CN112953932B - Identity authentication gateway integration design method and system based on CA certificate - Google Patents
Abstract
The invention relates to the technical field of identity authentication gateways and discloses a CA (certificate authority) certificate-based identity authentication gateway integration design method and integration system. The method comprises an identity authentication gateway design method and a load balancing design method. In the identity authentication gateway design method, the identity authentication gateway is deployed as a cluster of a plurality of gateway devices and provides security services to users across the whole network when they access an application system. The load balancing design method integrates two gateway load balancing devices at the front end of the gateway devices and two application load balancing devices at the rear end of the gateway devices, so that identity authentication access requests are shared effectively. By deploying the identity authentication gateway as a cluster and introducing a load balancing mechanism, the invention solves the performance, stability and single-point-of-failure problems of the identity authentication gateway, improves the resource utilization of the gateway equipment, and ensures the security, high availability and stability of the information system's operation.
Description
Technical Field
The invention relates to the technical field of identity authentication gateway integration, in particular to a CA certificate-based identity authentication gateway integration design method and an integration system.
Background
As the number of enterprise application systems and users keeps growing, and high-concurrency access volumes and data volumes keep increasing, a single identity authentication gateway carries performance and single-point-of-failure risks and cannot meet future business requirements. Once the service of the active authentication gateway device is interrupted for performance reasons, all authentication requests are transferred at once to the standby gateway device, which within a certain time also suffers a service interruption from the excessive access pressure. The dual-machine hot-standby deployment mode therefore only solves the high-availability problem of the authentication gateway and cannot effectively solve the performance bottleneck. A new integrated design method for the identity authentication gateway is therefore needed to better meet the identity authentication requirements of current services.
Disclosure of Invention
The invention provides an identity authentication gateway integration design method and an identity authentication gateway integration system based on a CA certificate, so that the problems in the prior art are solved.
In the identity authentication gateway design method, the identity authentication gateway is deployed as a cluster of a plurality of gateway devices; it authenticates the authentication request sent by an access terminal device on the basis of a CA digital certificate authentication system and a hardware feature code identifier, and provides a plurality of security services to users across the whole network who access an application system through the identity authentication gateway. The load balancing design method integrates two gateway load balancing devices at the front end of the gateway devices and two application load balancing devices at the rear end of the gateway devices, so that identity authentication access requests are shared effectively; both pairs of load balancing devices are deployed in the main path, and each pair operates in dual-active mode.
Further, the plurality of security services include unified identity authentication, access control and/or single sign-on.
Further, the method for providing a plurality of security services for the whole network user to access the application system through the identity authentication gateway comprises the following steps:
S1) the user accesses the URL address of the identity authentication gateway through a browser, logs in to the identity authentication gateway with a password key (USBKey), and submits an authentication request;
S2) the gateway load balancing device distributes the authentication request by polling to one of the gateway devices according to the load balancing strategy, and the identity authentication gateway synchronizes the user's request session to all gateway devices in the cluster configuration through the cluster service configuration;
S3) the gateway device receiving the authentication request requires the user to present a CA certificate for signature verification; the user enters the certificate PIN code in a pop-up box on the browser web page, and the identity authentication gateway reads the certificate information and performs user identity authentication. If the user identity authentication succeeds, proceed to step S4); otherwise, return to step S1);
S4) after the user identity authentication succeeds, a communication link to the proxied application system is opened, and the identity authentication gateway sends the authenticated CA certificate information and the authentication-passed information to the proxied application system through the application load balancing devices at the rear end of the gateway devices;
S5) after receiving the certificate information and the authentication-passed information sent by the identity authentication gateway, the proxied application system opens the corresponding page to the user according to the user's authority, and the user performs single sign-on from that page.
Further, step S5) also includes that the proxied application system maintains the user's session information through a secure Cookie mechanism, so the user does not need to authenticate again when logging in to the application system.
Further, integrating the two gateway load balancing devices at the front end of the gateway devices to share identity authentication access requests effectively comprises: configuring the identity authentication gateway's authentication port and application access port address as real services of the gateway load balancing devices, adding the real services to a real service group, and then configuring an external virtual service for load distribution over the real service group. The gateway load balancing devices balance load across the identity authentication gateway devices behind them through a virtual IP address: they receive user authentication requests and then send each request to one of the rear-end gateway devices through a polling (round-robin) algorithm. The gateway load balancing devices detect the state of the gateway devices through a health detection mechanism, and when a gateway device is detected to be abnormal they automatically remove it from the polling nodes. Through a session holding mechanism, the gateway load balancing devices ensure that a user reaches the same gateway device within the session holding time. The two gateway load balancing devices ensure zero service interruption through dual-active mode. The two network ports of each gateway device in the identity authentication gateway cluster are connected to the two gateway load balancing devices respectively; both ports work at the same time and transmit and receive data simultaneously, and when one network port of a gateway device fails, the gateway load balancing devices send data to the other network port of that gateway device through the detection mechanism.
Further, integrating the two application load balancing devices at the rear end of the gateway devices to share identity authentication access requests effectively comprises: the identity authentication gateway sends the authenticated CA certificate information and the authentication-passed information, through the application load balancing devices at the rear end of the gateway devices, to one application system among the plurality of proxied application systems. The application load balancing devices send the CA certificate information and the authentication-passed information to one of the proxied application systems through a polling algorithm; through a session holding mechanism they ensure that a user reaches the same application system within the session holding time; and they monitor the health of the proxied application systems in real time. When any one of the proxied application systems fails, the application load balancing devices switch the user's access request to another normal application system in real time.
Further, the identity authentication gateway supports a main-path authentication working mode and a bypass authentication working mode. The application systems used in the main-path authentication working mode comprise a comprehensive management platform, a business and property integration platform and/or office automation; the application system used in the bypass authentication working mode comprises a NAS network disk system.
Further, the two gateway load balancing devices at the front end of the gateway devices and the two application load balancing devices at the rear end of the gateway devices are deployed in the main path, and the application systems used in the main-path deployment comprise a comprehensive management platform, a business and property integration platform and/or office automation.
Further, the CA digital certificate authentication system is located on a CA certificate server, which is deployed in a secure area according to the network hierarchical domain principle; the hardware feature code identifier comprises a MAC address and a hard disk serial number; and a real service comprises a server address, a server port, a service type, an application access control rule and a server role.
In another aspect, the invention provides a CA certificate-based identity authentication gateway integration system comprising a plurality of access terminal devices, two gateway load balancing devices, an identity authentication gateway cluster, two application load balancing devices, a plurality of application area servers and a CA certificate server. The identity authentication gateway cluster comprises a plurality of gateway devices. The access terminal devices are connected in sequence to the two gateway load balancing devices through a plurality of network devices, which comprise a plurality of access layer switches, a plurality of core layer switches and a firewall. The gateway devices are each connected to the two application load balancing devices, and the two application load balancing devices are each connected to the application area servers through application area switches. Each application area server comprises a plurality of proxied application systems. The CA certificate server comprises the CA digital certificate authentication system and is deployed in a secure area according to the network hierarchical domain division principle.
The beneficial effects of the invention are as follows. The invention provides a method for deploying identity authentication gateways as a cluster, integrating gateway load balancing devices at the front end of the gateway and application load balancing devices at the rear end of the gateway so that identity authentication access requests are shared effectively. By expanding the capacity of the existing gateway, the invention solves the performance, stability and single-point-of-failure problems of the identity authentication gateway, strengthens the secure-operation guarantee of the information system, and effectively improves its security, high availability and stability. By clustering the existing gateway, the invention relieves pressure on the application systems, reduces the probability of service interruption caused by excessive service pressure, and improves the scalability of the application systems' deployment architecture. By introducing a load balancing mechanism, the network architecture is further optimized, the resource utilization of the identity authentication gateway is improved, and fast and stable user access is ensured. Through the detection mechanism, the invention switches from a faulty gateway device to a normal gateway device, thereby avoiding a single point of failure of the gateway device.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the embodiments are briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a schematic flow chart illustrating how an identity authentication gateway provides a plurality of security services according to a first embodiment of the present invention.
Fig. 2 is a schematic flow chart of the user access integrated management platform according to the first embodiment.
Fig. 3 is a schematic structural diagram of an identity authentication gateway integrated system based on a CA certificate according to the first embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the invention, are intended for purposes of illustration only and are not intended to limit the scope of the invention. It is noted that the terms "comprises" and "comprising," and any variations thereof, in the description and claims of the present invention and the above-described drawings are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of elements is not necessarily limited to those elements, but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
The identity authentication gateway integration design method comprises an identity authentication gateway design method and a load balancing design method. The identity authentication gateway is deployed as a cluster of a plurality of gateway devices; on the basis of a CA digital certificate authentication system and a hardware feature code identifier it authenticates the authentication request sent by an access terminal device, and it provides a plurality of security services to users across the whole network who access an application system through the identity authentication gateway. The load balancing design method integrates two gateway load balancing devices at the front end of the gateway devices and two application load balancing devices at the rear end of the gateway devices, so that identity authentication access requests are shared effectively; both pairs of load balancing devices are deployed in the main path, and each pair operates in dual-active mode.
The plurality of security services comprise identity authentication, access control and/or single sign-on. Single sign-on means that, among a plurality of application systems, a user only needs to log in once to access all mutually trusted application systems.
The performance of a single identity authentication gateway is 3400 new connections, 20000 concurrent connections and 840M throughput. The future target performance of the existing network is 10000 new connections, 60000 concurrent connections and 3000M throughput. With the identity authentication gateway deployed as a cluster of four gateway devices, performance reaches 13600 new connections, 80000 concurrent connections and 3360M throughput. On the basis of the CA certificate authentication system, the identity authentication gateway provides unified security services such as identity authentication, access control and single sign-on to users across the whole network accessing application systems through it. The identity authentication gateway has two working modes, main path and bypass. It supports the CA digital certificate authentication mode and uses a hardware feature code identifier to authenticate the access terminal device.
Providing a plurality of security services to a whole-network user accessing an application system through the identity authentication gateway comprises the following steps, as shown in Fig. 1:
S1) the user accesses the URL address of the identity authentication gateway through a browser, logs in to the identity authentication gateway with a password key (USBKey), and submits an authentication request;
S2) the gateway load balancing device distributes the authentication request by polling to one of the gateway devices according to the load balancing strategy, and the identity authentication gateway synchronizes the user's request session to all gateway devices in the cluster configuration through the cluster service configuration;
S3) the gateway device receiving the authentication request requires the user to present a CA certificate for signature verification; the user enters the certificate PIN code in a pop-up box on the browser web page, and the identity authentication gateway reads the certificate information and performs user identity authentication. If the user identity authentication succeeds, proceed to step S4); otherwise, return to step S1);
S4) after the user identity authentication succeeds, a communication link to the proxied application system is opened, and the identity authentication gateway sends the authenticated CA certificate information and the authentication-passed information to the proxied application system through the application load balancing devices at the rear end of the gateway devices;
S5) after receiving the certificate information and the authentication-passed information sent by the identity authentication gateway, the proxied application system opens the corresponding page to the user according to the user's authority.
Step S5) further includes that the proxied application system maintains the user's session information through the secure Cookie mechanism, so the user does not need to authenticate again when logging in to the application system.
Integrating the two gateway load balancing devices at the front end of the gateway devices to share identity authentication access requests effectively comprises: configuring the identity authentication gateway's authentication port and application access port address as real services of the gateway load balancing devices, adding the real services to a real service group, and then configuring an external virtual service for load distribution over the real service group. The gateway load balancing devices balance load across the identity authentication gateway devices behind them through a virtual IP address: they receive user authentication requests and then send each request to one of the rear-end gateway devices through a polling (round-robin) algorithm. The gateway load balancing devices detect the state of the gateway devices through a health detection mechanism, and when a gateway device is detected to be abnormal they automatically remove it from the polling nodes. Through a session holding mechanism, the gateway load balancing devices ensure that a user reaches the same gateway device within the session holding time. The two gateway load balancing devices ensure zero service interruption through dual-active mode. The two network ports of each gateway device in the identity authentication gateway cluster are connected to the two gateway load balancing devices respectively; both ports work at the same time and transmit and receive data simultaneously, and when one network port of a gateway device fails, the gateway load balancing devices send data to the other network port of that gateway device through the detection mechanism.
Integrating the two application load balancing devices at the rear end of the gateway devices to share identity authentication access requests effectively comprises: the identity authentication gateway sends the authenticated CA certificate information and the authentication-passed information, through the application load balancing devices at the rear end of the gateway devices, to one application system among the plurality of proxied application systems. The application load balancing devices send the CA certificate information and the authentication-passed information to one of the proxied application systems through a polling algorithm; through a session holding mechanism they ensure that a user reaches the same application system within the session holding time; and they monitor the health of the proxied application systems in real time. When any one of the proxied application systems fails, the application load balancing devices switch the user's access request to another normal application system in real time.
The session holding time is set to 10 minutes. The throughput performance of the gateway load balancing devices and the application load balancing devices is 10-gigabit (10 Gbit/s) class, and the throughput performance of the gateway devices in the identity authentication gateway is gigabit (1 Gbit/s) class. The identity authentication gateway supports a main-path authentication working mode and a bypass authentication working mode. The application systems used in the main-path authentication working mode comprise a comprehensive management platform, a business and property integration platform and/or office automation; the application system used in the bypass authentication working mode comprises a NAS network disk system.
The two gateway load balancing devices at the front end of the gateway devices and the two application load balancing devices at the rear end of the gateway devices are deployed in the main path, and the application systems used in the main-path deployment comprise a comprehensive management platform, a business and property integration platform and/or office automation.
The CA digital certificate authentication system is located on a CA certificate server, which is deployed in a secure area according to the network hierarchical domain principle; the hardware feature code identifier comprises a MAC address and a hard disk serial number; and a real service comprises a server address, a server port, a service type, an application access control rule and a server role.
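As an added illustration (not code from the patent), the following Python model shows the behaviour the two load balancing layers above are described as having: polling over a real-service group behind a virtual IP, health detection that drops an abnormal node from polling, and session holding for the page's 10-minute hold time, applied first to the gateway layer and then to the application layer for the same user session. The addresses, VIPs and the four-gateway/three-platform pool sizes are constructed placeholders; the dual-active pairing of the devices and the dual network ports of each gateway are not modelled.

```python
import time
from dataclasses import dataclass

SESSION_HOLD_SECONDS = 10 * 60  # the page sets the session holding time to 10 minutes


@dataclass
class RealService:
    """One node in a load balancer's real-service group: address, port and role, as listed on the page."""
    address: str
    port: int
    role: str            # "gateway" behind the gateway LB, "application" behind the application LB
    healthy: bool = True

    @property
    def name(self) -> str:
        return f"{self.address}:{self.port}"


class LoadBalancer:
    """Polling (round-robin) over a real-service group behind one virtual IP, with health detection
    that removes abnormal nodes from polling and a session holding mechanism that keeps a session
    on one node until hold_seconds have elapsed since its last request."""

    def __init__(self, vip, real_services, hold_seconds=SESSION_HOLD_SECONDS, clock=time.monotonic):
        self.vip = vip
        self.pool = list(real_services)
        self.hold_seconds = hold_seconds
        self.clock = clock            # injectable so the behaviour can be tested deterministically
        self._rr = 0                  # polling position
        self._sessions = {}           # session id -> (node, last seen time)

    def health_check(self, probe):
        """probe(node) -> bool. Nodes failing the probe are flagged and left out of polling.
        Returns the names of the nodes removed."""
        removed = []
        for node in self.pool:
            node.healthy = probe(node)
            if not node.healthy:
                removed.append(node.name)
        return removed

    def _poll(self):
        live = [n for n in self.pool if n.healthy]
        if not live:
            raise RuntimeError(f"no healthy real service behind VIP {self.vip}")
        node = live[self._rr % len(live)]
        self._rr += 1
        return node

    def route(self, session_id):
        """Return the node for this session: the held node while it is healthy and the hold time
        has not elapsed, otherwise the next node from polling (a failed node is thus bypassed)."""
        now = self.clock()
        held = self._sessions.get(session_id)
        if held is not None:
            node, last_seen = held
            if node.healthy and now - last_seen <= self.hold_seconds:
                self._sessions[session_id] = (node, now)
                return node
        node = self._poll()
        self._sessions[session_id] = (node, now)
        return node


class FakeClock:
    """Manually advanced clock used by the demonstration and tests instead of real time."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def two_tier_route(gateway_lb, app_lb, session_id):
    """Main-path flow: the gateway LB picks the gateway device for the user's session, and after
    authentication the application LB picks the proxied application system for the same session."""
    return gateway_lb.route(session_id).name, app_lb.route(session_id).name


def demo():
    clock = FakeClock()
    # Constructed addresses: four gateway devices (the page's cluster size) and three comprehensive
    # management platform instances (the page's example); the VIPs are placeholders.
    gateway_lb = LoadBalancer("10.0.0.1", [RealService(f"10.0.1.{i}", 443, "gateway") for i in range(1, 5)], clock=clock)
    app_lb = LoadBalancer("10.0.0.2", [RealService(f"10.0.2.{i}", 8443, "application") for i in range(1, 4)], clock=clock)
    trace = []
    for user in ("alice", "bob", "carol"):
        trace.append((user, *two_tier_route(gateway_lb, app_lb, user)))
    trace.append(("alice-again", *two_tier_route(gateway_lb, app_lb, "alice")))  # held on the same nodes
    removed = gateway_lb.health_check(lambda n: n.address != "10.0.1.1")          # gateway 1 becomes abnormal
    trace.append(("alice-after-failure", *two_tier_route(gateway_lb, app_lb, "alice")))
    clock.advance(SESSION_HOLD_SECONDS + 1)                                       # hold time expires
    trace.append(("bob-after-hold-expiry", *two_tier_route(gateway_lb, app_lb, "bob")))
    return removed, trace


if __name__ == "__main__":
    removed_nodes, rows = demo()
    print("removed from polling:", removed_nodes)
    for row in rows:
        print(*row)
```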
In another aspect, an embodiment of the invention provides a CA certificate-based identity authentication gateway integration system, as shown in Fig. 3, comprising a plurality of access terminal devices, two gateway load balancing devices, an identity authentication gateway cluster, two application load balancing devices, a plurality of application area servers and a CA certificate server. The identity authentication gateway cluster comprises a plurality of gateway devices. The access terminal devices are connected in sequence to the two gateway load balancing devices through a plurality of network devices, which comprise a plurality of access layer switches, a plurality of core layer switches and a firewall. The gateway devices are each connected to the two application load balancing devices, and the two application load balancing devices are each connected to the application area servers through the application area switches. Each application area server comprises a plurality of proxied application systems. The CA certificate server comprises the CA digital certificate authentication system and is deployed in a secure area according to the network hierarchical domain division principle.
In this embodiment, when the user accesses the application system through the identity authentication gateway and the gateway load balancing in the main-path authentication working mode, the application system is the comprehensive management platform. The whole flow, as shown in Fig. 2, comprises the following steps:
(1) The user accesses the URL address of the identity authentication gateway through a browser;
(2) When the user's request reaches the load balancing device, it distributes the access request to the appropriate identity authentication gateway according to the preset load strategy;
(3) The load balancing device monitors the health of the identity authentication gateways in real time, so it can detect a failed gateway in real time and promptly switch the user's access request to another normal identity authentication gateway;
(4) After receiving the user's access request, the identity authentication gateway selected by the load balancing strategy requires the user to present a digital certificate; the user enters the certificate PIN code in a pop-up box on the web page, the identity authentication gateway reads the certificate information and performs user identity authentication, and after identity authentication passes, the gateway portal is shown and the user clicks the comprehensive management platform system link;
(5) When the gateway passes the authentication-passed information (traffic) to the application load balancing device, the application load balancing device quickly distributes the traffic to one of the comprehensive management platform systems according to the preset load strategy (for example, with three sets of comprehensive management platform systems, to any one of comprehensive management platform 1, comprehensive management platform 2 or comprehensive management platform 3);
(6) The load balancing device monitors the health of the comprehensive management platform systems in real time, so it can detect a failed comprehensive management platform system in real time and promptly switch the user's access request to another normal comprehensive management platform system;
(7) After receiving the certificate information and the authentication-passed information passed on by the gateway, the comprehensive management platform system opens the corresponding page to the user according to the user's authority;
(8) When the whole process is complete, the user has logged in to the comprehensive management platform system normally by certificate.
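As an added example (not the patent's own code), the following Python sketch models the hand-off of steps S4/S5 above, that is steps (5) and (7) of the flow just described, from the gateway's side and the proxied application's side: the authentication-passed information is forwarded as a keyed, expiring, single-use token bound to the certificate information, and the application answers with a Secure/HttpOnly cookie that carries the session so the user is not authenticated again. The shared key, the HMAC construction, the sample certificate fields and the authority map are assumptions introduced for the example; the PIN entry and the certificate signature verification of step S3 happen before this code runs.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample of the certificate fields the gateway forwards; not taken from the patent.
SAMPLE_CERT_INFO = {"subject": "CN=zhangsan,OU=ops,O=example", "serial": "1A2B3C",
                    "issuer": "CN=Example Enterprise CA"}
# Assumption: gateway and proxied application share a key so the application can check that the
# authentication-passed information really came from the gateway (the page does not specify this).
GATEWAY_APP_KEY = b"constructed-shared-key-for-example-only"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def gateway_issue_pass(cert_info, key, now, ttl=60):
    """Step S4: once the signature verification of step S3 has succeeded, the gateway builds the
    authentication-passed information to forward. Modelled here as a JSON payload carrying the
    certificate information, issue/expiry times and a nonce, protected by an HMAC-SHA256 tag."""
    payload = {"cert": cert_info, "iat": int(now), "exp": int(now) + ttl, "nonce": secrets.token_hex(8)}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


class ApplicationSystem:
    """Step S5: the proxied application accepts the forwarded information, opens the page the user's
    authority allows, and keeps the session in a secure Cookie so the user is not re-authenticated."""

    def __init__(self, key, authority, session_ttl=600):
        self.key = key
        self.authority = authority          # certificate subject -> page the user may open
        self.session_ttl = session_ttl
        self.sessions = {}                  # cookie value -> (subject, expiry time)
        self._seen_nonces = set()           # rejects replay of a forwarded pass within its lifetime

    def accept_pass(self, token, now):
        """Return (session id, Set-Cookie header, page) or None if the pass is not acceptable."""
        try:
            body_b64, tag_b64 = token.split(".")
            body, tag = _unb64(body_b64), _unb64(tag_b64)
        except ValueError:
            return None                     # malformed token
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                     # not issued by the gateway, or altered in transit
        payload = json.loads(body)
        if not (payload["iat"] <= now < payload["exp"]) or payload["nonce"] in self._seen_nonces:
            return None                     # stale or replayed
        self._seen_nonces.add(payload["nonce"])
        subject = payload["cert"]["subject"]
        page = self.authority.get(subject)
        if page is None:
            return None                     # authenticated, but no authority on this application
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (subject, now + self.session_ttl)
        cookie = f"Set-Cookie: SESSION={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
        return sid, cookie, page

    def check_cookie(self, sid, now):
        """Later requests present only the cookie; returns the subject while the session is live."""
        entry = self.sessions.get(sid)
        if entry is None or now >= entry[1]:
            self.sessions.pop(sid, None)
            return None
        return entry[0]


def demo():
    app = ApplicationSystem(GATEWAY_APP_KEY, {"CN=zhangsan,OU=ops,O=example": "/platform/home"})
    token = gateway_issue_pass(SAMPLE_CERT_INFO, GATEWAY_APP_KEY, now=1000)
    first = app.accept_pass(token, now=1010)    # accepted: fresh, genuine, first use
    replay = app.accept_pass(token, now=1020)   # rejected: same nonce seen already
    sid = first[0] if first else None
    return first, replay, app.check_cookie(sid, now=1500), app.check_cookie(sid, now=1700)


if __name__ == "__main__":
    accepted, replayed, live, expired = demo()
    print("accepted:", accepted is not None, "replay accepted:", replayed is not None)
    print("session subject at t=1500:", live, "| at t=1700:", expired)
```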
The technical scheme disclosed by the invention yields the following beneficial effects:
the invention adopts a clustered deployment design for the identity authentication gateway, and integrates gateway load balancing devices at the front end of the gateway and application load balancing devices at the rear end of the gateway to share identity authentication access requests effectively. By clustering the identity authentication gateway and introducing a load balancing mechanism, the invention solves the performance, stability and single-point-of-failure problems of the identity authentication gateway, improves the resource utilization of the identity authentication gateway devices, and ensures the security, high availability and stability of the information system's operation.
The above is only a preferred embodiment of the present invention. It will be obvious to those skilled in the art that various modifications and refinements can be made without departing from the principle of the present invention, and such modifications and refinements also fall within the protection scope of the present invention.
Claims (9)
1. An identity authentication gateway integrated design method based on a CA certificate, characterized by comprising an identity authentication gateway design method and a load balancing design method, wherein in the identity authentication gateway design method the identity authentication gateway adopts a plurality of gateway devices in cluster deployment, is based on a CA digital certificate authentication system and uses a hardware feature code identifier to authenticate the authentication request sent by the access terminal device, and provides a plurality of security services for whole-network users when they access an application system through the identity authentication gateway; the load balancing design method comprises integrating two gateway load balancing devices located at the front end of the gateway devices and two application load balancing devices located at the rear end of the gateway devices to achieve effective sharing of identity authentication access requests, wherein the two gateway load balancing devices at the front end of the gateway devices and the two application load balancing devices at the rear end of the gateway devices are deployed in the main path, a dual-active mode is adopted between the two gateway load balancing devices, and a dual-active mode is adopted between the two application load balancing devices;
providing a plurality of security services for whole-network users accessing the application system through the identity authentication gateway comprises the following steps:
S1) the user accesses the URL of the identity authentication gateway through a browser, logs in to the identity authentication gateway with a cryptographic USBKey, and submits an authentication request;
S2) the gateway load balancing device polls the authentication request to one of the gateway devices according to the load balancing strategy, and the identity authentication gateway synchronizes the user's request session to all gateway devices configured in the cluster through the cluster service configuration;
S3) the gateway device that receives the authentication request requires the user to present the CA certificate for signature verification; the user enters the certificate PIN in a pop-up box in the browser page, and the identity authentication gateway reads the certificate information and authenticates the user's identity; it is judged whether the user identity authentication succeeded: if so, proceed to step S4); if not, return to step S1);
S4) after the user identity authentication succeeds, a communication link to the proxied application system is opened, and the identity authentication gateway sends the authenticated CA certificate information and the authentication-passed information to the proxied application system through the application load balancing devices located at the rear end of the plurality of gateway devices;
S5) after receiving the certificate information and the authentication-passed information sent by the identity authentication gateway, the proxied application system opens the page corresponding to the user's permissions, and the user performs single sign-on through that page.
2. The CA certificate-based identity authentication gateway integrated design method according to claim 1, wherein the plurality of security services comprise unified identity authentication, access control and/or single sign-on.
3. The CA certificate-based identity authentication gateway integrated design method according to claim 1, wherein in step S5) the proxied application system maintains the user's session information through a secure Cookie mechanism, so that the user does not need to authenticate again when logging in to the application system.
4. The CA certificate-based identity authentication gateway integrated design method according to claim 1 or 3, wherein the two gateway load balancing devices integrated at the front end of the plurality of gateway devices achieve effective sharing of identity authentication access requests as follows: the identity authentication gateway authentication port and the application access port address are each configured as real services of the gateway load balancing devices, the real services are added to a real service group, and an externally facing virtual service is then configured on the real service group; the gateway load balancing devices load-balance the identity authentication gateway devices at their rear end through a virtual IP address and, after receiving a user authentication request, send it to one of the rear-end gateway devices by a polling algorithm; the gateway load balancing devices detect the state of the gateway devices through a health detection mechanism and, when a gateway device is detected to be abnormal, automatically remove it from the polling nodes; the gateway load balancing devices ensure, through a session holding mechanism, that a user accesses the same gateway device within the session holding time; the two gateway load balancing devices ensure zero interruption of service through the dual-active mode; the two network ports of each gateway device in the identity authentication gateway cluster configuration are connected to the two gateway load balancing devices respectively, and both ports work simultaneously, sending and receiving data at the same time; when one network port of a gateway device fails, the gateway load balancing devices detect this and send data to the other network port of that gateway device.
5. The CA certificate-based identity authentication gateway integrated design method according to claim 4, wherein the two application load balancing devices integrated at the rear end of the plurality of gateway devices achieve effective sharing of identity authentication access requests as follows: the identity authentication gateway sends the authenticated CA certificate information and the authentication-passed information to one of a plurality of proxied application systems through the application load balancing devices at the rear end of the plurality of gateway devices; the application load balancing devices send the CA certificate information and the authentication-passed information to one of the proxied application systems by a polling algorithm, ensure through a session holding mechanism that a user accesses the same application system within the session holding time, and monitor the health of the proxied application systems in real time; when any one of the proxied application systems fails, the application load balancing devices switch the user's access request to another healthy application system in real time.
6. The CA certificate-based identity authentication gateway integrated design method according to claim 5, wherein the identity authentication gateway adopts a main-path authentication operating mode and a bypass authentication operating mode; the application systems used in the main-path authentication operating mode comprise a comprehensive management platform, a business and finance integration platform and/or office automation; the application system used in the bypass authentication operating mode comprises a NAS network disk system.
7. The CA certificate-based identity authentication gateway integrated design method according to claim 6, wherein the two gateway load balancing devices at the front end of the plurality of gateway devices and the two application load balancing devices at the rear end of the plurality of gateway devices are deployed in the main path, and the application systems used in the main-path deployment comprise a comprehensive management platform, a business and finance integration platform and/or office automation.
8. The CA certificate-based identity authentication gateway integrated design method according to claim 4, wherein the CA digital certificate authentication system is located on a CA certificate server, the CA certificate server is deployed in a security area according to the principle of network hierarchical domain division, the hardware feature code identifier comprises a MAC address and a hard disk serial number, and the real service comprises a server address, a server port, a service type, an application access control rule and a server role.
9. An identity authentication gateway integration system based on a CA certificate, characterized by comprising a plurality of access terminal devices, two gateway load balancing devices, an identity authentication gateway cluster, two application load balancing devices, a plurality of application area servers and a CA certificate server, wherein the identity authentication gateway cluster comprises a plurality of gateway devices; the access terminal devices are connected in turn to the two gateway load balancing devices through a plurality of network devices, the network devices comprising a plurality of access layer switches, a plurality of core layer switches and a firewall; each gateway device is connected to both application load balancing devices; the two application load balancing devices are each connected to the application area servers through application area switches; each application area server comprises a plurality of proxied application systems; and the CA certificate server comprises the CA digital certificate authentication system and is deployed in a security area according to the principle of network hierarchical domain division.
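The polling, health-detection and session-holding behaviour that steps (2), (3), (5) and (6) of the embodiment and claims 4 and 5 attribute to the gateway and application load balancing devices, modelled as an added Python example (not code from the patent or its applicant). The member names, the 60-second hold time and the clock values are constructed for the walk-through.

```python
# Added example, not code from the patent: one real service group behind a virtual IP,
# with polling (round-robin), health detection that removes an abnormal member from the
# polling set, and session holding. Names, hold time and clock values are constructed.
from dataclasses import dataclass

@dataclass
class RealService:
    name: str            # a gateway device or a proxied application system
    healthy: bool = True

class SessionHoldingBalancer:
    def __init__(self, members, hold_seconds, clock):
        self.members = list(members)  # the real service group behind one virtual IP
        self.hold = hold_seconds      # session holding time in seconds
        self.clock = clock            # injectable clock so the walk-through is deterministic
        self._rr = 0                  # polling (round-robin) cursor
        self._sessions = {}           # session id -> (member, time of last request)

    def health_check(self, probe):
        """Health detection: a member that fails the probe leaves the polling set."""
        for m in self.members:
            m.healthy = probe(m)

    def _poll_next(self):
        live = [m for m in self.members if m.healthy]
        if not live:
            raise RuntimeError("no healthy member in the real service group")
        chosen = live[self._rr % len(live)]
        self._rr += 1
        return chosen

    def select(self, session_id):
        """Return the name of the member that serves this request."""
        now = self.clock()
        held = self._sessions.get(session_id)
        if held is not None:
            member, last_seen = held
            # Session holding: stay on the same member while it is healthy and the hold is unexpired.
            if member.healthy and now - last_seen <= self.hold:
                self._sessions[session_id] = (member, now)
                return member.name
        member = self._poll_next()    # new session, expired hold, or failover after a fault
        self._sessions[session_id] = (member, now)
        return member.name

def demo():
    """Walk three constructed sessions through a three-gateway cluster."""
    now = [0.0]
    lb = SessionHoldingBalancer([RealService(n) for n in ("gw1", "gw2", "gw3")],
                                hold_seconds=60, clock=lambda: now[0])
    first = [lb.select(s) for s in ("s0", "s1", "s2")]  # polled in turn: gw1, gw2, gw3
    sticky = lb.select("s1")                             # held on gw2
    lb.health_check(lambda m: m.name != "gw2")          # gw2 detected abnormal
    failover = lb.select("s1")                           # s1 re-polled onto a healthy gateway
    now[0] = 120.0                                       # past the 60 s hold
    expired = lb.select("s2")                            # hold expired, so s2 is polled again
    return {"first": first, "sticky": sticky, "failover": failover, "expired": expired}
```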
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110179636.7A CN112953932B (en) | 2021-02-07 | 2021-02-07 | Identity authentication gateway integration design method and system based on CA certificate |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112953932A CN112953932A (en) | 2021-06-11 |
CN112953932B true CN112953932B (en) | 2022-12-20 |
Family ID: 76244897
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112953932B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114548904A (en) * | 2022-01-17 | 2022-05-27 | 北京思特奇信息技术股份有限公司 | CRM (customer relationship management) business handling method and system under user's knowledge |
CN118484311B (en) * | 2024-07-09 | 2024-09-27 | 天翼云科技有限公司 | Session synchronization device in high-performance load balancing cluster environment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7386721B1 (en) * | 2003-03-12 | 2008-06-10 | Cisco Technology, Inc. | Method and apparatus for integrated provisioning of a network device with configuration information and identity certification |
CN101330494A (en) * | 2007-06-19 | 2008-12-24 | 瑞达信息安全产业股份有限公司 | Method for implementing computer terminal safety admittance based on credible authentication gateway |
CN104468293A (en) * | 2014-11-28 | 2015-03-25 | 国家信息中心 | VPN access method |
CN109672612A (en) * | 2018-12-13 | 2019-04-23 | 中国电子科技集团公司电子科学研究院 | API gateway system |
CN110213246A (en) * | 2019-05-16 | 2019-09-06 | 南瑞集团有限公司 | A wide-area multi-factor authentication system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB03 | Change of inventor or designer information | Inventor after: Huo Ruicai; Huang Wei; He Shiwei; Sun Yahong. Inventor before: Huo Ruicai; Huang Wei; He Shiwei |
| GR01 | Patent grant | |