private encryption key pair for the baseboard management controller, an identity of the baseboard management controller, and a digital signature of a root certificate authority that issued the second root certificate;
providing the baseboard management controller with the uniform resource locator of the system management application, the first root certificate of the system management application, a Time-based One-Time Password algorithm and a Time-based One-Time Password key;
providing the system management application with the second root certificate of the baseboard management controller, the Time-based One-Time Password algorithm and the Time-based One-Time Password key;
providing a time value to the system management application and the baseboard management controller enabling time synchronization between the system management application and the baseboard management controller, wherein the Time-based One-Time Password algorithm outputs a password value as a function of the Time-based One-Time Password key and a current value of the time;
periodically updating the Time-based One-Time Password algorithm and / or the Time-based One-Time Password key; and
providing the most recently updated Time-based One-Time Password algorithm and / or the most recently updated Time-based One-Time Password key to the system management application and the baseboard management controller.

2. The computer program product of claim 1, further comprising:
periodically receiving a request for the most recently updated Time-based One-Time Password algorithm and / or the most recently updated Time-based One-Time Password key from the baseboard management controller, wherein the most recently updated Time-based One-Time Password algorithm and / or the most recently updated Time-based One-Time Password key are provided to the baseboard management controller in response to receiving the request from the baseboard management controller; and
periodically receiving a request for the most recently updated Time-based One-Time Password algorithm and / or the most recently updated Time-based One-Time Password key from the system management application, wherein the most recently updated Time-based One-Time Password algorithm and / or the most recently updated Time-based One-Time Password key are provided to the system management application in response to receiving the request from the system management application.

3. The computer program product of claim 1, wherein the most recently updated Time-based One-Time Password algorithm and / or the most recently updated Time-based One-Time Password key provided to the system management application and the baseboard management controller supports mutual verification between the system management application and the baseboard management controller.

4. The computer program product of claim 1, further comprising:
periodically updating the time value to the system management application and the baseboard management controller to maintain the time synchronization between the system management application and the baseboard management controller.

5. The computer program product of claim 1, further comprising:
storing the uniform resource locator and the first root certificate received from the system management application; and
storing the second root certificate received from a baseboard management controller.

6. The computer program product of claim 1, wherein periodically updating the Time-based One-Time Password algorithm and / or the Time-based One-Time Password key includes periodically generating a new Time-based One-Time Password algorithm and / or a new Time-based One-Time Password key.

7. The computer program product of claim 1, wherein periodically updating the Time-based One-Time Password algorithm and / or the Time-based One-Time Password key includes:
periodically selecting a different Time-based One-Time Password algorithm from a predetermined plurality of Time-based One-Time Password algorithms; and
periodically selecting a different Time-based One-Time Password key from a predetermined plurality of Time-based One-Time Password keys.

8. A method, comprising:
a web portal receiving a uniform resource locator and a first root certificate from a system management application running in a cloud computing environment and accessible over a wide area network using the uniform resource locator, wherein the first root certificate includes a first public encryption key of a first public-private encryption key pair for the system management application, an identity of the system management application, and a digital signature of a root certificate authority that issued the first root certificate;
the web portal receiving a second root certificate from a baseboard management controller of a server, wherein the second root certificate includes a second public encryption key of a second public-private encryption key pair for the baseboard management controller, an identity of the baseboard management controller, and a digital signature of a root certificate authority that issued the second root certificate;
the web portal providing the baseboard management controller with the uniform resource locator of the system management application, the first root certificate of the system management application, a Time-based One-Time Password algorithm and a Time-based One-Time Password key;
the web portal providing the system management application with the second root certificate of the baseboard management controller, the Time-based One-Time Password algorithm and the Time-based One-Time Password key;
the web portal providing a time value to the system management application and the baseboard management controller enabling time synchronization between the system management application and the baseboard management controller, wherein the Time-based One-Time Password algorithm outputs a Time-based One-Time Password value as a function of the Time-based One-Time Password key and a current value of the time;
the web portal periodically updating the Time-based One-Time Password algorithm and / or the Time-based One-Time Password key; and
the web portal providing the most recently updated Time-based One-Time Password algorithm and / or the most recently updated Time-based One-Time Password key to the system management application and the baseboard management controller.

9. The method of claim 8, further comprising:
the baseboard management controller periodically requesting and receiving the most recently updated Time-based One-Time Password algorithm and / or the most recently updated Time-based One-Time Password key from the web portal; and
the system management application periodically requesting and receiving the most recently updated Time-based One-Time Password algorithm and / or the most recently updated Time-based One-Time Password key from the web portal.

10. The method of claim 8, wherein the baseboard management controller and the system management application obtain the updated Time-based One-Time Password algorithm
and / or the updated Time-based One-Time Password key on a preconfigured, repeating time interval.11.The method of claim 8, further comprising:the system management application and the baseboard management controller each using the time value provided by the web portal to synchronize a local clock.12.The method of claim 8, further comprising:the baseboard management controller initiating a WebSocket connection with the system management application by sending a WebSocket request to the system management application addressed to the uniform resource locator provided by the web portal.13.The method of claim 12, further comprising:the baseboard management controller and the system management application performing mutual authentication.14.The method of claim 13, wherein the mutual authentication includes:the baseboard management controller using the public encryption key of the system management application to verify the identity of the system management application; andthe system management application using the public encryption key of the baseboard management controller to verify the identity of the baseboard management controller.15.The method of claim 14, further comprising:the baseboard management controller calculating an initial client Time-based One-Time Password value using the Time-based One-Time Password algorithm, the Time-based One-Time Password key and the current time value;the baseboard management controller sending the initial client Time-based One-Time Password value to the system management application;the system management application calculating an initial server Time-based One-Time Password value using the Time-based One-Time Password algorithm, the Time-based One-Time Password key, and the current time value; andthe system management application verifying that the initial client Time-based One-Time Password value matches the initial server Time-based One-Time Password value.16.The method of claim 15, further comprising:establishing the 
requested WebSocket connection between the baseboard management controller and the system management application in response to successful mutual authentication and successful verification of the client and server Time-based One-Time Password values.17.The method of claim 16, further comprising:the baseboard management controller periodically calculating an updated client Time-based One-Time Password value using the most recently updated Time-based One-Time Password algorithm, the most recently updated Time-based One-Time Password key and the current time value according to a local clock of the baseboard management controller;the baseboard management controller sending the updated client Time-based One-Time Password value to the system management application;the system management application calculating an updated server Time-based One-Time Password value using the most recently updated Time-based One-Time Password algorithm, the most recently updated Time-based One-Time Password key, and the current time value according to a local clock of the system management application; andthe system management application verifying that the updated client Time-based One-Time Password value matches the updated server Time-based One-Time Password value.18.The method of claim 17, further comprising:periodically maintaining the established WebSocket connection between the baseboard management controller and the system management application in response to a successful verification of the updated client and server Time-based One-Time Password values.19.The method of claim 18, further comprising:dropping the established WebSocket connection between the baseboard management controller and the system management application in response to an unsuccessful verification of the updated Time-based One-Time Password value.20.The method of claim 8, wherein the server is located in a private subnet including a router for communicating over the Internet, wherein the router has a private IP 
address for communication with the server and other devices in the private subnet and a public IP address for communication with the system management application and other devices on the Internet, and wherein the router performs network address translation on outbound and inbound traffic through the router.
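The Time-based One-Time Password exchange of claims 15 through 19 (initial client value checked by the server before the WebSocket is established, periodic updated values that keep it open, and a drop on a failed check), together with the portal's rotation of the algorithm and key from a predetermined set (claims 6, 7, 9 and 10), can be sketched in Python as follows. This is an added example written for this page, not code from the patent or from Lenovo; the TOTP computation follows RFC 6238, and the class names, the 30-second time step, the eight-digit codes, the one-step skew window, the three HMAC variants used as the "predetermined plurality" of algorithms, and the stand-in session object are all assumptions of the example. The WebSocket transport and the certificate-based mutual authentication of claim 14 are outside the block; it models only the password values that the claims layer on top of them.

```python
"""Added example (not from the patent): TOTP values between a BMC (client)
and a system management application (server), with the algorithm, key and
time value handed out by a web portal. Names, the 30 s step, 8 digits and
the +/-1-step window are this example's assumptions."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

STEP = 30  # seconds per TOTP time step (assumption)

# Predetermined plurality of TOTP algorithms the portal can select from
# (claim 7). The labels are the example's own.
TOTP_ALGORITHMS = ("HMAC-SHA1", "HMAC-SHA256", "HMAC-SHA512")
_DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256,
            "HMAC-SHA512": hashlib.sha512}


def totp(key: bytes, algorithm: str, unix_time: int, step: int = STEP, digits: int = 8) -> str:
    """RFC 6238 TOTP: HMAC over the big-endian time-step counter, then the
    RFC 4226 dynamic truncation to a fixed number of decimal digits."""
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), _DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass(frozen=True)
class TotpParams:
    algorithm: str
    key: bytes


class WebPortal:
    """Hands out the current TOTP algorithm/key and rotates them (claims 1,
    6, 7). key_source is injectable so a test can pass a constructed key;
    the default draws from the OS CSPRNG."""
    def __init__(self, key_source=secrets.token_bytes):
        self._key_source = key_source
        self._index = 0
        self._params = TotpParams(TOTP_ALGORITHMS[0], key_source(32))

    def rotate(self) -> TotpParams:
        # Next algorithm from the predetermined set plus a freshly generated key.
        self._index = (self._index + 1) % len(TOTP_ALGORITHMS)
        self._params = TotpParams(TOTP_ALGORITHMS[self._index], self._key_source(32))
        return self._params

    def current_params(self) -> TotpParams:
        return self._params


class Endpoint:
    """Either side (BMC or management application): a local clock set from
    the portal's time value and the most recently fetched parameters."""
    def __init__(self, portal: WebPortal, portal_time: int):
        self.params = portal.current_params()
        self.clock = portal_time  # advanced by the caller in this example

    def refresh(self, portal: WebPortal, portal_time: int) -> None:
        self.params = portal.current_params()  # claims 9/10: periodic re-fetch
        self.clock = portal_time               # claim 11: re-sync local clock

    def code(self) -> str:
        return totp(self.params.key, self.params.algorithm, self.clock)

    def verify(self, presented: str, window: int = 1) -> bool:
        """Accept the value for the current step or +/- `window` steps of
        clock skew; compare in constant time to avoid a timing side channel."""
        for delta in range(-window, window + 1):
            expected = totp(self.params.key, self.params.algorithm,
                            self.clock + STEP * delta)
            if hmac.compare_digest(expected, presented):
                return True
        return False


class WebSocketSession:
    """Stand-in for the connection: opened only after the initial check
    (claim 16), kept on each successful periodic check (claim 18), dropped
    on a failed one (claim 19). The real transport is not modelled."""
    def __init__(self, server: Endpoint):
        self.server = server
        self.open = False

    def establish(self, client_code: str) -> bool:
        self.open = self.server.verify(client_code)
        return self.open

    def keepalive(self, client_code: str) -> bool:
        if self.open:
            self.open = self.server.verify(client_code)
        return self.open
```

The rotation step shows the operational point behind claims 9 and 10: once the portal rotates, an endpoint that has not re-fetched the parameters produces values the other side rejects, so the refresh interval on both sides must be shorter than the portal's rotation interval or the connection is dropped at the next periodic check rather than maintained.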