CN114125827A - Terminal management method, device and centralized management system - Google Patents

Info

Publication number: CN114125827A
Authority: CN (China)
Prior art keywords: console, target, path, terminal, access point
Legal status: Granted (active)
Application number: CN202111406400.9A
Other languages: Chinese (zh)
Other versions: CN114125827B (en)
Inventor: 张首斌
Current Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd; priority to CN202111406400.9A; published as CN114125827A; application granted and published as CN114125827B

Classifications

    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06 Authentication > H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/03 Protecting confidentiality, e.g. by encryption
    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W76/00 Connection management > H04W76/10 Connection setup

Abstract

A terminal management method, a device and a centralized management system relate to the technical field of communication. The terminal management method comprises the following steps: when a target terminal accesses a centralized management and control system, acquiring an access certificate of a target access point; after access authentication succeeds according to the access certificate, determining a return path from the first console to the target access point and a target path from the target terminal to the target access point according to a preset path label mapping relation; splicing the target path and the return path to obtain the full path information from the target terminal to the first console; and finally establishing a communication session with the first console according to the full path information, so that the first console manages the target terminal through the communication session. Terminal management and control is thus achieved without a gateway device, the actual locations and IP addresses of the terminal and the management end are not exposed, and communication security is ensured.

Description

Terminal management method, device and centralized management system
Technical Field
The present application relates to the field of communications technologies, and in particular, to a terminal management method, an apparatus, and a centralized management system.
Background
In the Internet era, centralized management of terminals and devices has greatly improved enterprise production and office efficiency. The terminal and device management model has gradually evolved from the initial point-to-point form to today's distributed, centralized form. Existing terminal management methods generally connect the devices and the device management end through an intelligent gateway, so that the management end controls the devices directly. In practice, however, the intelligent gateway exposes the actual location and IP address of the management end, which is therefore at risk of being attacked and rendered unusable.
Disclosure of Invention
An object of the embodiments of the present application is to provide a terminal management method, an apparatus, and a centralized management system, which can implement management control on a terminal without requiring a gateway device, thereby being beneficial to avoiding exposing actual positions and IPs of the terminal and a management terminal, and ensuring communication security.
A first aspect of an embodiment of the present application provides a terminal management method, including:
when a target terminal accesses a centralized management and control system, acquiring an access certificate of a target access point;
after the access authentication is successfully carried out according to the access certificate, determining a return path from the first console to the target access point and a target path from the target terminal to the target access point according to a preset path label mapping relation;
splicing the target path and the return path to obtain the full path information from the target terminal to the first console;
and establishing a communication session with the first console according to the full path information, so that the first console manages the target terminal through the communication session.
In the implementation process, when a target terminal accesses a centralized management and control system, an access certificate of a target access point is acquired; then, after access authentication succeeds according to the access certificate, a return path from the first console to the target access point and a target path from the target terminal to the target access point are determined according to a preset path label mapping relation; then the target path and the return path are spliced to obtain the full path information from the target terminal to the first console; and finally a communication session is established with the first console according to the full path information, so that the first console manages the target terminal through the communication session. Terminal management and control is thus achieved without a gateway device, the actual locations and IP addresses of the terminal and the management end are not exposed, and communication security is ensured.
Further, the obtaining the access credential of the target access point includes:
acquiring public key information of the target terminal, and determining a target access point of the target terminal accessing the centralized management and control system;
and informing the first control console to distribute the access certificate of the target access point for the target terminal according to the public key information.
In the implementation process, the access certificate is acquired through public key information; the public and private keys serve as the unique identity of terminals and devices and participate in the negotiation and authentication of bottom-layer communication, so that the configuration is encrypted.
Further, the determining a return path from the first console to the target access point and a target path from the target terminal to the target access point according to a preset path label mapping relationship includes:
sending a console path request command to the target access point;
receiving response information fed back by the target access point aiming at the console path request command;
determining a response node from the target access point according to the response information;
acquiring a return path which is determined by the response node through automatic addressing according to the console path request command, the public key information and a preset path label mapping relation, wherein the return path is a communication path from the first console to the response node;
and determining a target path from the target terminal to the response node.
Further, the establishing a communication session with the first console according to the full path information includes:
initiating a session establishment request to the first console according to the full path information;
when the first console detects that the target terminal is a legal terminal according to the session establishment request, receiving session establishment confirmation information sent by the first console;
and establishing a communication session with the first console according to the session establishment confirmation information.
Further, the method further comprises:
when the first console fails, receiving control path information to be replaced, which is sent by a second console, the second console periodically synchronizing the device information on the first console, wherein the device information comprises device information of the target terminal;
and replacing the full path information with the control path information, and establishing a new communication session with the second console according to the control path information so that the second console manages the target terminal through the new communication session.
A second aspect of the embodiments of the present application provides a centralized management system, which includes a first console, a target terminal, and a target access point, wherein,
the target terminal is used for accessing the centralized management and control system from the target access point and acquiring an access certificate of the target access point; after the access authentication is successfully carried out according to the access certificate, determining a return path from the first console to the target access point and a target path from the target terminal to the target access point according to a preset path label mapping relation;
the target terminal is used for splicing the target path and the return path to obtain the full path information from the target terminal to the first console; and establishing a communication session with the first console according to the full path information;
the first console is used for establishing the communication session with the target terminal and managing the target terminal through the communication session.
In the implementation process, the target terminal accesses the centralized management and control system from the target access point and acquires an access certificate of the target access point; after access authentication succeeds according to the access certificate, a return path from the first console to the target access point and a target path from the target terminal to the target access point are determined according to a preset path label mapping relation; the target path and the return path are then spliced to obtain the full path information from the target terminal to the first console, and a communication session is established with the first console according to the full path information; the first console establishes the communication session with the target terminal and manages the target terminal through it. Terminal management and control is thus achieved without a gateway device, the actual locations and IP addresses of the terminal and the management end are not exposed, and communication security is ensured.
Further, the centralized management system further comprises a second console and a console access point, wherein,
the second console is used for accessing the centralized management system through the console access point, acquiring an access certificate of the console access point, searching communication path information from the second console to the first console after access authentication succeeds according to the access certificate, and establishing a synchronous session with the first console through the communication path information; the device information on the first console is synchronized periodically through the synchronous session, wherein the device information includes device information of the target terminal.
A third aspect of the embodiments of the present application provides a terminal management apparatus, where the terminal management apparatus includes:
the acquisition unit is used for acquiring an access certificate of a target access point when a target terminal accesses the centralized management and control system;
a path determining unit, configured to determine, according to a preset path label mapping relationship, a return path from the first console to the target access point and a target path from the target terminal to the target access point after access authentication is successfully performed according to the access credential;
the path splicing unit is used for splicing the target path and the return path to obtain the full path information from the target terminal to the first console;
and the session establishing unit is used for establishing a communication session with the first console according to the full path information, so that the first console manages the target terminal through the communication session.
In the implementation process, when the target terminal accesses the centralized management and control system, the acquisition unit acquires an access certificate of the target access point; after access authentication succeeds according to the access certificate, the path determining unit determines a return path from the first console to the target access point and a target path from the target terminal to the target access point according to a preset path label mapping relation; the path splicing unit splices the target path and the return path to obtain the full path information from the target terminal to the first console; and the session establishing unit establishes a communication session with the first console according to the full path information, so that the first console manages the target terminal through the communication session. Terminal management and control is thus achieved without a gateway device, the actual locations and IP addresses of the terminal and the management end are not exposed, and communication security is ensured.
A fourth aspect of the embodiments of the present application provides an electronic device, including a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to enable the electronic device to execute the terminal management method according to any one of the first aspect of the embodiments of the present application.
A fifth aspect of the embodiments of the present application provides a computer-readable storage medium, which stores computer program instructions, and when the computer program instructions are read and executed by a processor, the computer program instructions perform the terminal management method according to any one of the first aspect of the embodiments of the present application.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a system framework structure diagram related to a terminal management method provided in an embodiment of the present application;
fig. 2 is a schematic flowchart of a terminal management method according to an embodiment of the present application;
fig. 3 is a system architecture diagram of a centralized management system according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a terminal management device according to an embodiment of the present application;
fig. 5 is a system deployment topology diagram provided in an embodiment of the present application.
Reference numerals: 210 - first console; 220 - target terminal; 230 - target access point; 240 - second console; 250 - console access point; 260 - forwarding nodes; 1, 2, 3, 4, 5, 6, 7, 8 - nodes.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Referring to fig. 1, fig. 1 is a system framework structure diagram related to a terminal management method according to an embodiment of the present application. As shown in fig. 1, the terminals, the intermediate nodes and the console identify themselves by public key information; terminals, consoles and intermediate forwarding service nodes are indistinguishable from the outside, and the bottom communication layer performs session negotiation and encryption between nodes using public and private key pairs.
In this embodiment, the terminal may specifically be a computing device such as a computer and a server, and this embodiment is not limited in any way.
In this embodiment, the terminal may also be an intelligent device such as a smart phone, a tablet computer, and an intelligent wearable device, which is not limited in this embodiment.
As shown in fig. 1, from the bottom-layer communication among nodes up to the interface with the terminal and the console at the upper layer, the data processing of each node participating in communication comprises 5 layers:
(1) identity and addressing
An identity module is provided in each terminal or device node. The identity of a node comprises its IP address, communication port and public/private key authentication information; the public and private key information is initialized when the node is configured for the first time and is generated by a combined calculation over the device or terminal hardware information. The public and private keys serve as the unique identity of the terminal or device, participate in the negotiation and authentication of bottom-layer communication (communication with the intermediate nodes and the console), and the configuration is stored encrypted.
Addressing is mainly aimed at discovery of the console. Each terminal negotiates a session and communicates remotely with the console after one or more hops through intermediate nodes. Because of the multi-source control deployment there are several consoles and centralized management services, and the console corresponding to a given terminal node may differ between periods (link changes, intermediate node disconnection). The intermediate nodes therefore dynamically maintain a path from the terminal node to one console, so that a terminal node accessing for the first time can quickly obtain the path information from the intermediate node to the console and then establish communication sessions with the remote console and management service. Synchronization among several consoles is configured with the same addressing mechanism: each console periodically searches for paths to the other available consoles from the nodes interconnected with it.
(2) Route forwarding
Edge nodes such as terminals do not participate in the routing and forwarding of data. An intermediate node maps its public key to its bottom-layer IP address; it decrypts received data point to point according to its own private key and the public key of the directly connected node, reads the destination public-key address marked in the data header, judges whether the data is addressed to itself, and if not forwards it to another adjacent node. The forwarding node mainly selects the corresponding bottom-layer communication link for forwarding according to the path label (a conversion mapping is maintained among IP address, public key and link label).
(3) Data processing layer
For a terminal or a console, the forwarded data received from an intermediate node is handled by service layers of mainly three types: terminal service data, control signaling from the console to the terminal, and synchronous data between upstream and downstream consoles.
The terminal service data comprises information of different types of terminals and equipment; the control signaling is used for authentication between the terminal and the access point, control information and keep-alive communication between the terminal and the console; the synchronous data is used for cooperation of a bottom layer database among a plurality of control consoles and synchronization of control commands, and unified management and control of other console associated equipment can be realized under different control consoles.
(4) Session layer
The communication between the nodes can adopt a point-to-point and end-to-end double-layer encryption mechanism, a session layer is established on the basis of bottom layer communication, and the states of the terminal, the equipment nodes and the intermediate forwarding node, and the authentication and survival states between the terminal, the equipment nodes and a remote console are maintained. When the link changes due to the intermediate node failure, the session state changes to trigger the addressing service to the console, and the path information to the console is updated quickly.
(5) Interface layer
Above the session layer, services are distinguished for the terminal or the console, and the interface is divided into an application layer and a management layer, so as to meet the expansion requirements for managing and controlling multiple types of devices and terminals. The application layer provides a unified description extension for different types of devices and terminals, and different API interfaces can be developed for specific devices and terminals to manage and control them. The management layer controls and stores the extensions of the console and management service for different terminals and devices.
Referring to fig. 2, fig. 2 is a schematic flowchart of a terminal management method according to an embodiment of the present application. The terminal management method comprises the following steps:
S101, when a target terminal accesses a centralized management and control system, public key information of the target terminal is obtained, and the target access point through which the target terminal accesses the centralized management and control system is determined.
In the embodiment of the application, the method can be applied to centralized management and control design of desktop EDR terminals of an enterprise intranet, cloud security and situation awareness distributed probe nodes and the like, and the embodiment of the application is not limited.
In the embodiment of the application, the method is based on the autonomous definition of a safe communication system product, and the safe multisource centralized control platform system is built and realized, so that the safety of the centralized control platform can be greatly improved.
In the embodiment of the present application, the main execution body of the method is the target terminal, and the embodiment of the present application is not limited thereto.
Referring to fig. 5, fig. 5 is a schematic diagram of a system deployment topology according to an embodiment of the present application. As shown in fig. 5, a single device or console may access through multiple nodes, different devices and consoles may also access through the same access point, and access points are flexibly deployed within the reach of the internet through 1-to-1, 1-to-N modes; meanwhile, the deployment number of the control consoles is not limited to 2, and a plurality of control consoles can be deployed according to different positions and areas.
After step S101, the following steps are also included:
S102, informing the first console to distribute the access certificate of the target access point to the target terminal according to the public key information.
In the embodiment of the present application, taking one of the terminals (i.e., the target terminal) as an example to access the centralized management and control system, the steps of accessing the terminal and the console, forwarding the intermediate node, and addressing the path are explained in detail. The public key information of the target terminal is obtained first, and then the first console is informed to allocate the access credentials of the target access point (i.e. the node 6 and the node 7 shown in fig. 5) to the target terminal according to the public key information of the target terminal.
In this embodiment, the access credential includes public key information of the first console, public key information of the target access point, an IP address and communication port information corresponding to the target terminal, and the like.
In the embodiment of the application, after the access certificate is acquired, the target terminal loads the access certificate to start access authentication with the target access point.
In the embodiment of the present application, by implementing the steps S101 to S102, when the target terminal accesses the centralized management and control system, the access credential of the target access point can be obtained.
After step S102, the method further includes the following steps:
S103, after the access authentication is successfully carried out according to the access certificate, a console path request command is sent to the target access point.
And S104, receiving response information fed back by the target access point according to the console path request command.
And S105, determining a response node from the target access point according to the response information.
And S106, acquiring a return path which is determined by the response node through automatic addressing according to the console path request command, the public key information and the preset path label mapping relation, wherein the return path is a communication path from the first console to the response node.
And S107, determining a target path from the target terminal to the response node.
In the embodiment of the application, after the target terminal successfully performs access authentication according to the access certificate, a console path request command is sent to the target access point.
In this embodiment of the present application, the target access point includes at least one node, and as shown in fig. 5, the topology includes a node 1, a node 2, a node 3, a node 4, a node 5, a node 6, a node 7, and a node 8, where the target access point includes a node 6 and a node 7, the target terminal may send a console path request command to both the node 6 and the node 7, respectively, and then, when receiving response information of either the node 6 or the node 7, execute steps S105 to S107 to determine a target path from the target terminal to the response node. For example, assuming that the response information of the node 6 is received, the response node is the node 6, and then it may be determined that the path from the target terminal itself to the node 6 is the target path.
In the embodiment of the present application, after the access authentication is successfully performed according to the access credential, the return path from the first console to the target access point and the target path from the target terminal to the target access point can be determined according to the preset path label mapping relationship by implementing the steps S103 to S107.
After step S107, the following steps are also included:
and S108, splicing the target path and the return path to obtain the full path information from the target terminal to the first console.
In the embodiment of the application, the target path and the return path from the first console to the response node are spliced, so that the information of the whole path from the target terminal to the first console can be obtained.
And S109, establishing a communication session with the first control console according to the full path information so that the first control console manages the target terminal through the communication session.
In the embodiment of the application, after the target terminal acquires the full path information from the target terminal to the first console, the target terminal can initiate a session establishment request to the first console.
As an optional implementation, establishing a communication session with the first console according to the full-path information includes:
initiating a session establishment request to a first console according to the full path information;
when the first console detects that the target terminal is a legal terminal according to the session establishment request, receiving session establishment confirmation information sent by the first console;
and establishing a communication session with the first console according to the session establishment confirmation information.
In the above embodiment, when the target terminal sends a session establishment request, node 6 receives it, decrypts it and determines that the packet does not belong to itself; it then forwards the request layer by layer according to the path information to the upstream node 4, node 4 forwards it to node 1, and node 1 finally forwards it to the first console. After receiving the session establishment request, the first console decrypts it and judges that the message belongs to itself; if so, it checks against its background database whether the target terminal is a legal terminal, and if it is, a normal communication session is established.
In the embodiment of the application, after the session is established, the first console can realize the control of the remote target terminal.
As shown in fig. 5, other terminals may also access the centralized management and control system through the terminal management method. Other terminals may access the centralized management and control system by using the node 7 and the node 8 as access points.
After step S109, the following steps are further included:
S110, when the first console fails, receiving control path information to be replaced, sent by a second console; the second console periodically synchronizes the device information on the first console, and the device information includes the device information of the target terminal.
And S111, replacing the full path information with the control path information, and establishing a new communication session with the second console according to the control path information so that the second console manages the target terminal through the new communication session.
As shown in fig. 5, the second console accesses the system in the same way as the target terminal: on first access, its access credential is issued through the first console. After the second console has accessed successfully, the path to the first console is automatically searched via node 8 and node 5, a synchronization session is then established with the first console, and the device information of the target terminal stored on the first console is synchronized periodically. If the first console fails, the control paths of all nodes can be automatically updated to point to the second console; since the second console also holds the device information of the target terminal, control over the target terminal is switched over seamlessly.
As an alternative implementation, if the intermediate forwarding node fails, the nodes interconnected with the intermediate forwarding node are also updated to the corresponding console paths synchronously.
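The path splicing, hop-by-hop forwarding of the session establishment request, legality check against the console's database, and failover to the second console described in steps S105 to S111 above, as an added example that is not code from the patent. The node numbers follow the description of fig. 5; the path label mapping, the public-key device database, and the plain-text addressee field (the patent decrypts the request at each node) are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Constructed path label mapping (an assumption for this example): for each
# (console, access point) pair, the hop list from the console down to the
# access point, i.e. the "return path" the response node resolves by automatic
# addressing.  The node numbers follow the description of fig. 5 in the text.
PATH_LABEL_MAP = {
    ("console1", "node6"): ["console1", "node1", "node4", "node6"],
    ("console1", "node7"): ["console1", "node1", "node4", "node5", "node7"],
    ("console1", "node8"): ["console1", "node1", "node4", "node5", "node8"],
    ("console2", "node6"): ["console2", "node8", "node5", "node4", "node6"],
}


@dataclass
class Console:
    """A control console whose background database maps a terminal's public
    key (its unique identity) to device information."""
    name: str
    devices: dict = field(default_factory=dict)
    online: bool = True

    def sync_from(self, primary: "Console") -> None:
        """Timed synchronisation of the primary console's device information."""
        self.devices.update(primary.devices)

    def check_legal_terminal(self, pubkey: str) -> bool:
        """Only a terminal present in the background database is confirmed."""
        return self.online and pubkey in self.devices


def splice_full_path(target_path: list, return_path: list) -> list:
    """Join terminal -> response node with the reversed console -> response
    node path, giving a path from the terminal all the way to the console."""
    if target_path[-1] != return_path[-1]:
        raise ValueError("target path and return path must meet at the response node")
    return target_path + list(reversed(return_path))[1:]


def forward_session_request(full_path: list, request: dict, consoles: dict):
    """Hop-by-hop forwarding of a session establishment request.

    Each node on the path inspects the request, keeps it only if it is the
    addressee, and otherwise relays it to the next upper node.
    Returns (nodes traversed, session confirmed?).
    """
    hops = []
    for node in full_path[1:]:          # full_path[0] is the terminal itself
        hops.append(node)
        if node == request["dst_console"]:
            return hops, consoles[node].check_legal_terminal(request["pubkey"])
        # not this node's packet: forward layer by layer along the path
    return hops, False                   # path exhausted without reaching a console


def failover_to_second_console(control_path: list, request: dict, consoles: dict):
    """S110/S111: the control path pushed by the second console replaces the
    full path, and the session is re-established along it."""
    request = dict(request, dst_console=control_path[-1])
    return forward_session_request(control_path, request, consoles)


def run_scenario() -> dict:
    """Walk through access, session establishment and failover from fig. 5."""
    consoles = {"console1": Console("console1"), "console2": Console("console2")}
    consoles["console1"].devices["pk_terminal_A"] = {"ap": "node6"}  # constructed
    consoles["console2"].sync_from(consoles["console1"])

    # Terminal A accesses from node 6, and node 6 itself is the response node.
    target_path = ["terminalA", "node6"]
    full_path = splice_full_path(target_path, PATH_LABEL_MAP[("console1", "node6")])

    request = {"dst_console": "console1", "pubkey": "pk_terminal_A"}
    hops, ok = forward_session_request(full_path, request, consoles)

    # A terminal absent from the background database gets no confirmation.
    _, rejected = forward_session_request(
        full_path, dict(request, pubkey="pk_unknown"), consoles)

    # Console 1 fails: the old path no longer yields a session, and console 2
    # pushes its own control path for node 6, which replaces the full path.
    consoles["console1"].online = False
    _, after_failure = forward_session_request(full_path, request, consoles)
    control_path = splice_full_path(target_path, PATH_LABEL_MAP[("console2", "node6")])
    new_hops, switched = failover_to_second_console(control_path, request, consoles)

    return {"full_path": full_path, "hops": hops, "session_ok": ok,
            "unknown_rejected": not rejected, "primary_down_ok": after_failure,
            "control_path": control_path, "failover_hops": new_hops,
            "failover_ok": switched}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```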
According to the embodiment of the application, by implementing the method the centralized control center and platform can operate in a multi-source mode, which greatly improves the security level and reliability.
According to the embodiment of the application, the method can realize management and terminal identity unification, the path addressing is automatically found, and the system networking is more flexible and convenient.
Therefore, by implementing the terminal management method described in fig. 2, terminal management and control can be realized without a gateway device, which helps avoid exposing the actual locations and IP addresses of the terminal and the management end and ensures communication security.
Referring to fig. 3, fig. 3 is a schematic diagram of the system architecture of a centralized management system according to an embodiment of the present application. As shown in fig. 3, the centralized management system includes a first console 210, a target terminal 220, and a target access point 230.
The target terminal 220 is configured to access the centralized management and control system from the target access point 230, and obtain an access credential of the target access point 230; and after the access authentication is successful according to the access credential, determining a return path from the first console 210 to the target access point 230 and a target path from the target terminal 220 to the target access point 230 according to a preset path label mapping relationship.
The target terminal 220 is configured to splice the target path and the return path to obtain full path information from the target terminal 220 to the first console 210; and establishing a communication session with the first console 210 according to the full path information;
the first console 210 is configured to establish a communication session with the target terminal 220 and manage the target terminal 220 through the communication session.
As an alternative embodiment, the centralized management system further includes a second console 240 and a console access point 250.
The second console 240 is configured to access the centralized management system through the console access point 250, obtain an access credential of the console access point 250, search for communication path information from the second console 240 to the first console 210 after access authentication succeeds according to the access credential, establish a synchronization session with the first console 210 through the communication path information, and periodically synchronize the device information on the first console 210 through the synchronization session; the device information includes the device information of the target terminal 220.
In this embodiment, the centralized management system further includes a forwarding node 260, when the target terminal 220 needs to send information to the first console 210, the target terminal 220 first sends the information to the target access point 230, then the target access point 230 sends the information to the forwarding node 260, and the forwarding node 260 forwards the information to the first console 210. Similarly, when the first console 210 needs to send information to the target terminal 220, the forwarding node 260 and the target access point 230 forward the information to the target terminal 220.
In the embodiment of the present application, when the second console 240 needs to send information to the first console 210, the information is also forwarded to the first console 210 by the console access point 250 and the forwarding node 260; similarly, when the first console needs to send information to the second console 240, the information is also forwarded to the second console 240 by the forwarding node 260 and the console access point 250.
For example, as shown in fig. 5, when the target terminal 220 sends information to the first console 210, and when the target access point 230 includes the node 6, the nodes 4 and 1 are forwarding nodes 260; when the target access point 230 includes node 7, then nodes 5, 4, 1 are forwarding nodes 260. When the second console 240 sends information to the first console 210, and when the console access point 250 includes the node 5, the node 4 and the node 1 are forwarding nodes 260; when the console access point 250 includes node 8, then nodes 5, 4, and 1 are forwarding nodes 260.
In the embodiment of the application, the centralized management system comprises a plurality of control consoles, and each control console can automatically query other control consoles capable of synchronizing data, so that the stored equipment information can be synchronized to other control consoles, thereby realizing timely switching to other control consoles synchronized with the same equipment information when the control console fails, and realizing seamless switching of control over the target terminal 220.
In the embodiment of the application, the centralized management system realizes terminal management through multi-source deployment of centralized management, identity hiding, and spontaneous path addressing. Through multi-source deployment, management and control centers in different locations and areas and with different identities are linked, combining centralized management and control with secure operation and maintenance. Meanwhile, public key information serves as the unique identity of device data, forwarding processing, and the control center, and hiding of the service is realized by combining adaptive path addressing with tunnel forwarding. In addition, a unified application interface layer provides access and control for the management and control of different devices and terminals, making integrated management and control possible.
Therefore, the centralized management system described in fig. 3 can realize management and control of the terminal without a gateway device, which helps avoid exposing the actual locations and IP addresses of the terminal and the management end and ensures communication security.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a terminal management device according to an embodiment of the present application. As shown in fig. 4, the terminal management apparatus includes:
an obtaining unit 310, configured to obtain an access credential of a target access point when a target terminal accesses a centralized management and control system;
a path determining unit 320, configured to determine, according to a preset path label mapping relationship, a return path from the first console to the target access point and a target path from the target terminal to the target access point after the access authentication is successfully performed according to the access credential;
the path splicing unit 330 is configured to splice the target path and the return path to obtain full path information from the target terminal to the first console;
a session establishing unit 340, configured to establish a communication session with the first console according to the full path information, so that the first console manages the target terminal through the communication session.
As an optional implementation, the obtaining unit 310 includes:
the first subunit 311 is configured to, when the target terminal accesses the centralized management and control system, obtain public key information of the target terminal, and determine a target access point of the target terminal accessing the centralized management and control system;
a second sub-unit 312, configured to notify the first console to allocate an access credential of the target access point to the target terminal according to the public key information.
As an alternative embodiment, the path determining unit 320 includes:
a third subunit 321, configured to send a console path request command to the target access point after the access authentication is successful according to the access credential; receiving response information fed back by the target access point aiming at the console path request command;
a fourth subunit 322, configured to determine a responding node from the target access point according to the responding information;
a fifth subunit 323, configured to acquire a return path determined by the response node through automatic addressing according to the console path request command, the public key information, and a preset path label mapping relationship, where the return path is a communication path from the first console to the response node; and to determine a target path from the target terminal to the response node.
As an optional implementation manner, the session establishing unit 340 includes:
a sixth subunit 341, configured to initiate a session establishment request to the first console according to the full path information;
a seventh sub-unit 342, configured to receive, when the first console detects that the target terminal is a valid terminal according to the session establishment request, session establishment confirmation information sent by the first console;
an eighth subunit 343, configured to establish a communication session with the first console according to the session establishment confirmation information.
As an optional implementation manner, the terminal management apparatus further includes:
a receiving unit 350, configured to receive, when the first console fails, control path information to be replaced, sent by a second console; the second console periodically synchronizes the device information on the first console, and the device information includes the device information of the target terminal;
the establishing unit 360 is configured to replace the full path information with the control path information, and establish a new communication session with the second console according to the control path information, so that the second console manages the target terminal through the new communication session.
Therefore, implementing the terminal management device described in fig. 4 can realize management and control of the terminal without a gateway device, which helps avoid exposing the actual locations and IP addresses of the terminal and the management end and ensures communication security.
An embodiment of the present application provides an electronic device, which includes a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to enable the electronic device to execute the terminal management method in any one of embodiment 1 and embodiment 2 of the present application.
An embodiment of the present application provides a computer-readable storage medium, which stores computer program instructions, and when the computer program instructions are read and executed by a processor, the computer program instructions execute the terminal management method in any one of embodiment 1 or embodiment 2 of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A terminal management method, comprising:
when a target terminal accesses a centralized management and control system, acquiring an access certificate of a target access point;
after the access authentication is successfully carried out according to the access certificate, determining a return path from the first console to the target access point and a target path from the target terminal to the target access point according to a preset path label mapping relation;
splicing the target path and the return path to obtain the full path information from the target terminal to the first console;
and establishing a communication session with the first control console according to the full path information so that the first control console manages the target terminal through the communication session.
2. The terminal management method according to claim 1, wherein the obtaining the access credential of the target access point comprises:
acquiring public key information of the target terminal, and determining a target access point of the target terminal accessing the centralized management and control system;
and informing the first control console to distribute the access certificate of the target access point for the target terminal according to the public key information.
3. The terminal management method according to claim 2, wherein the determining a return path from the first console to the target access point and a target path from the target terminal to the target access point according to a preset path label mapping relationship comprises:
sending a console path request command to the target access point;
receiving response information fed back by the target access point aiming at the console path request command;
determining a response node from the target access point according to the response information;
acquiring a return path which is determined by the response node through automatic addressing according to the console path request command, the public key information and a preset path label mapping relation, wherein the return path is a communication path from the first console to the response node;
and determining a target path from the target terminal to the response node.
4. The terminal management method according to claim 1, wherein the establishing a communication session with the first console according to the full path information comprises:
initiating a session establishment request to the first console according to the full path information;
when the first console detects that the target terminal is a legal terminal according to the session establishment request, receiving session establishment confirmation information sent by the first console;
and establishing a communication session with the first console according to the session establishment confirmation information.
5. The terminal management method according to claim 1, wherein the method further comprises:
when the first console fails, receiving control path information to be replaced, which is sent by a second console; the second console synchronizes device information on the first console in a timing manner, wherein the device information comprises device information of the target terminal;
and replacing the full path information with the control path information, and establishing a new communication session with the second console according to the control path information so that the second console manages the target terminal through the new communication session.
6. A centralized management system, comprising a first console, a target terminal, and a target access point, wherein,
the target terminal is used for accessing the centralized management and control system from the target access point and acquiring an access certificate of the target access point; after the access authentication is successfully carried out according to the access certificate, determining a return path from the first console to the target access point and a target path from the target terminal to the target access point according to a preset path label mapping relation;
the target terminal is used for splicing the target path and the return path to obtain the full path information from the target terminal to the first console; and establishing a communication session with the first console according to the full path information;
the first console is used for establishing the communication session with the target terminal and managing the target terminal through the communication session.
7. The centralized management system of claim 6, further comprising a second console and a console access point, wherein,
the second console is used for accessing the centralized management system through the console access point, acquiring an access certificate of the console access point, searching communication path information from the second console to the first console after access authentication is successfully performed according to the access certificate, and establishing a synchronous session with the first console through the communication path information; and the equipment information on the first console is synchronized in a timing mode through the synchronous session; wherein the device information includes device information of the target terminal.
8. A terminal management apparatus, characterized in that the terminal management apparatus comprises:
the acquisition unit is used for acquiring an access certificate of a target access point when a target terminal accesses the centralized management and control system;
a path determining unit, configured to determine, according to a preset path label mapping relationship, a return path from the first console to the target access point and a target path from the target terminal to the target access point after access authentication is successfully performed according to the access credential;
the path splicing unit is used for splicing the target path and the return path to obtain the full path information from the target terminal to the first console;
and the session establishing unit is used for establishing a communication session with the first control console according to the full path information so that the first control console manages the target terminal through the communication session.
9. An electronic device, characterized in that the electronic device comprises a memory for storing a computer program and a processor for executing the computer program to cause the electronic device to perform the terminal management method according to any one of claims 1 to 5.
10. A readable storage medium, in which computer program instructions are stored, which, when read and executed by a processor, perform the terminal management method according to any one of claims 1 to 5.
CN202111406400.9A 2021-11-24 2021-11-24 Terminal management method, device and centralized management system Active CN114125827B (en)

Publications (2)

Publication Number Publication Date
CN114125827A true CN114125827A (en) 2022-03-01
CN114125827B CN114125827B (en) 2023-11-10
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant