
Secure provision of administrable server in shared environment

IP.com Disclosure Number: IPCOM000247118D
Publication Date: 2016-Aug-08
Document File: 3 page(s) / 74K

Publishing Venue

The IP.com Prior Art Database

Abstract

This article describes a method to enable a user to provision an administrable server on provisioned infrastructure in such a way to enable the administrable server to start securely.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 48% of the total text.


An administrable server is any software component that allows a user to connect in order to manage or control it. When an administrable server starts for the first time it will be listening for administrative commands. Often, because of the control that is exposed via these administrative commands, it is necessary to allow them to be sent only over a secure link. This requires the requester (the sender of the administrative command) and the server to establish a secure connection by exchanging some credentials. The server must be configured with details of what credentials to expect. However, the server must already be running, listening for administrative commands, in order for this configuration to be done. There is therefore a window during which the server is unsecured.

This article describes a way to start the server in a secure mode immediately, and in such a way that only the person who has asked for the server knows the credentials.

There are some existing solutions, but each has limitations:

(1) The server starts with a hard-coded default that is known by everyone who has access to the public documentation of the server.

(2) The credentials are configured on the server before it is started, e.g. via a command line argument on the start command. This is fine if the person who starts the server is the same person who administers it. In a shared environment such as a PaaS or IaaS, this is unlikely to be the case, so at least one other person besides the administrator knows, or has the potential to know, the credentials. It also requires the infrastructure provider to have some knowledge of how to administer that particular server, and in many cases that is not true: the infrastructure provider simply provisions the operating system and starts the server.


(3) To avoid the issue in (2) where another human being knows the password, the installation and starting of the server, including choosing a random password and sending it to the server administrator, is scripted. This still has the issue that the infrastructure provider is required to know technical details of how to do (or write a script to do) administrative tasks, such as configuring initial credentials, on all servers that it supports. In cases where the infrastructure provider simply wants to run a binary executable and provide the server administrator with a host name, this approach is not appropriate.

(4) Installation and provisioning are automated, and the server administrator configures that automation by providing a script that includes the command line arguments required to initialise the credentials on start-up. This is fine if that process is trusted to be secure enough that no human can ever gain access to the credentials that were provided. In some cases it is not appropriate for the server administrator to assume that level of trust from the infrastructure provider. In some cases, the inf...
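The unsecured start-up window from the problem statement, and the scripted random-credential approach of existing solution (3), are easy to see side by side in a small simulation. The following Python is an added example written for this page; it is not code from the disclosure, and the `AdminServer` class, its `set-credential` command and the `scripted_startup` launcher are constructed stand-ins for a real administrable server and its start script. It models only the ordering of "listen" versus "configure credential" and nothing of a real protocol.

```python
import hmac
import secrets


class AdminServer:
    """Toy administrable server (constructed for this example).

    Models only the startup ordering discussed above: the server listens for
    administrative commands, and a credential must be configured before those
    commands can be restricted to an authenticated requester.
    """

    def __init__(self, credential=None):
        self.credential = credential  # None means "not yet configured"
        self.listening = False
        self.log = []  # record of accepted commands, for inspection

    def start(self):
        self.listening = True

    def handle(self, presented, command):
        """Process one administrative command from a requester.

        `presented` is the credential the requester offers (None if none).
        Returns a short status string describing what happened.
        """
        if not self.listening:
            raise RuntimeError("server is not listening")
        if self.credential is None:
            # The unsecured window: no credential exists yet, so the server
            # cannot distinguish the legitimate administrator from anyone else
            # who reaches the listening port first.
            if command.startswith("set-credential "):
                self.credential = command.split(" ", 1)[1]
                self.log.append(("unauthenticated", command))
                return "credential set by unauthenticated requester"
            self.log.append(("unauthenticated", command))
            return "executed without authentication"
        if presented is None or not hmac.compare_digest(presented, self.credential):
            return "rejected"
        self.log.append(("authenticated", command))
        return "executed"


def insecure_startup():
    """Pattern from the problem statement: start first, configure later."""
    server = AdminServer()
    server.start()  # listening with no credential configured
    return server   # window stays open until someone sends set-credential


def scripted_startup():
    """Pattern of existing solution (3): the launcher chooses a random
    credential and hands it to the server before the server listens.

    The credential is returned so the launcher can deliver it to the server
    administrator. Whoever runs this launcher (the infrastructure provider,
    in a shared environment) also sees it, which is the trust limitation the
    disclosure raises for solutions (2), (3) and (4).
    """
    credential = secrets.token_urlsafe(32)
    server = AdminServer(credential=credential)
    server.start()  # listening, but only the credential holder is accepted
    return server, credential


def window_is_open(server):
    """True if the server currently accepts commands without authentication."""
    return server.listening and server.credential is None


if __name__ == "__main__":
    first = insecure_startup()
    print("insecure startup, window open:", window_is_open(first))
    print("  unauthenticated command:", first.handle(None, "shutdown"))

    second, cred = scripted_startup()
    print("scripted startup, window open:", window_is_open(second))
    print("  unauthenticated command:", second.handle(None, "shutdown"))
    print("  with credential:", second.handle(cred, "shutdown"))
```

`window_is_open` is the check a defender would want to run against a freshly provisioned instance: if it is true after start-up, whoever connects first can both run commands and choose the credential that everyone else will then have to present. The constant-time `hmac.compare_digest` is used for the credential comparison so the toy does not introduce a timing side channel of its own.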