
CN107819628B - An authentication server escape system and method based on reciprocal loop backup - Google Patents


Info

Publication number
CN107819628B
Authority
CN
China
Prior art keywords
server
backup
authentication
servers
escape
Legal status (as listed by Google; an assumption, not a legal conclusion)
Expired - Fee Related
Application number
CN201711134808.9A
Other languages
Chinese (zh)
Other versions
CN107819628A (en)
Inventor
岳宝强
魏洪昌
黄倩
张永超
李绵鹏
徐子瞬
Current Assignee (as listed by Google; the list may be inaccurate)
State Grid Shandong Electric Power Co Ltd
Jinan Power Supply Co of State Grid Shandong Electric Power Co Ltd
Linyi Power Supply Co of State Grid Shandong Electric Power Co Ltd
Shandong Luneng Software Technology Co Ltd
Taian Power Supply Co of State Grid Shandong Electric Power Co Ltd
Liaocheng Power Supply Co of State Grid Shandong Electric Power Co Ltd
Qufu Power Supply Co of State Grid Shandong Electric Power Co Ltd
Original Assignee
Same seven entities as the current assignees listed above.
Application filed by State Grid Shandong Electric Power Co Ltd, Jinan Power Supply Co of State Grid Shandong Electric Power Co Ltd, Linyi Power Supply Co of State Grid Shandong Electric Power Co Ltd, Shandong Luneng Software Technology Co Ltd, Taian Power Supply Co of State Grid Shandong Electric Power Co Ltd, Liaocheng Power Supply Co of State Grid Shandong Electric Power Co Ltd, Qufu Power Supply Co of State Grid Shandong Electric Power Co Ltd
Priority to CN201711134808.9A
Publication of CN107819628A
Application granted
Publication of CN107819628B
Current legal status: Expired - Fee Related
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L 41/0668 Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L 67/1004 Server selection for load balancing
    • H04L 67/1008 Server selection for load balancing based on parameters of servers, e.g. available memory or workload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to an authentication server ring escape system comprising a server group S = {S1, S2, ..., SN} of N interconnected authentication servers. Every authentication server Si in S has a first backup server Sj and a second backup server Sk within S; in addition, every Si is itself the first backup server of some authentication server Sp in S and the second backup server of some authentication server Sq. The first backup relationships of all authentication servers in S form a ring, and the second backup relationships form the inverse of that ring. The escape system and method restore business applications quickly and improve resilience to disasters while reducing the topological complexity of the escape system.

Description

An authentication server escape system and method based on reciprocal loop backup

Technical field

The invention relates to the technical field of authentication servers, and in particular to an authentication server escape method and system.

Background

With social development and technical progress, computer networks play an increasingly important role in daily life. An authentication server is an important node in a network system, and the security of the authentication server network is increasingly prominent. For example, the authentication network of a power grid uses 802.1X authentication, which is usually deployed as a dual-machine hot standby pair: if one authentication server fails, the remaining authentication server takes over from the failed device and provides the corresponding service; if both authentication servers are down, the escape server is started.

However, in current power communication networks the two authentication servers and the escape server are generally located in the same physical equipment room (for example the equipment room of the same county or city unit), so when conditions in that room deteriorate the authentication servers and the escape server lose all or part of their working capacity together, which seriously affects the continuity of network communication. Moreover, to keep network communication flowing, the power network needs at least three servers for the authentication and escape functions, namely an authentication server, a backup authentication server and an escape server, which makes authentication costly.

The technical solution described in State Grid patent application No. 201710388516.1, entitled "An authentication server ring escape system and method", effectively improves the risk resistance of an authentication server system and allows service to be restored quickly when an authentication server is hit. However, both the topology of the server group S and the configuration of the escape strategy in that solution are relatively complex and somewhat difficult to implement.

The entire content of patent application No. 201710388516.1 is incorporated into this application.

Summary of the invention

To solve the above problems, the invention provides an authentication server ring escape system comprising a server group S = {S1, S2, ..., SN} of N interconnected authentication servers. Every authentication server Si in S has a first backup server Sj and a second backup server Sk within S; in addition, every Si is itself the first backup server of some authentication server Sp in S and the second backup server of some authentication server Sq. The first backup relationships of all authentication servers in S form a ring, and the second backup relationships form the inverse of that ring. The escape system and method restore business applications quickly and improve resilience to disasters while reducing the topological complexity of the escape system.

The invention also provides an authentication server ring escape method.

Description of drawings

Fig. 1 is a schematic structural diagram of the authentication server ring escape system;

Fig. 2 is a flowchart of the method for authenticating a device that requests network access using the authentication servers.

Detailed description

To make the objects, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings. This description presents, by way of illustration and not limitation, specific embodiments consistent with the principles of the invention, in enough detail to enable those skilled in the art to practice it; other embodiments may be used, and the structure of elements may be changed or substituted, without departing from the scope and spirit of the invention. The following detailed description is therefore not to be read in a limiting sense.

As shown in Fig. 1, according to one aspect of the invention, an authentication server ring escape system comprises a server group S = {S1, S2, ..., SN} of N (for example N >= 3, preferably N >= 6) interconnected authentication servers S1, S2, ..., SN.

The schematic diagram of Fig. 1 shows only the case of six authentication servers (N = 6), and the detailed description likewise uses six authentication servers as its main example, but those skilled in the art will understand that escape systems realized with other values of N also fall within the protection scope of the invention.

Every authentication server Si in the server group S has a first backup server Sj and a second backup server Sk within S; in addition, every Si is the first backup server of some authentication server Sp in S and the second backup server of some authentication server Sq. Taking the authentication server S2 of Fig. 1 as an example: S2 has S3 as its first backup server (solid arrow) and S1 as its second backup server (dashed arrow), and S2 is at the same time the first backup server of S1 and the second backup server of S3.

The first backup relationships of all authentication servers in S form a ring, and the second backup relationships form the inverse of that ring. In Fig. 1 the first backup relationship is the ring drawn with solid lines, {S1, S2, S3, S4, S5, S6, S1}, and the second backup relationship is the ring drawn with dashed lines, {S1, S6, S5, S4, S3, S2, S1}. The second ring is evidently the inverse of the first.

As a general requirement, then, Sj and Sk are different authentication servers, Sj and Sq are the same authentication server, and Sk and Sp are the same authentication server. For the authentication server S2 of Fig. 1, the four related servers S3, S1, S1 and S3 satisfy these relationships.

According to the invention, the N authentication servers are physically separated by a certain distance. In the example of Fig. 1, the six authentication servers of a power communication network can be placed in equipment rooms in six different regions. When an authentication server (say S2) fails, the terminals assigned to S2 can be migrated to its first backup server S3 or its second backup server S1 for authentication; because S2, S3 and S1 are located in three different regions, the probability that they fail at the same time (through a power outage or a hardware or software fault, for example) is very low, which preserves the continuity of terminal network communication. Furthermore, since every authentication server (say S2) has two backup servers, a terminal that would normally be authenticated by S2 can be authenticated by any of the three servers S2, S3 and S1, so the loss of any two authentication servers in the ring escape system does not affect authentication.
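As an added illustration (not code from the patent), the following Python model builds the reciprocal ring described above, numbers the servers 1..N as in Fig. 1, and checks the stated properties by brute force: that each server's two backups differ, that every server is the first backup of exactly one server and the second backup of exactly one, that the second relation is the inverse of the first, and that any two simultaneous failures leave every failed server with a live backup. It also reports the first triple of failures for which that no longer holds, which is the situation the escape server exists for. The class and method names are this example's own.

```python
"""Reciprocal-ring backup topology for N authentication servers (added example)."""
from itertools import combinations


class RingEscapeSystem:
    """Server group S = {S1..SN}: the first-backup relation is the ring
    S1 -> S2 -> ... -> SN -> S1 and the second-backup relation is its inverse."""

    def __init__(self, n):
        if n < 3:
            raise ValueError("the ring needs at least three servers")
        self.n = n

    # Servers are numbered 1..N as in the patent's Fig. 1.
    def first_backup(self, i):
        return i % self.n + 1          # S_i -> S_(i+1), S_N -> S_1

    def second_backup(self, i):
        return (i - 2) % self.n + 1    # S_i -> S_(i-1), S_1 -> S_N

    def backups(self, i):
        return (self.first_backup(i), self.second_backup(i))

    def has_backup_relation(self, i, j):
        """True when S_j is the first or second backup server of S_i
        (equivalently, S_i and S_j are adjacent on the ring)."""
        return j in self.backups(i)

    def check_reciprocity(self):
        """Verify the structural claims: the two backups of each server differ,
        every server is the first backup of exactly one server and the second
        backup of exactly one, and the second relation inverts the first."""
        servers = range(1, self.n + 1)
        firsts = [self.first_backup(i) for i in servers]
        seconds = [self.second_backup(i) for i in servers]
        if any(self.first_backup(i) == self.second_backup(i) for i in servers):
            return False
        if sorted(firsts) != list(servers) or sorted(seconds) != list(servers):
            return False
        # S_j is S_i's first backup  <=>  S_i is S_j's second backup
        return all(self.second_backup(self.first_backup(i)) == i for i in servers)

    def live_backups(self, i, down):
        """Backup servers of S_i that are still up, given the failed set."""
        return [b for b in self.backups(i) if b not in down]

    def survives_any_two_failures(self):
        """Brute-force check of the claim that losing any two servers leaves
        every failed server with at least one live backup server."""
        servers = range(1, self.n + 1)
        for down in combinations(servers, 2):
            for i in down:
                if not self.live_backups(i, set(down)):
                    return False
        return True

    def first_unrecoverable_triple(self):
        """First triple of simultaneous failures (in numeric order) for which
        some failed server has no live backup, i.e. the escape server is needed."""
        servers = range(1, self.n + 1)
        for down in combinations(servers, 3):
            for i in down:
                if not self.live_backups(i, set(down)):
                    return down
        return None


if __name__ == "__main__":
    ring = RingEscapeSystem(6)
    print("S2 backups (first, second):", ring.backups(2))
    print("reciprocal ring:", ring.check_reciprocity())
    print("any two failures survivable:", ring.survives_any_two_failures())
    print("first triple needing the escape server:", ring.first_unrecoverable_triple())
```

For N = 6 the model confirms the text's claim for every pair of failures, and shows that the first triple in which a server loses both backups is {S1, S2, S3}, i.e. three consecutive servers on the ring; this is exactly the case the method's step S500 handles by starting the escape server.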

In one implementation of the invention, an authentication server (S2) has two network interface cards. The first card carries the traffic for authenticating S2's own terminals; the second card is virtualized into two virtual interfaces, the first of which carries the traffic when S2 authenticates the terminals of the server for which it is the first backup (S1), and the second the traffic when S2 authenticates the terminals of the server for which it is the second backup (S3). With this design each physical equipment room needs only one server with two network cards. Normally each authentication server carries the load of the terminals in its own region and is used as a backup only occasionally, so no separate backup server is needed, which saves cost without sacrificing performance.

The ring escape system of the invention also includes an escape server. When a large-scale, systemic failure of authentication servers occurs in the server group S, the escape server is started and lets the terminals that cannot be authenticated "escape" (that is, it modifies the permissions on the network node devices so that the terminals may log in to the LAN or the Internet directly without authentication). Clearly, a single escape server suffices for the N authentication servers of S.

According to the invention, the communication paths between the authentication servers of S are P = {p1, p2, ..., pN}, each path pi connecting two authentication servers. In Fig. 1, for example, p1 may be the path between S1 and S2, p2 the path between S2 and S3, and so on.

The communication speeds of the paths in P = {p1, p2, ..., pN} are B = {b1, b2, ..., bN}. As those skilled in the art know, communication speed may be characterized by any one, or a weighted combination, of the network bandwidth between the authentication servers, the number of network hops, and the average network transmission speed over a particular historical period.

The physical distances between the authentication servers are D = {d1, d2, ..., dN}; preferably the physical distance is the straight-line distance in space.

According to the invention, when the backup relationships of the server group S are configured, the first and second backup relationships should be constructed, on the basis of the communication speeds B and the physical distances D, so that the weighted weight W of the communication paths making up the ring and the inverse ring is as high as possible, which in actual operation keeps the number of authentication servers that are down at the same time to a minimum. Since the communication speed B and the physical distance D are the same in both directions, the weighted weight of the ring's paths and that of the inverse ring's paths are identical.

According to the invention, the weighted weight W is given by

where min(D) and max(D) are the minimum and maximum physical distance between any two servers in S, and min(B) is the minimum communication speed between any two servers in S.

According to the invention, because communication speed B and physical distance D have different physical units, they are first normalized by the functions f1 and f2 before use, so that the values of B and D are confined to the range [1, 2], which simplifies the subsequent operations.

According to the invention, first-class authentication servers are those prone to outages caused by natural conditions, for example (but not limited to) servers located in an earthquake fault zone, a flood discharge area or an area prone to landslides; second-class authentication servers are those not prone to such outages.

The first- and second-class authentication servers are designated by the user, for example by experts, or are determined automatically by the ring escape system, for example from statistics on historical earthquakes, floods and other natural disasters, or by comparing the geographical location of each server with the locations of earthquake fault zones and flood discharge areas.

According to the invention, first-class authentication servers should as far as possible not form backup relationships with one another, so if a communication path pi connects two first-class authentication servers its weight is set low; furthermore, in the invention the weight of such a path depends only on its physical distance, so that the two authentication servers it connects are as unlikely as possible to fail at the same time. Correspondingly, a first-class and a second-class authentication server should as far as possible form a backup relationship, so a path connecting a first-class and a second-class server is given a higher weight, and that weight is positively correlated with the communication speed, so that when an authentication server fails its terminals are migrated to the backup server as quickly as possible. Finally, for two second-class authentication servers the main consideration is rapid migration on failure, so communication speed is the primary basis of the weight, fine-tuned according to the distance between the two servers so as to avoid, to some degree, placing them so close together that the same natural conditions disturb both.
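Added example, not the patent's own code: the ring-selection step as the text describes it, normalizing the speed and distance tables to [1, 2] and then exhaustively searching the Hamiltonian cycles of the six servers for the one with the largest total path weight. This is the general form of the selection that the text states only as a goal. The page does not reproduce the formula for W, so path_weight() below is an illustrative stand-in that only follows the qualitative rules above (both servers first-class: low weight, distance only; mixed: higher, rising with speed; both second-class: speed first, distance as a small correction), and the affine form of normalize() is likewise an assumption; the speed and distance figures and the server classes are constructed sample data.

```python
"""Choosing the backup ring: normalize B and D to [1, 2], then pick the
Hamiltonian cycle of maximum total path weight (added example)."""
from itertools import permutations

FRAGILE, ROBUST = 1, 2   # first-class (disaster-prone) / second-class server


def normalize(values):
    """Map a table of measurements onto [1, 2] (the f1/f2 step). The affine
    form is an assumption; the patent text only states the target range."""
    lo, hi = min(values.values()), max(values.values())
    if hi == lo:
        return {k: 1.0 for k in values}
    return {k: 1.0 + (v - lo) / (hi - lo) for k, v in values.items()}


def path_weight(b, d, class_i, class_j):
    """Illustrative stand-in for the patent's W (formula not reproduced on the
    page), encoding only its qualitative rules. b and d are already in [1, 2]."""
    if class_i == FRAGILE and class_j == FRAGILE:
        return 0.5 * d            # low weight, distance only
    if class_i != class_j:
        return 2.0 + b            # preferred pairing, rising with speed
    return b + 0.25 * d           # speed dominates, distance fine-tunes


def cycle_weight(cycle, weights):
    """Sum of path weights around a closed ring; weights is keyed by the
    unordered pair, so the inverse ring scores the same."""
    edges = zip(cycle, cycle[1:] + cycle[:1])
    return sum(weights[frozenset(e)] for e in edges)


def best_ring(weights, servers):
    """Exhaustive search over Hamiltonian cycles, fixing the first server and
    scoring one of each mirror pair (the mirror is the inverse ring).
    For N = 6 that is 5!/2 = 60 candidates."""
    first, rest = servers[0], servers[1:]
    best, best_w = None, float("-inf")
    for perm in permutations(rest):
        if perm[0] > perm[-1]:          # skip the reverse of a cycle already seen
            continue
        cycle = [first, *perm]
        w = cycle_weight(cycle, weights)
        if w > best_w:
            best, best_w = cycle, w
    return best, best_w


def build_weights(speed, dist, classes):
    """Weight of every candidate path from raw speeds/distances and classes."""
    nb, nd = normalize(speed), normalize(dist)
    return {p: path_weight(nb[p], nd[p], classes[min(p)], classes[max(p)])
            for p in speed}


# Constructed sample: six sites, a speed (Mbit/s) and distance (km) per pair.
SERVERS = [1, 2, 3, 4, 5, 6]
CLASSES = {1: ROBUST, 2: FRAGILE, 3: ROBUST, 4: ROBUST, 5: FRAGILE, 6: ROBUST}
SPEED, DIST = {}, {}
for i in SERVERS:
    for j in SERVERS:
        if i < j:
            SPEED[frozenset((i, j))] = 100.0 + 17 * ((i * j) % 7)
            DIST[frozenset((i, j))] = 40.0 * abs(i - j) + 10 * ((i + j) % 3)

if __name__ == "__main__":
    ring, w = best_ring(build_weights(SPEED, DIST, CLASSES), SERVERS)
    print("first backup ring:", " -> ".join(f"S{s}" for s in ring + ring[:1]))
    print("second backup ring:", " -> ".join(f"S{s}" for s in ring[::-1] + ring[-1:]))
    print("total weight:", round(w, 3))
```

The returned cycle is the first backup ring and its reverse is the second, which is why only one of each mirror pair of cycles needs scoring. The exhaustive search grows as (N-1)!/2, so for rings much larger than the six servers of the example a max-weight Hamiltonian cycle heuristic would be needed; the text does not describe one.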

Compared with the background patent application No. 201710388516.1, the ring escape system of the invention has, on the one hand, a one-to-one correspondence between the ring and the inverse ring, which simplifies the topology; on the other hand, when the ring backup relationships are determined, the weighted weight emphasizes avoiding several authentication servers failing at the same time, whereas the background application emphasizes only the speed of migration from a failed server to its backup.

As shown in Fig. 2, the invention also provides a method of ring escape using the ring escape system described above, comprising the following steps:

Step S100: determine how many authentication servers of the server group are down at the same time. If none is down, go to step S200; if one is down, go to step S300; if two are down, go to step S400; if three are down, go to step S500; if four or more are down, go to step S600.

Step S200: each authentication server authenticates its own terminals.

Step S300: migrate the terminals of the failed authentication server Se to whichever of Se's first and second backup servers has the smaller load, for authentication there. If one authentication server is down, say S2, the terminals of S2 are migrated to whichever of the first backup server S3 and the second backup server S1 has the smaller load; once S2 is back in service, the terminals are migrated back to S2. The load is the number of terminals being authenticated through an authentication server.

Those skilled in the art know that many existing techniques can be used to migrate terminals, so the invention does not describe how migration is performed. They also know that load may be judged by rated load, by actual load, or by the difference between rated and actual load; preferably it is judged by actual load, i.e. whichever of S3 and S1 has the smaller actual load receives S2's migrated terminals.

步骤S400,判断宕机的认证服务器Se和Sf是否具备备份关系,即Se是第一或第二备份服务器是Sf;如果存在备份关系,则将Se和Sf的终端分别迁移到不同于Se和Sf的备份服务器中进行认证;如果不存在备份关系,则执行步骤S450。仍以图1为例说明,例如当S1和S2宕机时,简单的,S1对应的终端无法迁移到S2(因为S2也宕机),S2对应的终端也无法迁移到S1(因为S1也宕机),因此,只能够将S1对应的终端迁移到S6,S2对应的终端迁移到S3。Step S400, judging whether the downtime authentication servers S e and S f have a backup relationship, that is, Se is the first or the second backup server is S f ; if there is a backup relationship, then migrate the terminals of Se and S f to Authentication is performed in a backup server different from S e and S f ; if there is no backup relationship, execute step S450. Still take Figure 1 as an example. For example, when S1 and S2 are down, simply, the terminal corresponding to S1 cannot be migrated to S2 (because S2 is also down), and the terminal corresponding to S2 cannot be migrated to S1 (because S1 is also down. machine), therefore, only the terminal corresponding to S1 can be migrated to S6, and the terminal corresponding to S2 can be migrated to S3.

步骤S450,将Se的终端迁移到Se的第一、二备份服务器中负载量较小的备份服务器中进行认证,将Sf的终端迁移到Sf的第一、二备份服务器中负载量较小的备份服务器中进行认证。仍以图1为例说明,例如当S1和S4宕机时,S1可选择S2和S6进行迁移,S4可以选择S3和S5进行迁移。与步骤S300中的方式类似,在S2和S6中选择负载量较小的作为S1的迁移对象,在S3和S5中选择负载量较小的作为S4的迁移对象,以进一步达到负载平衡。Step S450, migrate the terminal of S e to the backup server with a smaller load among the first and second backup servers of S e for authentication, and migrate the terminal of S f to the first and second backup servers of S f Authentication is performed on a smaller backup server. Still taking Figure 1 as an example, for example, when S1 and S4 are down, S1 can choose S2 and S6 for migration, and S4 can choose S3 and S5 for migration. Similar to the method in step S300, the one with a smaller load is selected as the migration object of S1 in S2 and S6, and the one with a smaller load is selected as the migration object of S4 in S3 and S5, so as to further achieve load balance.

根据本发明的一个方面,优选的,在步骤S450中还进行以下步骤:According to one aspect of the present invention, preferably, the following steps are also performed in step S450:

判断认证服务器Se和Sf是否具有相同的备份服务器,如果没有(例如S1和S4宕机),则按照上述处理方式进行处理;如果有相同的备份服务器,例如S1和S3宕机时,S1的第一备份服务器和S3的第二部分服务器均为S2。如果S2的负载量即小于S1的第二备份服务器S6,又小于S3的第一备份服务器S4,则容易将S1和S3的终端均迁移到S2,从而使得S2的负载量过大。Judging whether the authentication servers S e and S f have the same backup server, if not (for example, S1 and S4 are down), then proceed according to the above processing method; if there are the same backup servers, for example, when S1 and S3 are down, S1 The first backup server of S3 and the second part server of S3 are both S2. If the load of S2 is smaller than the second backup server S6 of S1 and smaller than the first backup server S4 of S3, it is easy to migrate the terminals of S1 and S3 to S2, thereby making the load of S2 too large.

因此,在这种情况下,本发明优选的要求Se和Sf迁移的备份服务器不是同一个备份服务器。一种可选的方式是,S2的负载量即小于S1的第二备份服务器S6,又小于S3的第一备份服务器S4时,将Se和Sf(该例子中即S1和S3)中随机选择一个(例如S1)的终端迁移到S2,另一个(例如S3)的终端迁移到S4。但是优选的,获取Se和Sf(该例子中即S1和S3)的历史负载量,将历史负载量较大的一个认证服务器的终端迁移到S2,从而使得逃生系统的整体负载更为均衡。Therefore, in this case, the present invention preferably requires that the backup servers for migration of S e and S f are not the same backup server. An optional way is that, when the load of S2 is less than the second backup server S6 of S1, and smaller than the first backup server S4 of S3, the load of S e and S f (that is, S1 and S3 in this example) is randomly selected. Select one terminal (such as S1) to migrate to S2, and another terminal (such as S3) to migrate to S4. But preferably, obtain the historical loads of S e and S f (ie S1 and S3 in this example), and migrate the terminal of an authentication server with a larger historical load to S2, so that the overall load of the escape system is more balanced .

根据本发明的一个方面,对三台认证服务器同时宕机的处理过程如下:According to one aspect of the present invention, the processing process of simultaneous downtime of three authentication servers is as follows:

步骤S500,获得宕机的认证服务器集合{Su、Sv、Sw},如果宕机的某个认证服务器Su的第一、第二备份服务器Sv、Sw均宕机(例如S1,S2,S3均宕机,此时S2的第一、二备份服务器S1和S3均宕机),则启动逃生服务器,对Su对应的终端进行逃生操作,并将Sv、Sw对应的终端分别迁移到相应的认证服务器;否则执行步骤S520。Step S500, obtain the downtime authentication server set {S u , S v , S w }, if the first and second backup servers S v , S w of a certain downtime authentication server Su are down (such as S1 , S2, S3 are both down, and at this time the first and second backup servers S1 and S3 of S2 are both down), then start the escape server, perform an escape operation on the terminal corresponding to Su , and transfer the terminal corresponding to S v , S w The terminals are respectively migrated to corresponding authentication servers; otherwise, step S520 is performed.

步骤S520,如果{Su、Sv、Sw}中存在具备备份关系的认证服务器{Su、Sv},则将Su和Sv的终端分别迁移到不同于Su和Sv的备份服务器中进行认证;将Sw的终端迁移到Sw的第一、二备份服务器中负载量较小的备份服务器中进行认证;否则执行步骤S540。例如S1,S2和S5宕机,由于S1和S2之间具备备份关系,因此只能将S1的终端迁移到S6,S2的终端迁移到S3,S5则选择S4和S6中负载较小的进行迁移。Step S520, if there is an authentication server {S u , S v } with a backup relationship in { S u , S v , S w }, then migrate the terminals of Su and S v to different The authentication is performed in the backup server; the terminal of S w is migrated to the backup server with a smaller load among the first and second backup servers of S w for authentication; otherwise, step S540 is performed. For example, S1, S2, and S5 are down. Since there is a backup relationship between S1 and S2, the terminal of S1 can only be migrated to S6, the terminal of S2 can be migrated to S3, and S5 will choose the one with the lighter load among S4 and S6 for migration. .

Step S540: migrate the terminals of each server in {Su, Sv, Sw} to whichever of that server's first and second backup servers carries the smaller load.

According to another preferred aspect of the invention, since the probability of three authentication servers in the ring escape system failing at the same time is extremely small, step S500 may instead simply start the escape server and perform the escape operation for the terminals of the failed authentication servers, so that all terminals can access the network.

Finally, if four or more authentication servers are judged to be down, step S600 is executed: the escape server is started and the escape operation is performed for the terminals of the failed authentication servers, so that all terminals can access the network.

The method disclosed in the invention comprises one or more steps for achieving the purpose of the invention, and the method steps may be interchanged with one another without departing from the scope of the invention. In other words, unless a particular order of steps is required for the normal operation of an embodiment, the order of specific steps may be modified without departing from the spirit and scope of the invention. Although the invention has mainly been described in terms of specific embodiments and applications, those skilled in the art will understand that the invention is not limited thereto. Modifications, variations and alterations to the disclosed methods and systems that are obvious to those skilled in the art do not depart from the spirit and scope of the invention.

Claims (4)

1. An authentication server ring escape system, comprising a server group S = {S1, S2, ..., SN}, the server group S comprising N mutually connected authentication servers S1, S2, ..., SN, where N >= 6; every authentication server Si in the server group S has a first backup server Sj and a second backup server Sk in the server group S, and is itself the first backup server of some authentication server Sp in the server group S and the second backup server of some authentication server Sq; characterised in that: the first backup relationships of all authentication servers in the server group S form a ring, and the second backup relationships form the inverse ring of the first backup relationships; the ring escape system further comprises an escape server for performing escape for terminals that the server group S cannot authenticate; wherein the communication connection paths between the authentication servers in the server group S are P = {p1, p2, ..., pN}, the communication speeds of the communication connection paths are B = {b1, b2, ..., bN}, and the physical distances between the authentication servers are D = {d1, d2, ..., dN}; the ring and inverse ring formed by the first and second backup relationships are those for which the weighted weight W takes its highest value; where min(D) and max(D) are the minimum and maximum physical distance between any two servers in the server group S, and min(B) is the minimum communication speed between any two servers in the server group S; authentication servers of the first class are those prone to failure through interference from natural conditions, and authentication servers of the second class are those not prone to failure through interference from natural conditions, the first and second classes being designated by the user or determined automatically by the ring escape system.

2. A method of ring escape using the ring escape system of claim 1, characterised by comprising the following steps:
Step S100: determine how many authentication servers in the server group are down at the same time; if none is down, go to step S200; if one is down, go to step S300; if two are down, go to step S400;
Step S200: each authentication server authenticates its own terminals;
Step S300: migrate the terminals of the failed authentication server Se to whichever of Se's first and second backup servers carries the smaller load;
Step S400: determine whether the failed authentication servers Se and Sf stand in a backup relationship; if they do, migrate the terminals of Se and Sf to backup servers other than Se and Sf for authentication; if they do not, go to step S450;
Step S450: migrate the terminals of Se to whichever of Se's first and second backup servers carries the smaller load, and migrate the terminals of Sf to whichever of Sf's first and second backup servers carries the smaller load.

3. The ring escape method of claim 2, characterised in that step S100 further comprises: if three authentication servers are judged to be down, go to step S500;
Step S500: obtain the set of failed authentication servers {Su, Sv, Sw}; if the first and second backup servers Sv and Sw of some failed authentication server Su are both down, start the escape server, perform the escape operation for the terminals of Su, and migrate the terminals of Sv and Sw to backup servers other than Su for authentication; otherwise, go to step S520;
Step S520: if {Su, Sv, Sw} contains a pair of authentication servers {Su, Sv} that stand in a backup relationship, migrate the terminals of Su and Sv to backup servers other than Su and Sv for authentication, and migrate the terminals of Sw to whichever of Sw's first and second backup servers carries the smaller load; otherwise, go to step S540;
Step S540: migrate the terminals of each server in {Su, Sv, Sw} to whichever of that server's first and second backup servers carries the smaller load.

4. The ring escape method of claim 3, characterised in that step S100 further comprises: if four or more authentication servers are judged to be down, go to step S600;
Step S600: start the escape server and perform the escape operation for the terminals of the failed authentication servers, so that all of those terminals can access the network.
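The failover policy of steps S300 through S600 (described above and restated in claims 2 to 4), written out as an added worked example; this is illustrative code, not the patent's own implementation. It assumes N = 6 servers numbered 1 to 6, with S_(i+1) as the first backup of S_i and S_(i-1) as the second (the ring and inverse ring of claim 1, consistent with the page's S1/S6 and S3/S4 examples), constructed load and historical-load figures, a lower server index as the tie-breaker, and the string "ESCAPE" as a marker for terminals handed to the escape server. It also applies the preferred refinement from the description: two failed servers are never sent to the same backup, and the one with the larger historical load keeps the lighter backup.

```python
# Added illustration of the ring-backup failover policy (not the patent's code).
# Assumptions (not in the patent text): N = 6 servers numbered 1..6; the first
# backup of S_i is S_(i+1) and the second backup is S_(i-1), wrapping around the
# ring; loads and historical loads are constructed numbers; ties are broken by
# the lower server index; "ESCAPE" marks terminals handed to the escape server.
from dataclasses import dataclass, field

ESCAPE = "ESCAPE"


@dataclass
class RingEscapeSystem:
    n: int                                       # number of authentication servers (N >= 6)
    load: dict                                   # current load per server index
    history: dict = field(default_factory=dict)  # historical load per server index

    # --- backup topology: ring for the first backup, inverse ring for the second ---
    def first_backup(self, i):
        return i % self.n + 1                    # S_i -> S_(i+1), S_N -> S_1

    def second_backup(self, i):
        return (i - 2) % self.n + 1              # S_i -> S_(i-1), S_1 -> S_N

    def backups(self, i):
        return (self.first_backup(i), self.second_backup(i))

    def has_backup_relation(self, a, b):
        """Two servers 'have a backup relationship' when one backs up the other."""
        return b in self.backups(a) or a in self.backups(b)

    def lighter(self, candidates):
        """The candidate with the smaller current load (lower index on a tie)."""
        return min(candidates, key=lambda s: (self.load[s], s))

    def live_backup(self, s, down):
        """The backup of s that is not itself down (used by S400, S500 and S520)."""
        return [b for b in self.backups(s) if b not in down][0]

    # --- failover plan: maps each failed server to where its terminals go ---
    def plan(self, down):
        down = set(down)
        if not down:                                   # S200: normal operation
            return {}
        if len(down) == 1:                             # S300
            (e,) = down
            return {e: self.lighter(self.backups(e))}
        if len(down) == 2:                             # S400 / S450
            e, f = sorted(down)
            if self.has_backup_relation(e, f):
                return {e: self.live_backup(e, down), f: self.live_backup(f, down)}
            pick = {s: self.lighter(self.backups(s)) for s in (e, f)}
            if pick[e] == pick[f]:
                # Preferred refinement: never send both to the same backup; the
                # server with the larger historical load keeps the lighter one.
                shared = pick[e]
                keeper = max((e, f), key=lambda s: (self.history.get(s, 0), -s))
                other = f if keeper == e else e
                pick[other] = [b for b in self.backups(other) if b != shared][0]
            return pick
        if len(down) == 3:
            # S500: a server whose two backups are both down (three in a row)
            for u in sorted(down):
                if all(b in down for b in self.backups(u)):
                    out = {u: ESCAPE}
                    for s in down - {u}:
                        out[s] = self.live_backup(s, down)
                    return out
            # S520: a pair in a backup relationship plus one independent server
            for u in sorted(down):
                for v in sorted(down):
                    if u < v and self.has_backup_relation(u, v):
                        (w,) = down - {u, v}
                        return {u: self.live_backup(u, down),
                                v: self.live_backup(v, down),
                                w: self.lighter(self.backups(w))}
            # S540: three mutually independent servers, each to its lighter backup
            return {s: self.lighter(self.backups(s)) for s in down}
        return {s: ESCAPE for s in down}               # S600: four or more down


def demo():
    """Constructed scenario: S2 is the least loaded server; S1 has the larger history."""
    ring = RingEscapeSystem(
        n=6,
        load={1: 10, 2: 5, 3: 10, 4: 8, 5: 10, 6: 9},
        history={1: 100, 3: 40},
    )
    return {
        "one_down": ring.plan({1}),                 # -> {1: 2}
        "adjacent_pair": ring.plan({1, 2}),         # -> {1: 6, 2: 3}
        "shared_backup": ring.plan({1, 3}),         # -> {1: 2, 3: 4}
        "three_in_a_row": ring.plan({1, 2, 3}),     # -> {2: ESCAPE, 1: 6, 3: 4}
        "pair_plus_one": ring.plan({1, 2, 5}),      # -> {1: 6, 2: 3, 5: 4}
        "independent_three": ring.plan({1, 3, 5}),  # -> {1: 2, 3: 2, 5: 4}
        "four_down": ring.plan({1, 2, 3, 4}),       # -> all ESCAPE
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>18}: {result}")
```

The "shared_backup" scenario is the S1/S3 case from the description: both would pick the least-loaded S2, so S1 (larger historical load) keeps S2 and S3 falls back to S4. From an availability standpoint that refinement is the important one: piling two failed servers' terminals onto a single backup is exactly how one failure cascades into the next, which is also why the policy hands terminals to the escape server rather than to the ring once three adjacent servers or four or more servers are down.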
CN201711134808.9A 2017-11-16 2017-11-16 A kind of certificate server escape system and method based on the backup of reciprocal loop Expired - Fee Related CN107819628B (en)

Publications (2)

Publication Number Publication Date
CN107819628A CN107819628A (en) 2018-03-20
CN107819628B true CN107819628B (en) 2018-07-13

Family

ID=61609841

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106878139A (en) * 2017-03-17 2017-06-20 迈普通信技术股份有限公司 Certification escape method and device based on 802.1X agreements
CN107204878A (en) * 2017-05-27 2017-09-26 国网山东省电力公司 A kind of annular escape system of certificate server and method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012097015A2 (en) * 2011-01-11 2012-07-19 A10 Networks Inc. Virtual application delivery chassis system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180713

Termination date: 20201116