CN114615309A - Client access control method, device and system, electronic equipment and storage medium - Google Patents

Info

Publication number: CN114615309A
Application number: CN202210056377.3A
Authority: CN (China)
Prior art keywords: client, certificate, ssl, module, information
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN114615309B (en)
Inventors: 蒋凯, 冯顾
Current assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Original assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd; priority to CN202210056377.3A; published as CN114615309A; application granted and published as CN114615309B.

Classifications (CPC)

    • H04L67/141 Setup of application sessions (H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/14 Session management)
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer


Abstract

The invention provides a client access control method, device, system, electronic device and storage medium. The method receives SSL connection request information initiated by a first client, where the SSL connection request information is generated from the first client's preset SSL certificate and a CA certificate; verifies the certificate information in the SSL connection request information against pre-stored certificate verification information and, if the verification passes, generates first client SSL certificate state acquisition request information; sends that request information to a CA service module; and receives the CA service module's state analysis result for the request and controls the access of the first client according to that result. This moves the client access control requirement from the application layer of the system down to the SSL (secure socket layer) connection layer, which is safer and more efficient and reduces the implementation complexity of the application-layer software.

Description

Client access control method, device and system, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, an apparatus, a system, an electronic device, and a storage medium for controlling access to a client.
Background
Currently, there are several typical requirements for controlling terminal access in a terminal management system:
(1) Authentication of client access. In the prior art the client calls an API to access the server and the server must authenticate the client. This is usually implemented at the application layer: the server and the client agree on an authentication method, for example a token, the client carries the token in each request, and the server checks whether the token matches. Such a token is easily learned and forged.
(2) Control of the authorization date. The server or the client checks the authorization date and, once it has passed, restricts some functions; a timed task is generally run at the application layer to check the date.
(3) The server can forcibly deny access to a particular client, for example by forcibly cancelling that client's authorization. Typically the check is made in the API code and an error code is returned.
These terminal access control requirements are all implemented by application-layer code after the connection has been established, which is neither safe nor efficient enough and increases the complexity of the application-layer software.
Disclosure of Invention
The invention provides a client access control method, device, system, electronic device and storage medium to solve the problems that existing terminal management systems implement client access control at the application layer, which is not safe and efficient enough and increases the implementation complexity of the application-layer software.
In a first aspect, the present invention provides a client access control method, including:
receiving SSL connection request information initiated by a first client; wherein the SSL connection request information is generated based on a preset SSL certificate and a CA certificate of the first client;
verifying the certificate information in the SSL connection request information according to prestored certificate verification information, and generating SSL certificate state acquisition request information of a first client under the condition that the verification is passed;
sending the first client certificate state acquisition request information to a CA service module;
and receiving the state analysis result of the CA service module for the first client certificate state acquisition request information, and controlling the access of the first client according to the state analysis result.
Further, the method further comprises:
and in the case that the verification fails, prohibiting the access of the first client.
Further, receiving the state analysis result of the CA service module for the first client certificate state acquisition request information and controlling the access of the first client according to the state analysis result specifically includes:
allowing the first client to access under the condition that the state analysis result is normal;
and if the state analysis result is revoked or forged, prohibiting the access of the first client.
Further, the pre-stored certificate verification information includes:
pre-stored identification information of the SSL certificate, validity time information, and issuing information of the CA certificate.
Further, the client access control method further includes:
receiving first client certificate state acquisition request information sent by an SSL module;
and performing state analysis on the first client certificate state acquisition request information, and sending the state analysis result to the SSL module so that the SSL module controls the access of the first client according to the state analysis result.
Further, the performing state analysis on the first client certificate state acquisition request information and sending a state analysis result to the SSL module includes:
performing state analysis on the first client certificate state acquisition request information according to pre-stored state information of the SSL certificate, and returning a state analysis result of SSL certificate revoked or forged to the SSL module in the case that the state is abnormal;
and returning a state analysis result of SSL certificate state normal to the SSL module in the case that the state is normal.
Further, the method further comprises:
receiving a certificate configuration file of a second client side sent by a server side program module;
generating an SSL certificate of a second client and state information of the SSL certificate of the second client according to a certificate configuration file of the second client, and locally storing the SSL certificate and the state information; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client;
and sending the SSL certificate of the second client to the server program module so that the server program module issues the SSL certificate of the second client to the second client.
Further, the method further comprises:
receiving an instruction sent by the server program module for revoking the SSL certificate of the third client;
searching for the SSL certificate of the third client among the SSL certificates of the issued clients;
and setting the state information of the SSL certificate of the third client to the revoked state.
Further, the client access control method further includes:
generating a certificate configuration file for the second client, and sending the certificate configuration file of the second client to the CA service module, so that the CA service module generates an SSL (secure socket layer) certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client;
and receiving the SSL certificate of the second client from the CA service module, and sending the SSL certificate of the second client to the second client.
Further, the method further comprises:
and sending an instruction for revoking the SSL certificate of the third client to the CA service module.
Further, the method further comprises:
configuring a CA certificate and address information of a CA service module for an SSL module, and starting the SSL module; and the CA certificate is a public key used by the CA service module when the SSL certificate of the second client is signed.
In a second aspect, the present invention further provides a client access control device, including: the device comprises a first receiving module, a verification module, a first sending module and a first control module, wherein:
the first receiving module is used for receiving SSL connection request information initiated by a first client; wherein the SSL connection request information is generated based on a preset SSL certificate and a CA certificate of the first client;
the verification module is used for verifying the certificate information in the SSL connection request information according to prestored certificate verification information, and generating SSL certificate state acquisition request information of a first client under the condition that the certificate passes verification;
the first sending module is used for sending the first client certificate state acquisition request information to the CA service module;
and the first control module is used for receiving a state analysis result of the CA service module for the first client certificate state acquisition request information and controlling the access of the first client according to the state analysis result.
Further, the present invention also provides a client access control device, including a second receiving module and a second control module, wherein:
the second receiving module is used for receiving the first client certificate state acquisition request information sent by the SSL module;
and the second control module is used for carrying out state analysis on the certificate state acquisition request information of the first client and sending a state analysis result to the SSL module so that the SSL module controls the access of the first client according to the state analysis result.
Further, the present invention also provides a client access control device, including: the device comprises a generating module and a second sending module, wherein:
the generation module is used for generating a certificate configuration file for the second client and sending the certificate configuration file of the second client to the CA service module so that the CA service module generates an SSL (secure socket layer) certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client;
and the second sending module is used for receiving the SSL certificate of the second client from the CA service module and sending the SSL certificate of the second client to the second client.
In a third aspect, the present invention further provides a client access control system, including: the system comprises an SSL module, a CA service module and a server program module, wherein the SSL module, the CA service module and the server program module are used for executing the steps of the client access control method.
In a fourth aspect, the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the client access control method as described in any one of the above when executing the program.
In a fifth aspect, the present invention also provides a non-transitory computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the client access control method as described in any one of the above.
In a sixth aspect, the present invention also provides a computer program product comprising a computer program, which when executed by a processor, implements the steps of the client access control method as described in any one of the above.
The invention provides a client access control method, device, system, electronic device and storage medium. The method receives SSL connection request information initiated by a first client, where the SSL connection request information is generated from the first client's preset SSL certificate and a CA certificate; verifies the certificate information in the SSL connection request information against pre-stored certificate verification information and, if the verification passes, generates first client SSL certificate state acquisition request information; sends that request information to a CA service module; and receives the CA service module's state analysis result for the request and controls the access of the first client accordingly. This solves the problems that the existing terminal management system implements client access control at the application layer with insufficient safety and efficiency and increased application-layer software complexity: the client access control requirement is moved down from the application layer of the system to the SSL connection layer, which is safer and more efficient and also reduces the implementation complexity of the application-layer software.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a client access control system according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating a method for controlling access to a client according to an embodiment of the present invention;
fig. 3 is a flowchart illustrating a method for controlling access to a client according to another embodiment of the present invention;
fig. 4 is a flowchart illustrating a method for controlling access to a client according to another embodiment of the present invention;
fig. 5 is a flowchart illustrating a method for controlling access to a client according to another embodiment of the present invention;
fig. 6 is a flowchart illustrating a method for controlling access to a client according to another embodiment of the present invention;
fig. 7 is a block diagram illustrating a structure of a client access control device according to an embodiment of the present invention;
fig. 8 is a block diagram illustrating a structure of a client access control device according to another embodiment of the present invention;
fig. 9 is a block diagram illustrating a structure of a client access control device according to another embodiment of the present invention;
fig. 10 is a block diagram illustrating a client access control system according to another embodiment of the present invention;
fig. 11 is a block diagram of a client access control electronic device according to another embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The SSL module, CA service module and server program module involved in the present invention form a client access control system, as shown in fig. 1, and are described in detail as follows:
the SSL module is used for receiving SSL connection request information initiated by the first client; wherein the SSL connection request information is generated based on a preset SSL certificate and a CA certificate of the first client; verifying the certificate information in the SSL connection request information according to prestored certificate verification information, and generating SSL certificate state acquisition request information of a first client under the condition that the verification is passed; sending the first client certificate state acquisition request information to a CA service module; and receiving a state analysis result of the CA service module for acquiring the request information of the certificate state of the first client, and controlling the access of the first client according to the state analysis result.
The CA service module is used for receiving the first client certificate state acquisition request information sent by the SSL module; and performing state analysis on the first client certificate state acquisition request information, and sending a state analysis result to an SSL (secure socket layer) module so that the SSL module controls the access of the first client according to the state analysis result.
The server program module is used for generating a certificate configuration file for the second client and sending the certificate configuration file of the second client to the CA service module, so that the CA service module generates an SSL (secure sockets layer) certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client; and receiving the SSL certificate of the second client from the CA service module, and sending the SSL certificate of the second client to the second client.
Fig. 2 is a schematic flowchart of a client access control method provided in this embodiment, and referring to fig. 2, the method is applied to an SSL module, and includes:
step 201: receiving SSL connection request information initiated by a first client;
wherein the SSL connection request information is generated based on a preset SSL certificate and a CA certificate of the first client. SSL is a secure network connection layer and a current standard secure access method: it provides a security and data-integrity protocol for network communication and encrypts the network connection directly between the transport layer and the application layer, ensuring that data is delivered to the correct client and server and is not stolen in transit. The SSL module is standard and generic; for example, SSL client authentication can be performed directly with nginx.
It should be further noted that the SSL certificate of the first client may be an issued SSL certificate, such as a self-issued SSL certificate or an SSL certificate issued by an authority, or a revoked SSL certificate. The first client is the client to be authenticated; it is an Agent program deployed on a Windows or Linux host and managed by the server. The first client can communicate with the terminal management system to which the SSL module belongs in a wired or wireless manner, and can send SSL connection request information to the SSL module from a mobile phone, tablet computer, computer or dedicated company electronic device.
Specifically, the first client sends SSL connection request information to the SSL module, and the SSL module receives SSL connection request information initiated by the first client.
For example, an information technology company provides a dedicated computer for each employee of the company, an employee a sends SSL connection request information to an SSL module of a company terminal management system through a computer with an identity code of 01, and the SSL module receives SSL connection request information initiated by the employee a through the computer with the identity code of 01.
Step 202: verifying the certificate information in the SSL connection request information according to prestored certificate verification information, and generating SSL certificate state acquisition request information of a first client under the condition that the verification is passed;
the pre-stored certificate verification information comprises pre-stored identification information of the SSL certificate, valid time information and issuing information of the CA certificate.
Specifically, the SSL module verifies the certificate information in the SSL connection request information according to pre-stored certificate verification information, and generates first client SSL certificate status acquisition request information when the verification passes.
For example, an SSL module in the terminal management system of an information technology company verifies the certificate information in the SSL connection request information initiated by employee a from the computer with identity code 01 against the pre-stored identification information of the SSL certificate, validity time information and issuing information of the CA certificate. The identification information in the certificate of the computer with identity code 01 used by employee a is the identity code 01, the validity time information is 1 January 2021 to 1 January 2023, and the issuing information of the CA certificate is organization a. After comparison with the certificate verification information pre-stored in the SSL module, the certificate information of the computer with identity code 01 used by employee a passes verification, and SSL certificate state acquisition request information for the computer with identity code 01 is generated.
Step 203: sending the first client certificate state acquisition request information to a CA service module;
the CA is a certificate authority, and can issue various digital certificates, the certificate issued by the CA authority can be a CA certificate, the SSL certificate is one of the certificates issued by the CA authority, and the certificate issued by the CA authority can be a mail certificate, an encryption certificate, or a software digital certificate, which is not limited specifically herein.
It should be further noted that, in the case that the first client certificate information is verified, that is, the first client has owned the certificate, the certificate is within the validity period and the issuer information is correct, but it still cannot be determined whether the certificate is in a revoke or counterfeit state, in this case, in order to prevent the client who has been revoked or has a suspicion of counterfeit from accessing, it is necessary to further obtain the request information by sending the certificate state of the first client to the CA service module.
Specifically, according to the pre-stored certificate verification information, under the condition that the certificate information in the SSL connection request information sent by the first client matches the certificate verification information pre-stored in the SSL module, that is, the verification passes, the SSL module generates first client SSL certificate status acquisition request information, and sends the first client certificate status acquisition request information to the CA service module.
For example, an SSL module in a terminal management system of an information technology company generates, according to pre-stored certificate verification information, first client SSL certificate status acquisition request information when certificate information in SSL connection request information sent by employee a through a computer with an identity code of 01 matches the certificate verification information pre-stored in the SSL module, that is, the verification passes, and the SSL module sends the first client SSL certificate status acquisition request information to a CA service module.
Step 204: and receiving a state analysis result of the CA service module for acquiring the request information of the certificate state of the first client, and controlling the access of the first client according to the state analysis result.
The state analysis result may be a normal state, a revoked state or a forged state. Access of the first client is allowed if the state analysis result is normal, and prohibited if the state analysis result is revoked or forged.
Specifically, the SSL module receives a status analysis result of the first client certificate status acquisition request message from the CA service module, and controls access of the first client according to the status analysis result.
For example, an SSL module in the terminal management system of an information technology company receives the CA service module's state analysis result for the certificate state acquisition request information of the computer with identity code 01 used by employee a, and controls the access of that computer according to the state analysis result.
This embodiment provides a client access control method applied to the SSL module of a terminal management system. The method receives SSL connection request information initiated by a first client, where the SSL connection request information is generated from the first client's preset SSL certificate and a CA certificate; verifies the certificate information in the SSL connection request information against pre-stored certificate verification information and, if the verification passes, generates first client SSL certificate state acquisition request information; sends that request information to a CA service module; and receives the CA service module's state analysis result for the request and controls the access of the first client accordingly. This solves the problems that the existing terminal management system implements client access control at the application layer with insufficient safety and efficiency and increased application-layer software complexity: the client access control requirement is moved down from the application layer of the system to the SSL connection layer, which is safer and more efficient and reduces the complexity of the application-layer software.
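The decision logic of steps 201 to 204, together with the CA service module's state analysis and the revocation instruction described later in the description, modelled as an added Python example (not code from the patent or its applicants); the class names, the serial-number lookup key and the sample clients are assumptions constructed for this illustration:

```python
# Added example (not the patent's code): models the SSL module's access
# control decision (steps 201-204) and the CA service module's certificate
# state lookup and revocation. All class/function names, the serial-number
# key and the sample clients below are assumptions made for this illustration.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class CertStatus(Enum):
    NORMAL = "normal"
    REVOKED = "revoked"
    FORGED = "forged"


@dataclass(frozen=True)
class ClientCert:
    """Fields of a client SSL certificate that the two modules compare."""
    client_id: str     # identification information (e.g. identity code "01")
    not_before: date   # validity time information
    not_after: date
    issuer: str        # issuing information of the CA certificate
    serial: str        # assumed: serial assigned by the CA service module


@dataclass
class CaServiceModule:
    """Generates certificates and stores their state information locally."""
    issuer_name: str
    _issued: dict = field(default_factory=dict)  # serial -> (client_id, status)

    def issue(self, config: dict) -> ClientCert:
        """Generate a certificate from a client certificate configuration file."""
        serial = f"{len(self._issued) + 1:04d}"
        cert = ClientCert(config["client_id"], config["not_before"],
                          config["not_after"], self.issuer_name, serial)
        self._issued[serial] = (cert.client_id, CertStatus.NORMAL)
        return cert

    def revoke(self, client_id: str) -> bool:
        """Revocation instruction: mark the client's issued certificate(s) revoked."""
        found = False
        for serial, (cid, _status) in self._issued.items():
            if cid == client_id:
                self._issued[serial] = (cid, CertStatus.REVOKED)
                found = True
        return found

    def status(self, cert: ClientCert) -> CertStatus:
        """State analysis: a serial never issued, or issued to another identity, is forged."""
        entry = self._issued.get(cert.serial)
        if entry is None or entry[0] != cert.client_id:
            return CertStatus.FORGED
        return entry[1]


@dataclass
class SslModule:
    """Holds the pre-stored verification information and a handle to the CA module."""
    trusted_issuer: str
    known_client_ids: set
    ca: CaServiceModule

    def verify_connection(self, cert: ClientCert, today: date) -> tuple[bool, str]:
        # Step 202: local verification against the pre-stored information.
        if cert.client_id not in self.known_client_ids:
            return False, "identification information not recognised"
        if not cert.not_before <= today <= cert.not_after:
            return False, "certificate outside its validity period"
        if cert.issuer != self.trusted_issuer:
            return False, "issuing information does not match the CA certificate"
        # Steps 203-204: only a locally valid certificate is sent for state analysis.
        state = self.ca.status(cert)
        if state is CertStatus.NORMAL:
            return True, "access allowed"
        return False, f"access denied: certificate {state.value}"


def run_scenario() -> dict:
    """Issue, verify, forge and revoke certificates; return each access decision."""
    ca = CaServiceModule(issuer_name="organization a")
    today = date(2022, 6, 1)  # constructed evaluation date
    # Server program module: certificate configuration files for two clients.
    cert_01 = ca.issue({"client_id": "01", "not_before": date(2021, 1, 1),
                        "not_after": date(2023, 1, 1)})
    cert_02 = ca.issue({"client_id": "02", "not_before": date(2021, 1, 1),
                        "not_after": date(2022, 1, 1)})
    ssl = SslModule("organization a", {"01", "02"}, ca)
    results = {
        "valid": ssl.verify_connection(cert_01, today),
        "expired": ssl.verify_connection(cert_02, today),
    }
    # A certificate the CA service module never issued (forged serial).
    forged = ClientCert("01", date(2021, 1, 1), date(2023, 1, 1), "organization a", "9999")
    results["forged"] = ssl.verify_connection(forged, today)
    ca.revoke("01")  # revocation instruction from the server program module
    results["revoked"] = ssl.verify_connection(cert_01, today)
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:8s} -> {decision}")
```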
Based on the content of the foregoing embodiment, in this embodiment, the step 202 of verifying the certificate information in the SSL connection request information according to pre-stored certificate verification information specifically includes:
and in the case of failure of the authentication, prohibiting access of the first client.
It should be further noted that if the certificate information in the SSL connection request information sent by the first client does not match the pre-stored certificate verification information, that is, does not match any one or more of the pre-stored identification information of the SSL certificate, the validity time information and the issuing information of the CA certificate, the access of the first client is prohibited.
Specifically, the SSL module verifies the certificate information in the SSL connection request information according to pre-stored certificate verification information, and prohibits the access of the first client if the verification fails.
For example, the SSL module in the terminal management system of an information technology company verifies the certificate information in SSL connection request information initiated by employee A from the computer with identity code 01 against the pre-stored SSL certificate's identification information, validity time information, and CA certificate issuing information. In the certificate information of employee A's computer with identity code 01, the identification information is identity code 01, the validity time information is 1/2021 to 1/2022, and the CA certificate issuing information is organization A. After comparison with the certificate verification information pre-stored in the SSL module, the certificate of employee A's computer with identity code 01 is found to be expired, that is, outside its validity time; the verification therefore fails, and access of the computer with identity code 01 used by employee A is prohibited.
This embodiment provides a client access control method applied to the SSL module of a terminal management system, which verifies the certificate information in the SSL connection request information against pre-stored certificate verification information and prohibits access of the first client when the certificate information fails verification. This avoids the problem of a client still being able to access with an expired certificate or with incorrect identity information or issuing information, so that client access is ensured more safely and effectively.
Based on the content of the foregoing embodiment, in this embodiment, in step 204, the receiving a status analysis result of the first client certificate status obtaining request information by the CA service module, and controlling access of the first client according to the status analysis result may specifically be implemented by:
allowing access of the first client when the state analysis result is normal;
prohibiting access of the first client when the state analysis result is revoked or forged.
Specifically, the SSL module receives the CA service module's state analysis result for the first client certificate state acquisition request information and controls access of the first client according to it: access of the first client is allowed when the state analysis result is normal, and prohibited when the state analysis result is revoked or forged.
For example, the SSL module in the terminal management system of an information technology company verifies the certificate information in SSL connection request information initiated by employee A from the computer with identity code 01 and by employee B from the computer with identity code 02 against the identification information, validity time information, and CA certificate issuing information. In the certificate information of employee A's computer with identity code 01, the identification information is identity code 01, the validity time information is 1/2021-1/2023, and the CA certificate issuing information is organization A; in the certificate information of employee B's computer with identity code 02, the identification information is identity code 02, the validity time information is 1/2021-1/2022, and the CA certificate issuing information is organization A. Comparison with the certificate verification information pre-stored in the SSL module finds that the certificate information of employee A's computer with identity code 01 passes verification, so access of that computer is allowed, while the certificate of employee B's computer with identity code 02 is expired, that is, outside its validity time, so the verification fails and access of the computer with identity code 02 used by employee B is prohibited.
This embodiment provides a client access control method applied to the SSL module of a terminal management system, which allows access of the first client when the state analysis result is normal and prohibits access of the first client when the state analysis result is revoked or forged. This addresses the problems of existing terminal management systems, which implement client access control in the application layer with insufficient security and efficiency and with increased complexity of the application layer software implementation.
Fig. 3 is a schematic flowchart of another client access control method provided in this embodiment, and referring to fig. 3, the method is applied to a CA service module, and includes:
step 301: receiving first client certificate state acquisition request information sent by an SSL module;
step 302: performing state analysis on the first client certificate state acquisition request information, and sending the state analysis result to the SSL (secure sockets layer) module so that the SSL module controls access of the first client according to the state analysis result.
It should be further noted that the CA service module exists in the terminal management system.
Specifically, the CA service module receives first client certificate status acquisition request information sent by the SSL module, performs status analysis on the first client certificate status acquisition request information, and sends a status analysis result to the SSL module, so that the SSL module controls access of the first client according to the status analysis result.
For example, the CA service module in the terminal management system of an information technology company receives, from the SSL module, certificate state acquisition request information for the computer with identity code 01; it then performs state analysis on that request information and sends the state analysis result to the SSL module, so that the SSL module controls access of the computer with identity code 01 according to the state analysis result.
This embodiment provides a client access control method applied to the CA service module of a terminal management system. The CA service module receives first client certificate state acquisition request information sent by the SSL module, performs state analysis on it, and sends the state analysis result to the SSL module so that the SSL module controls access of the first client according to the state analysis result. This addresses the problems of existing terminal management systems, which implement client access control in the application layer with insufficient security and efficiency and with increased complexity of the application layer software: the implementation of the client access control requirement is moved from the application layer of the system to the SSL connection layer, which is more secure and efficient and also reduces the implementation complexity of the application layer software.
Based on the content of the foregoing embodiment, in this embodiment, in step 302, the performing state analysis on the first client certificate state obtaining request information, and sending a state analysis result to the SSL module may specifically be implemented as follows:
performing state analysis on the first client certificate state acquisition request information according to pre-stored SSL certificate state information, and returning a state analysis result of SSL certificate revoked or forged to the SSL module when the state analysis result is abnormal;
returning a state analysis result of SSL certificate state normal to the SSL module when the state analysis result is normal.
The pre-stored SSL certificate state information is the information used to analyze and verify whether the client certificate is in a revoked or suspected-forged state.
Specifically, the CA service module performs state analysis on the first client certificate state acquisition request information according to the pre-stored SSL certificate state information, returns a state analysis result of SSL certificate revoked or forged to the SSL module when the state analysis result is abnormal, and returns a state analysis result of SSL certificate state normal to the SSL module when the state analysis result is normal.
For example, the CA service module performs state analysis on the certificate state acquisition request information for employee A's computer with identity code 01 according to the pre-stored SSL certificate state information. When the state analysis result is abnormal, it returns a state analysis result of SSL certificate revoked or forged to the SSL module; in that case, even if the certificate information in the SSL connection request information sent by employee A's computer with identity code 01 matches the pre-stored certificate verification information, that is, even if the verification passes, the computer with identity code 01 cannot access. When the state analysis result is normal, it returns a state analysis result of SSL certificate state normal to the SSL module, and the computer with identity code 01 can access.
This embodiment provides a client access control method applied to the CA (certificate authority) service module of a terminal management system. The CA service module performs state analysis on the first client certificate state acquisition request information according to the pre-stored SSL (secure sockets layer) certificate state information, returns a state analysis result of SSL certificate revoked or forged to the SSL module when the state analysis result is abnormal, and returns a state analysis result of SSL certificate state normal to the SSL module when the state analysis result is normal. This avoids the problem of a client accessing normally after its certificate has been revoked midway or when the client certificate is forged; by providing the CA service module, client access is realized more safely and efficiently.
Based on the content of the foregoing embodiment, in this embodiment, the client access control method is applied to a CA service module, and specifically includes:
receiving a certificate configuration file of a second client sent by a server program module;
generating an SSL certificate of a second client and state information of the SSL certificate of the second client according to a certificate configuration file of the second client, and locally storing the SSL certificate and the state information;
sending the SSL certificate of the second client to the server program module, so that the server program module issues the SSL certificate of the second client to the second client.
The SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client; identification information of the second client, such as the identity ID of the user's computer.
It should be further noted that, to distinguish it from the first client to be verified that initiates the SSL connection request message, the second client is a client that needs an SSL certificate generated, that is, a client that has not yet been issued an SSL certificate. For example, a company provides a new computer for a newly enrolled employee C; the new computer has no SSL certificate yet, so an SSL certificate needs to be issued to employee C's new computer. The second client may be communicatively connected to the server program module in a wired or wireless manner, and may be any electronic device capable of such a connection, such as a mobile phone, a tablet computer, a computer, or a company-dedicated electronic device, without specific limitation here.
Specifically, the CA service module receives the certificate configuration file of the second client sent by the server program module; generates the SSL certificate of the second client and the state information of that SSL certificate according to the certificate configuration file, and stores the SSL certificate and the state information locally, where the SSL certificate of the second client comprises the identification information of the second client and the valid time information of the SSL certificate; and sends the SSL certificate of the second client to the server program module, so that the server program module issues the SSL certificate of the second client to the second client.
For example, the CA service module receives the certificate configuration file of the new computer used by employee C sent by the server program module; it generates the SSL certificate of employee C's new computer and the state information of that SSL certificate according to the certificate configuration file, and stores the SSL certificate and the state information locally. The SSL certificate of employee C's new computer comprises the identification information of the new computer, namely identity code 03, and the valid time information of the SSL certificate, which is 1/2022-1/2024. The CA service module then sends the SSL certificate of employee C's new computer to the server program module, so that the server program module issues the SSL certificate to employee C's new computer.
This embodiment provides a client access control method applied to the CA (certificate authority) service module of a terminal management system. The CA service module receives the certificate configuration file of a second client sent by the server program module; generates the SSL certificate of the second client and the state information of that SSL certificate according to the certificate configuration file, and stores them locally, where the SSL certificate of the second client comprises the identification information of the second client and the valid time information of the SSL certificate; and sends the SSL certificate of the second client to the server program module, so that the server program module issues the SSL certificate to the second client. Issuance of SSL certificates to new clients is thus realized by providing the CA service module, the implementation of the client access control requirement is moved down from the application layer of the system to the SSL connection layer, security and efficiency are higher, and the implementation complexity of the application layer software is reduced.
Based on the content of the foregoing embodiment, in this embodiment, the client access control method is applied to a CA service module, and the method further includes:
receiving an instruction, sent by the server program module, to revoke the SSL certificate of a third client.
Wherein the third client is a client which already has the SSL certificate issued by the CA service module but needs to be de-authorized by the CA service module.
It should be further noted that the SSL certificate of the third client may be found among the SSL certificates of issued clients by entering the identification information of the third client, or by means of the locally stored SSL certificate of the second client mentioned above.
It can be understood that once the status of the third client's SSL certificate is the revoked status, the third client cannot access even though it owns an SSL certificate issued by the CA service module that is still within its authorized validity period.
Specifically, the CA service module receives an instruction sent by the server program module to revoke the SSL certificate of the third client.
For example, when employee D of an information technology company is dismissed for leaking company secrets, the SSL certificate previously issued by the CA service module of the company's terminal management system is still within its validity period, so employee D could still log in from that computer even after leaving the company. For security, the company operates the terminal management system at the moment employee D is dismissed: the CA service module receives the instruction, sent by the server program module, to revoke the SSL certificate of the computer with identity code 04, searches the issued client SSL certificates for the SSL certificate of the computer with identity code 04 used by employee D, and sets the state of that SSL certificate to the revoked state, so that employee D's computer cannot access even though its SSL certificate is still within the validity period.
In this embodiment, the CA service module receives an instruction sent by the server program module to revoke the SSL certificate of a third client. By providing the CA service module, revocation of a client's SSL certificate is realized and the problem of a client accessing normally after its certificate has been revoked midway is avoided, so that client access is controlled more safely and efficiently.
Fig. 4 is a schematic flowchart of another client access control method provided in this embodiment, and referring to fig. 4, the method is applied to a server program module, and the method includes:
step 401: generating a certificate configuration file for the second client, and sending the certificate configuration file of the second client to the CA service module, so that the CA service module generates an SSL (secure sockets layer) certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client;
step 402: receiving the SSL certificate of the second client from the CA service module, and sending the SSL certificate of the second client to the second client.
The certificate configuration file generated by the server program module for the second client includes identification information of the second client, such as an identity ID of a user computer, or an authorization validity date of the client, and related information that can determine whether the client can access the server.
Specifically, the server program module generates a certificate configuration file for the second client, and sends the certificate configuration file of the second client to the CA service module, so that the CA service module generates an SSL certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client; and receiving the SSL certificate of the second client from the CA service module, and sending the SSL certificate of the second client to the second client.
For example, the server program module of an information technology company generates a certificate configuration file for the new computer of newly enrolled employee C and sends it to the CA service module, so that the CA service module generates the SSL certificate of employee C's new computer according to that certificate configuration file. The identification information of employee C's new computer is identity code 03, and the valid time information of its SSL certificate is from 1/2022 to 1/2024. The server program module then receives the SSL certificate of employee C's new computer from the CA service module and sends it to employee C's new computer.
This embodiment provides a client access control method applied to the server program module of a terminal management system. The server program module generates a certificate configuration file for a second client and sends it to the CA service module, so that the CA service module generates the SSL certificate of the second client according to that certificate configuration file, where the SSL certificate of the second client comprises the identification information of the second client and the valid time information of the SSL certificate; it then receives the SSL certificate of the second client from the CA service module and sends it to the second client. Issuance of SSL certificates to new clients is thus realized, and client access is controlled more safely and efficiently.
Based on the content of the foregoing embodiment, in this embodiment, the client access control method is applied to a server program module, and the method further includes:
sending an instruction to revoke the SSL certificate of a third client to the CA service module.
It should be further noted that, before the server program module sends the instruction to revoke the SSL certificate of the third client to the CA service module, the person in charge of the terminal management system may operate and control the server program module through relevant operations, such as a relevant icon or key that issues the instruction, so that the server program module sends the instruction to revoke the SSL certificate of the third client to the CA service module.
Specifically, the server program module sends an instruction to revoke the SSL certificate of the third client to the CA service module.
In this embodiment, the server program module sends an instruction to revoke the SSL certificate of a third client to the CA service module, so that the client's SSL certificate is revoked and the problem of a client accessing normally after its certificate has been revoked midway is avoided, and client access is thereby controlled more safely and efficiently.
Based on the content of the foregoing embodiment, in this embodiment, the client access control method is applied to a server program module, and the method further includes:
configuring the CA certificate and the address information of the CA service module for the SSL module, and starting the SSL module;
wherein the CA certificate is the public key used by the CA service module when issuing the SSL certificate of the second client.
It should be further noted that the CA certificate that the server program module configures for the SSL module is used for comparison verification against the certificate information in the SSL connection request information sent by the client to be verified, determining whether the CA certificate issuing information in the certificate of the client requesting access matches the CA certificate configured in the SSL module.
Specifically, the server program module configures the CA certificate and the address information of the CA service module for the SSL module, and starts the SSL module, where the CA certificate is the public key used by the CA service module when issuing the SSL certificate of the second client.
This embodiment provides a client access control method applied to the server program module of a terminal management system. The server program module configures the CA certificate and the address information of the CA service module for the SSL module and starts the SSL module, where the CA certificate is the public key used by the CA service module when issuing the SSL certificate of the second client. The implementation of the client access control requirement is thus moved from the application layer of the system to the SSL connection layer, security and efficiency are higher, and the implementation complexity of the application layer software is reduced.
Fig. 5 is a schematic flowchart of another client access control method provided in this embodiment, and referring to fig. 5, the method specifically includes a client certificate issuing and authentication process:
preparing a CA certificate, which may be self-signed or issued by an authority;
starting the CA service program, which signs and issues client certificates using the CA certificate;
configuring the CA certificate and the URL of the CA's OCSP service program into the SSL module, and starting the SSL module; OCSP is the Online Certificate Status Protocol, which specifies the communication syntax between server and client applications and was created to query the status of digital certificates in place of a Certificate Revocation List (CRL) in a Public Key Infrastructure (PKI) system: when a client attempts to access a server, the protocol sends a request for certificate status information, and the server replies with a "valid", "expired" or "unknown" response;
when a client is deployed, the server program generates a certificate configuration file for the client, which includes, but is not limited to, filling the client's unique identifier (such as a machine ID) into the CN field of the certificate subject and filling the Validity field of the certificate according to the authorization date;
the server program calls the CA service program interface, passing the client certificate configuration file, to generate the client certificate;
the client connects to the server using the SSL certificate;
the SSL module verifies the certificate, checking whether the certificate was issued by the server, whether it has been revoked, and whether it is within its validity period, to determine whether the client is allowed to access.
Fig. 6 is a schematic flowchart of another method for controlling client access provided in this embodiment, and referring to fig. 6, the method is a flow for prohibiting client access, and specifically includes:
a certain client is to be prohibited from accessing, for example by forcibly cancelling its authorization;
the server program calls the CA's API to revoke the certificate corresponding to the client, passing the certificate subject and the certificate serial number, and the CA sets the certificate to the revoked state;
the client continues to try to establish a connection using the certificate that the server side has already revoked;
the SSL module queries the certificate state through OCSP, finds that the certificate has been revoked, refuses the connection, and returns an error message.
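The issuance and verification flow of Fig. 5 and the revocation flow of Fig. 6 (and the verification-failure, state-analysis, issuance and revocation steps described in the embodiments above), as an added Go example written for this page; it is not code from the patent or from its assignees' products. The CA name, the CA lifetime, the machine ID "03" and the dates are constructed; the `CAService`, `SSLModule`, `Issue`, `Revoke`, `Status` and `Admit` names are assumptions, and an in-process call to the CA's status table stands in for the OCSP URL that the page configures into the SSL module. The client certificate carries the machine ID in the subject CN and the authorization dates in Validity, exactly as the certificate configuration file in step 259 prescribes; a serial that the CA never issued is reported as forged, which is the page's third state.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertStatus models the page's "state analysis result": normal, revoked or forged (a serial this CA never issued).
type CertStatus string

const StatusNormal, StatusRevoked, StatusForged CertStatus = "normal", "revoked", "forged"

// CAService stands in for the CA service module: CA key pair and certificate, plus the local
// per-serial status table that its OCSP responder would answer from.
type CAService struct {
	Key    *ecdsa.PrivateKey
	Cert   *x509.Certificate
	status map[string]CertStatus
}

// sign generates a key pair and a certificate for tmpl signed by parent; a nil parentKey means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCAService prepares a self-signed CA certificate (the page allows self-signed or authority-issued).
func NewCAService(name string) (*CAService, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore:    time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), // constructed CA lifetime
		NotAfter:     time.Date(2040, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, key, err := sign(tmpl, tmpl, nil)
	if err != nil {
		return nil, err
	}
	return &CAService{Key: key, Cert: cert, status: map[string]CertStatus{}}, nil
}

// Issue turns the certificate configuration file (machine ID into the subject CN, authorization
// dates into Validity) into a client certificate and records its status locally.
func (ca *CAService) Issue(machineID string, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // random 127-bit serial
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: machineID},
		NotBefore:    notBefore, NotAfter: notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, key, err := sign(tmpl, ca.Cert, ca.Key)
	if err == nil {
		ca.status[serial.String()] = StatusNormal
	}
	return cert, key, err
}

// Revoke applies the server program's revoke instruction; Status is the state analysis.
func (ca *CAService) Revoke(serial *big.Int) { ca.status[serial.String()] = StatusRevoked }

func (ca *CAService) Status(serial *big.Int) CertStatus {
	if s, ok := ca.status[serial.String()]; ok {
		return s
	}
	return StatusForged
}

// SSLModule stands in for the SSL module: it holds the configured CA certificate and, in place of
// the OCSP URL, a direct handle on the CA service.
type SSLModule struct {
	CACert *x509.Certificate
	CA     *CAService
}

// Admit runs the page's two stages: local verification of issuer, validity period and
// identification, then the certificate status query to the CA service.
func (m *SSLModule) Admit(cert *x509.Certificate, expectedID string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(m.CACert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("verification failed: %w", err) // not issued by our CA, or outside validity
	}
	if cert.Subject.CommonName != expectedID {
		return fmt.Errorf("verification failed: identification %q != %q", cert.Subject.CommonName, expectedID)
	}
	if s := m.CA.Status(cert.SerialNumber); s != StatusNormal {
		return fmt.Errorf("access prohibited: certificate status is %s", s)
	}
	return nil
}

func main() {
	ca, _ := NewCAService("Organization A CA")
	now := time.Now()
	cert, _, _ := ca.Issue("03", now, now.AddDate(2, 0, 0)) // constructed: employee C's computer
	ssl := &SSLModule{CACert: ca.Cert, CA: ca}
	fmt.Println("before revocation:", ssl.Admit(cert, "03", now))
	ca.Revoke(cert.SerialNumber)
	fmt.Println("after revocation:", ssl.Admit(cert, "03", now))
}
```

`Admit` deliberately runs the cheap local checks (issuer chain, validity window, CN against the expected machine ID) before the status lookup, mirroring the page's order: the status request is only generated once the local verification passes. In a real deployment the `Status` call is the OCSP query to the URL configured into the SSL module, and the check is performed on the connection layer (for example by a web server's client-certificate verification) rather than by application code.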
Fig. 7 is a block diagram of a structure of a client access control apparatus provided in this embodiment, where the apparatus includes a first receiving module 701, a verifying module 702, a first sending module 703, and a first control module 704, where:
a first receiving module 701, configured to receive SSL connection request information initiated by a first client; wherein the SSL connection request information is generated based on a preset SSL certificate and a CA certificate of the first client;
SSL is a secure network connection layer and the current standard method of secure access; it is a security protocol that provides security and data integrity for network communication, and it encrypts the network connection directly between the transport layer and the application layer, ensuring that data is delivered to the correct client and server and preventing it from being stolen in transit. The SSL module is standard and generic; for example, SSL client authentication can be done directly with nginx.
It should be further noted that the SSL certificate of the first client may be an issued SSL certificate, such as a self-issued SSL certificate or an SSL certificate issued by an authority, or a revoked SSL certificate. The first client is the client to be verified; it is an Agent program deployed on a Windows or Linux host and managed by the server. The first client may be communicatively connected to the terminal management system to which the SSL module belongs in a wired or wireless manner, and may send SSL connection request information to the SSL module from a mobile phone, a tablet computer, a computer, or a company-dedicated electronic device.
Specifically, the first client sends SSL connection request information to the SSL module, and the SSL module receives SSL connection request information initiated by the first client.
For example, an information technology company provides a dedicated computer for each of its employees; employee A sends SSL connection request information to the SSL module of the company's terminal management system from the computer with identity code 01, and the SSL module receives the SSL connection request information initiated by employee A from the computer with identity code 01.
A verification module 702, configured to verify certificate information in the SSL connection request information according to pre-stored certificate verification information, and generate first client SSL certificate status acquisition request information when the verification passes;
the pre-stored certificate verification information comprises pre-stored identification information of the SSL certificate, valid time information and issuing information of the CA certificate.
Specifically, the SSL module verifies the certificate information in the SSL connection request information according to pre-stored certificate verification information, and generates first client SSL certificate status acquisition request information when the verification passes.
For example, the SSL module in the terminal management system of an information technology company verifies the certificate information in SSL connection request information initiated by employee A from the computer with identity code 01 against the pre-stored SSL certificate's identification information, validity time information, and CA certificate issuing information. In the certificate information of employee A's computer with identity code 01, the identification information is identity code 01, the validity time information is January 1, 2021 to January 1, 2023, and the CA certificate issuing information is organization A. After comparison with the certificate verification information pre-stored in the SSL module, the certificate information of employee A's computer with identity code 01 passes verification, and SSL certificate state acquisition request information for the computer with identity code 01 is then generated.
A first sending module 703, configured to send the first client certificate status acquisition request information to a CA service module;
the CA is a certificate authority, and can issue various digital certificates, the certificate issued by the CA authority can be a CA certificate, the SSL certificate is one of the certificates issued by the CA authority, and the certificate issued by the CA authority can be a mail certificate, an encryption certificate, or a software digital certificate, which is not limited specifically herein.
It should be further noted that when the first client certificate information passes verification, that is, the first client holds a certificate, the certificate is within its validity period and the issuer information is correct, it still cannot be determined whether the certificate is in a revoked or counterfeit state. In this case, in order to prevent a client whose certificate has been revoked or is suspected of being counterfeit from gaining access, it is necessary to go further and send the first client certificate status acquisition request information to the CA service module.
Specifically, according to the pre-stored certificate verification information, under the condition that the certificate information in the SSL connection request information sent by the first client matches the certificate verification information pre-stored in the SSL module, that is, the verification passes, the SSL module generates first client SSL certificate status acquisition request information, and sends the first client certificate status acquisition request information to the CA service module.
For example, an SSL module in a terminal management system of an information technology company generates, according to pre-stored certificate verification information, first client SSL certificate status acquisition request information when certificate information in SSL connection request information sent by employee a through a computer with an identity code of 01 matches the certificate verification information pre-stored in the SSL module, that is, the verification passes, and the SSL module sends the first client SSL certificate status acquisition request information to a CA service module.
A first control module 704, configured to receive a status analysis result of the first client certificate status obtaining request information obtained by the CA service module, and control access of the first client according to the status analysis result.
The status analysis result may be a normal state, a revoked state or a counterfeit state; access of the first client is allowed when the status analysis result is normal, and access of the first client is prohibited when the status analysis result is revoked or counterfeit.
Specifically, the SSL module receives a status analysis result of the first client certificate status acquisition request message from the CA service module, and controls access of the first client according to the status analysis result.
For example, an SSL module in the terminal management system of an information technology company receives from the CA service module the status analysis result of the certificate status acquisition request information for the computer with identity code 01 used by employee a, and controls access of that computer according to the status analysis result.
The embodiment provides a client access control device, which is applied to an SSL module of a terminal management system, and the first receiving module 701 is configured to receive SSL connection request information initiated by a first client; wherein the SSL connection request information is generated based on a preset SSL certificate and a CA certificate of the first client; a verification module 702, configured to verify certificate information in the SSL connection request information according to pre-stored certificate verification information, and generate first client SSL certificate status acquisition request information when the verification passes; a first sending module 703, configured to send the first client certificate status acquisition request information to a CA service module; the first control module 704 is configured to receive a state analysis result of the CA service module for obtaining the request information for the certificate state of the first client, and control the access of the first client according to the state analysis result, so that the problems that the existing terminal management system is not safe and efficient enough to control the client access in an application layer, and complexity of application layer software implementation is increased are solved, and by moving the implementation of the client access control requirement from the application layer of the system to an SSL connection layer, the system is safer and more efficient, and complexity of implementation of application layer software is also reduced.
Optionally, the verification module 702 further includes:
prohibiting access of the first client when the verification fails.
The embodiment provides a client access control method, which is applied to an SSL module of a terminal management system, verifies the certificate information in the SSL connection request information according to pre-stored certificate verification information, and prohibits access of the first client when the verification fails, so that the problem of a client still gaining access when its certificate has expired or its identification information or issuing information is incorrect is avoided, and client access is controlled more safely and efficiently.
Optionally, the first control module 704 specifically includes:
the first client is allowed to access under the condition that the state analysis result is normal;
and if the state analysis result is a revoke or a fake, forbidding the access of the first client.
The embodiment provides a client access control method, which is applied to an SSL module of a terminal management system, and allows access of the first client when the status analysis result is normal; when the status analysis result is revocation or counterfeiting, access of the first client is prohibited, so that the problems that the existing terminal management system implements client access control in the application layer, is not safe and efficient enough, and increases the implementation complexity of application layer software are solved.
Optionally, the pre-stored certificate verification information in the verification module 702 includes:
the method comprises the steps of pre-storing identification information of the SSL certificate, valid time information and issuing information of the CA certificate.
Fig. 8 is a block diagram of another structure of a client access control apparatus provided in this embodiment, where the apparatus includes a second receiving module 801 and a second control module 802, where:
a second receiving module 801, configured to receive first client certificate status acquisition request information sent by the SSL module;
the second control module 802 is configured to perform state analysis on the first client certificate state acquisition request information, and send a state analysis result to the SSL module, so that the SSL module controls access of the first client according to the state analysis result.
It should be further noted that the CA service module exists in the terminal management system.
Specifically, the CA service module receives first client certificate status acquisition request information sent by the SSL module, performs status analysis on the first client certificate status acquisition request information, and sends a status analysis result to the SSL module, so that the SSL module controls access of the first client according to the status analysis result.
For example, a CA service module in a terminal management system of an information technology company receives certificate status acquisition request information of a computer with an identity code of 01 sent by an SSL module; after receiving the certificate state acquisition request information of the computer with the identity code of 01 sent by the SSL module, performing state analysis on the certificate state acquisition request information of the computer with the identity code of 01, and sending a state analysis result to the SSL module, so that the SSL module controls the access of the computer with the identity code of 01 according to the state analysis result.
The embodiment provides a client access control device, which is applied to a CA service module of a terminal management system, and the second receiving module 801 is configured to receive first client certificate status acquisition request information sent by an SSL module; the second control module 802 is configured to perform state analysis on the certificate state acquisition request information of the first client, and send a state analysis result to the SSL module, so that the SSL module controls access of the first client according to the state analysis result, thereby solving the problems that the existing terminal management system is not safe and efficient enough to control access of the client in an application layer, and complexity of application layer software implementation is increased.
Optionally, the second control module 802 specifically includes:
performing status analysis on the first client certificate status acquisition request information according to pre-stored status information of the SSL certificate, and returning a status analysis result of SSL certificate revoked or forged to the SSL module when the status analysis result is abnormal;
and returning a status analysis result of SSL certificate status normal to the SSL module when the status analysis result is normal.
The embodiment provides a client access control device, which is applied to a CA service module of a terminal management system, and is used for performing status analysis on the first client certificate status acquisition request information according to pre-stored status information of the SSL certificate, and returning a status analysis result of SSL certificate revoked or counterfeit to the SSL module when the status analysis result is abnormal; when the status analysis result is normal, a status analysis result of SSL certificate status normal is returned to the SSL module, so that the problem of a client still gaining normal access after its certificate has been revoked midway or forged is avoided, and by arranging the CA service module, client access is controlled more safely and efficiently.
Optionally, the apparatus further comprises:
receiving a certificate configuration file of the second client sent by the server program module;
generating an SSL certificate of a second client and state information of the SSL certificate of the second client according to a certificate configuration file of the second client, and locally storing the SSL certificate and the state information; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client;
and sending the SSL certificate of the second client to the server program module so as to sign the SSL certificate of the second client to the second client through the server program module.
The embodiment provides a client access control device, which is applied to a CA service module of a terminal management system and used for receiving a certificate configuration file of a second client sent by a server program module; generating an SSL certificate of a second client and state information of the SSL certificate of the second client according to a certificate configuration file of the second client, and locally storing the SSL certificate and the state information; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client; the SSL certificate of the second client is sent to the server program module, so that the SSL certificate of the second client is signed to the second client through the server program module, the signing of the SSL certificate of the new client is realized by setting the CA service module, the realization of the client access control requirement is moved down to the SSL connection layer from the application layer of the system, the security and the efficiency are higher, and the realization complexity of application layer software is reduced.
Optionally, the apparatus further comprises:
receiving an instruction sent by the server program module for revoking the SSL certificate of the third client;
searching for the SSL certificate of the third client among the SSL certificates of the issued clients;
and setting the status information of the SSL certificate of the third client to the revoked status.
The embodiment provides a client access control device, in which the CA service module receives an instruction sent by the server program module for revoking the SSL certificate of the third client; by arranging the CA service module, revocation of a client's SSL certificate is realized, and the problem of a client still gaining normal access after its certificate has been revoked midway is avoided, so that client access is controlled more safely and efficiently.
Fig. 9 is a block diagram of a structure of another client access control apparatus provided in this embodiment, where the apparatus includes a generating module 901 and a second sending module 902, where:
a generating module 901, configured to generate a certificate configuration file for the second client, and send the certificate configuration file of the second client to the CA service module, so that the CA service module generates an SSL certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client;
a second sending module 902, configured to receive the SSL certificate of the second client from the CA service module, and send the SSL certificate of the second client to the second client.
The certificate configuration file generated by the server program module for the second client includes identification information of the second client, such as an identity ID of a user computer, or an authorization validity date of the client, and related information that can determine whether the client can access the server.
Specifically, the server program module generates a certificate configuration file for the second client, and sends the certificate configuration file of the second client to the CA service module, so that the CA service module generates an SSL certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client; and receiving the SSL certificate of the second client from the CA service module, and sending the SSL certificate of the second client to the second client.
For example, a server program module of an information technology company generates a certificate configuration file for the new computer of a newly enrolled employee C, and sends the certificate configuration file of employee C's new computer to the CA service module, so that the CA service module generates an SSL certificate for employee C's new computer according to that certificate configuration file; the identification information of employee C's new computer is identity code 03, and the valid time information of the SSL certificate of employee C's new computer is from January 2022 to January 2024. The server program module then receives the SSL certificate of employee C's new computer from the CA service module, and sends it to employee C's new computer.
The embodiment provides a client access control device, which is applied to a server program module of a terminal management system, and the generating module 901 is configured to generate a certificate configuration file for a second client, and send the certificate configuration file of the second client to a CA service module, so that the CA service module generates an SSL certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client; the second sending module 902 is configured to receive the SSL certificate of the second client from the CA service module, and send the SSL certificate of the second client to the second client, so as to implement issuance of a new SSL certificate of the client, thereby controlling access of the client more safely and efficiently.
Optionally, the apparatus further comprises:
sending an instruction for revoking the SSL certificate of the third client to the CA service module.
The embodiment provides a client access control device, in which the server program module sends an instruction for revoking the SSL certificate of the third client to the CA service module, so that revocation of a client's SSL certificate is realized and the problem of a client still gaining normal access after its certificate has been revoked midway is avoided, thereby controlling client access more safely and efficiently.
Optionally, the apparatus further comprises:
configuring a CA certificate and address information of the CA service module for the SSL module, and starting the SSL module; wherein the CA certificate is the public key used by the CA service module when issuing the SSL certificate of the second client.
The embodiment provides a client access control method, which is applied to a server program module of a terminal management system, configures a CA certificate and address information of the CA service module for the SSL module, and starts the SSL module; the CA certificate is the public key used by the CA service module when issuing the SSL certificate of the second client. Implementation of the client access control requirement is thus moved down from the application layer of the system to the SSL connection layer, which is safer and more efficient and reduces the implementation complexity of application layer software.
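As an added illustration of what configuring the SSL module at the SSL connection layer looks like in practice (example code written for this page, not the patent's or the assignees' implementation), the following Python uses the standard `ssl` module: the server-side context is loaded with the CA certificate and requires every connecting client to present a certificate that chains to it, and the dictionary that `getpeercert()` returns for the verified client certificate is reduced to the identification, valid time and issuing information that the verification step consumes. The function names, the certificate file paths and the `SAMPLE_PEER_CERT` dictionary are constructed assumptions; the CA service module's address is not modelled here.

```python
import ssl
from datetime import date, datetime, timezone


def build_server_context(ca_certificate_path: str, server_cert_path: str, server_key_path: str) -> ssl.SSLContext:
    """Server-side TLS context: trusts the configured CA certificate and rejects, during the
    handshake, any client that does not present a certificate chaining to it.
    The three paths are assumptions (the page names no files)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED                       # a client certificate is mandatory
    ctx.load_verify_locations(cafile=ca_certificate_path)     # the CA certificate: the CA's public key
    ctx.load_cert_chain(certfile=server_cert_path, keyfile=server_key_path)
    return ctx


def _rdn_to_dict(rdns) -> dict:
    """getpeercert() encodes a name as a tuple of RDNs, each a tuple of (attribute, value) pairs."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def _cert_time_to_date(cert_time: str) -> date:
    """Convert the 'Jan  1 00:00:00 2023 GMT' strings in getpeercert() output to a date."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc).date()


def extract_certificate_info(peer_cert: dict) -> dict:
    """Reduce a getpeercert() dictionary (populated only when verify_mode != CERT_NONE)
    to the fields the SSL module compares with its pre-stored verification information."""
    subject = _rdn_to_dict(peer_cert["subject"])
    issuer = _rdn_to_dict(peer_cert["issuer"])
    return {
        "client_id": subject.get("commonName", ""),                 # identification information
        "serial": peer_cert["serialNumber"],
        "not_before": _cert_time_to_date(peer_cert["notBefore"]),   # valid time information
        "not_after": _cert_time_to_date(peer_cert["notAfter"]),
        "issuer": issuer.get("organizationName", ""),               # issuing information of the CA
    }


def peer_certificate_info(sock: ssl.SSLSocket) -> dict:
    """Called on an accepted connection once the handshake has verified the client certificate."""
    return extract_certificate_info(sock.getpeercert())


# Constructed sample in the shape getpeercert() returns; the values reuse the text's example
# (identity code 01, organization a, valid January 1, 2021 to January 1, 2023).
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "01"),),),
    "issuer": ((("organizationName", "organization a"),),),
    "serialNumber": "0A1B2C",
    "notBefore": "Jan  1 00:00:00 2021 GMT",
    "notAfter": "Jan  1 00:00:00 2023 GMT",
    "version": 3,
}
```

Because the context sets `CERT_REQUIRED`, a client without a certificate, or with one not signed by the configured CA certificate, is rejected inside the handshake and never reaches application code; only the clients that survive that step have a populated `getpeercert()` dictionary for the status request to the CA service module.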
Fig. 10 is a block diagram of a structure of a client access control system provided in this embodiment, where the system includes an SSL module, a CA service module, and a server program module, where:
the SSL module is used for receiving SSL connection request information initiated by the first client; wherein the SSL connection request information is generated based on a preset SSL certificate and a CA certificate of the first client; verifying the certificate information in the SSL connection request information according to prestored certificate verification information, and generating SSL certificate state acquisition request information of a first client under the condition that the verification is passed; sending the first client certificate state acquisition request information to a CA service module; and receiving a state analysis result of the CA service module for acquiring the request information of the certificate state of the first client, and controlling the access of the first client according to the state analysis result.
The CA service module is used for receiving the first client certificate state acquisition request information sent by the SSL module; and performing state analysis on the first client certificate state acquisition request information, and sending a state analysis result to an SSL (secure socket layer) module so that the SSL module controls the access of the first client according to the state analysis result.
The server program module is used for generating a certificate configuration file for the second client and sending the certificate configuration file of the second client to the CA service module so that the CA service module generates an SSL (secure sockets layer) certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client; and receiving the SSL certificate of the second client from the CA service module, and sending the SSL certificate of the second client to the second client.
The embodiment provides a client access control system, which solves the problems that the existing terminal management system realizes the control of client access in an application layer, is not safe and efficient enough, and also increases the complexity of application layer software realization.
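To make the division of labour between the three modules concrete, here is an added, self-contained Python model of the system just summarized; it is example code written for this page, not the patent's or the assignees' implementation. It covers the SSL module's verification and access decision, the CA service module's issuance, status analysis and revocation, and the server program module's certificate configuration and revocation instruction. Real X.509 certificates, signatures and the TLS handshake are replaced by in-memory records: the `serial` field the CA assigns at issuance stands in for the signature as the thing a forger cannot reproduce, and the class and method names, the way the SSL module's pre-stored verification table is populated, and the `demo()` scenario values (which reuse the text's identity codes, dates and organization a) are all assumptions.

```python
import secrets
from dataclasses import dataclass, replace
from datetime import date

NORMAL, REVOKED, FORGED = "normal", "revoked", "forged"   # the three status analysis results


@dataclass(frozen=True)
class SSLCertificate:
    client_id: str    # identification information (e.g. identity code "01")
    not_before: date  # valid time information
    not_after: date
    issuer: str       # issuing information of the CA certificate
    serial: str       # assumption: random serial assigned by the CA at issuance


class CAServiceModule:
    """Issues certificates, stores a copy and a status for each, revokes, and answers status requests."""
    def __init__(self, name: str):
        self.name = name
        self._issued: dict[str, SSLCertificate] = {}  # locally stored certificate per client id
        self._status: dict[str, str] = {}             # locally stored status per client id

    def issue_certificate(self, config: dict) -> SSLCertificate:
        """Generate the second client's SSL certificate and its status from the configuration file."""
        cert = SSLCertificate(config["client_id"], config["not_before"], config["not_after"],
                              self.name, secrets.token_hex(8))
        self._issued[cert.client_id] = cert
        self._status[cert.client_id] = NORMAL
        return cert

    def revoke_certificate(self, client_id: str) -> bool:
        # Revocation instruction for the third client: find its certificate, mark it revoked.
        if client_id not in self._issued:
            return False
        self._status[client_id] = REVOKED
        return True

    def analyse_status(self, presented: SSLCertificate) -> str:
        """No stored copy, or any field differing from it (serial included), means not issued here."""
        stored = self._issued.get(presented.client_id)
        if stored is None or presented != stored:
            return FORGED
        return self._status[presented.client_id]


class SSLModule:
    """Connection-layer access control: local verification, then a status request to the CA."""
    def __init__(self, ca: CAServiceModule, trusted_issuer: str):
        self.ca, self.trusted_issuer = ca, trusted_issuer   # pre-stored issuing information
        self.expected_validity: dict[str, tuple[date, date]] = {}  # pre-stored id and valid time info

    def verify_certificate(self, cert: SSLCertificate, today: date) -> bool:
        expected = self.expected_validity.get(cert.client_id)
        if expected is None:                                # unknown identification information
            return False
        if (cert.not_before, cert.not_after) != expected:    # valid time information differs
            return False
        if not cert.not_before <= today <= cert.not_after:   # expired or not yet valid
            return False
        return cert.issuer == self.trusted_issuer            # issuing information must match

    def handle_connection(self, cert: SSLCertificate, today: date) -> tuple[bool, str]:
        """Returns (access allowed, reason); a verification failure never reaches the CA."""
        if not self.verify_certificate(cert, today):
            return False, "verification failed"
        status = self.ca.analyse_status(cert)   # certificate status acquisition request
        return status == NORMAL, status


class ServerProgramModule:
    """Writes certificate configuration files for new clients and sends revocation instructions."""
    def __init__(self, ca: CAServiceModule, ssl_module: SSLModule):
        self.ca, self.ssl_module = ca, ssl_module

    def enrol(self, client_id: str, not_before: date, not_after: date) -> SSLCertificate:
        config = {"client_id": client_id, "not_before": not_before, "not_after": not_after}
        cert = self.ca.issue_certificate(config)   # the returned certificate goes on to the new client
        # Assumption: the server program module also fills the SSL module's pre-stored
        # verification information; the text does not say how that table is populated.
        self.ssl_module.expected_validity[client_id] = (not_before, not_after)
        return cert

    def revoke(self, client_id: str) -> bool:
        return self.ca.revoke_certificate(client_id)


def demo() -> dict:
    """Constructed scenario reusing the text's example values (identity codes, dates, organization a)."""
    ca = CAServiceModule("organization a")
    ssl_module = SSLModule(ca, trusted_issuer="organization a")
    server = ServerProgramModule(ca, ssl_module)
    today = date(2022, 6, 1)
    cert01 = server.enrol("01", date(2021, 1, 1), date(2023, 1, 1))  # employee a's computer
    cert02 = server.enrol("02", date(2021, 1, 1), date(2023, 1, 1))
    cert03 = server.enrol("03", date(2022, 1, 1), date(2024, 1, 1))  # new employee C's computer
    server.revoke("02")
    forged01 = replace(cert01, serial="0" * 16)   # constructed forgery: only the serial is wrong
    return {
        "normal": ssl_module.handle_connection(cert01, today),
        "revoked": ssl_module.handle_connection(cert02, today),
        "forged": ssl_module.handle_connection(forged01, today),
        "expired": ssl_module.handle_connection(cert01, date(2024, 6, 1)),
        "bad_issuer": ssl_module.handle_connection(replace(cert03, issuer="organization b"), today),
    }
```

The ordering in `handle_connection` is the point of the text's two-stage design: an expired certificate or a wrong issuer is refused by the SSL module alone, while a certificate that passes every local check but was revoked midway, or that a forger assembled from the right identity code, dates and issuer name, is only caught by the CA service module's comparison with its locally stored copy and status.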
Fig. 11 is a schematic entity structure diagram of an electronic device according to an embodiment of the present invention, and as shown in fig. 11, the electronic device may include: a processor (processor)1110, a communication Interface (Communications Interface)1120, a memory (memory)1130, and a bus 1140, wherein the processor 1110, the communication Interface 1120, and the memory 1130 communicate with each other via the bus 1140. Bus 1140 may be used for information transfer between the electronic device and the sensor. Processor 1110 may call logic instructions in memory 1130 to perform the following method: the SSL module is used for receiving SSL connection request information initiated by the first client; wherein the SSL connection request information is generated based on a preset SSL certificate and a CA certificate of the first client; verifying the certificate information in the SSL connection request information according to prestored certificate verification information, and generating SSL certificate state acquisition request information of a first client under the condition that the verification is passed; sending the first client certificate state acquisition request information to a CA service module; receiving a state analysis result of the CA service module for acquiring request information of the certificate state of the first client, and controlling the access of the first client according to the state analysis result; the CA service module is used for receiving the first client certificate state acquisition request information sent by the SSL module; performing state analysis on the first client certificate state acquisition request information, and sending a state analysis result to an SSL (secure socket layer) module so that the SSL module controls the access of the first client according to the state analysis result; the server program module is used for generating a certificate configuration file for the second client and sending the certificate configuration file of the second client to the CA service module so that the CA service module generates an SSL (secure sockets layer) certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client; and receiving the SSL certificate of the second client from the CA service module, and sending the SSL certificate of the second client to the second client.
In addition, the logic instructions in the memory 1130 may be implemented in software functional units and stored in a computer readable storage medium when sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium, which stores computer instructions, where the computer instructions cause a computer to execute a client access control method provided in the foregoing embodiment, for example, including: the SSL module is used for receiving SSL connection request information initiated by the first client; wherein the SSL connection request information is generated based on a preset SSL certificate and a CA certificate of the first client; verifying the certificate information in the SSL connection request information according to prestored certificate verification information, and generating SSL certificate state acquisition request information of a first client under the condition that the verification is passed; sending the first client certificate state acquisition request information to a CA service module; receiving a state analysis result of the CA service module for acquiring request information of the certificate state of the first client, and controlling the access of the first client according to the state analysis result; the CA service module is used for receiving the first client certificate state acquisition request information sent by the SSL module; performing state analysis on the first client certificate state acquisition request information, and sending a state analysis result to an SSL (secure socket layer) module so that the SSL module controls the access of the first client according to the state analysis result; the server program module is used for generating a certificate configuration file for the second client and sending the certificate configuration file of the second client to the CA service module so that the CA service module generates an SSL (secure sockets layer) certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client; and receiving the SSL certificate of the second client from the CA service module, and sending the SSL certificate of the second client to the second client.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
In yet another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform a client access control method provided by the above methods, the method comprising: the SSL module is used for receiving SSL connection request information initiated by the first client; wherein the SSL connection request information is generated based on a preset SSL certificate and a CA certificate of the first client; verifying the certificate information in the SSL connection request information according to prestored certificate verification information, and generating SSL certificate state acquisition request information of a first client under the condition that the verification is passed; sending the first client certificate state acquisition request information to a CA service module; receiving a state analysis result of the CA service module for acquiring the request information of the certificate state of the first client, and controlling the access of the first client according to the state analysis result; the CA service module is used for receiving the first client certificate state acquisition request information sent by the SSL module; performing state analysis on the first client certificate state acquisition request information, and sending a state analysis result to an SSL (secure sockets layer) module so that the SSL module controls the access of the first client according to the state analysis result; the server program module is used for generating a certificate configuration file for the second client and sending the certificate configuration file of the second client to the CA service module so that the CA service module generates an SSL (secure sockets layer) certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client; and receiving the SSL certificate of the second client from the CA service module, and sending the SSL certificate of the second client to the second client.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (18)

1. A client access control method, comprising:
receiving SSL connection request information initiated by a first client; wherein the SSL connection request information is generated based on a preset SSL certificate and a CA certificate of the first client;
verifying the certificate information in the SSL connection request information according to prestored certificate verification information, and generating SSL certificate state acquisition request information of a first client under the condition that the verification is passed;
sending the first client certificate state acquisition request information to a CA service module;
and receiving a state analysis result of the CA service module for acquiring the request information of the certificate state of the first client, and controlling the access of the first client according to the state analysis result.
2. The client access control method of claim 1, further comprising:
and prohibiting access of the first client when the verification fails.
3. The client access control method according to claim 1, wherein the receiving a state analysis result of the CA service module for the first client certificate state acquisition request information, and controlling access of the first client according to the state analysis result specifically includes:
allowing the first client to access under the condition that the state analysis result is normal;
and if the state analysis result is a revoke or a fake, forbidding the access of the first client.
4. The client access control method according to claim 1, wherein the pre-stored certificate verification information comprises:
pre-stored identification information of the SSL certificate, valid time information and issuing information of the CA certificate.
5. A client access control method, comprising:
receiving first client certificate state acquisition request information sent by an SSL module;
and performing state analysis on the first client certificate state acquisition request information, and sending a state analysis result to an SSL (secure socket layer) module so that the SSL module controls the access of the first client according to the state analysis result.
6. The client access control method according to claim 5, wherein the performing the state analysis on the first client certificate state obtaining request information and sending a state analysis result to the SSL module includes:
performing state analysis on the first client certificate state acquisition request information according to pre-stored state information of the SSL certificate, and, when the state analysis result is abnormal, returning to the SSL module a state analysis result indicating that the SSL certificate is revoked or forged;
and when the state analysis result is normal, returning to the SSL module a state analysis result indicating that the SSL certificate state is normal.
7. The client access control method of claim 5, further comprising:
receiving a certificate configuration file of a second client sent by a server program module;
generating an SSL certificate of a second client and state information of the SSL certificate of the second client according to a certificate configuration file of the second client, and locally storing the SSL certificate and the state information; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client;
and sending the SSL certificate of the second client to the server program module so as to sign the SSL certificate of the second client to the second client through the server program module.
8. The client access control method of claim 5, further comprising:
receiving an instruction, sent by the server program module, to revoke the SSL certificate of a third client;
searching for the SSL certificate of the third client among the SSL certificates of the issued clients;
and setting the state information of the SSL certificate of the third client to a revoked state.
9. A client access control method, comprising:
generating a certificate configuration file for the second client, and sending the certificate configuration file of the second client to the CA service module, so that the CA service module generates an SSL (secure socket layer) certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client;
and receiving the SSL certificate of the second client from the CA service module, and sending the SSL certificate of the second client to the second client.
10. The client access control method of claim 9, further comprising:
and sending an instruction for revoking the SSL certificate of the third client to the CA service module.
11. The client access control method of claim 9, further comprising:
configuring a CA certificate and address information of a CA service module for an SSL module, and starting the SSL module; and the CA certificate is a public key used by the CA service module when the SSL certificate of the second client is signed.
12. A client access control device is characterized by comprising a first receiving module, a verification module, a first sending module and a first control module, wherein:
the first receiving module is used for receiving SSL connection request information initiated by a first client; wherein the SSL connection request information is generated based on a preset SSL certificate and a CA certificate of the first client;
the verification module is used for verifying the certificate information in the SSL connection request information according to prestored certificate verification information, and generating SSL certificate state acquisition request information of a first client under the condition that the certificate passes verification;
the first sending module is used for sending the first client certificate state acquisition request information to the CA service module;
and the first control module is used for receiving a state analysis result of the CA service module for the first client certificate state acquisition request information and controlling the access of the first client according to the state analysis result.
13. A client access control device, characterized by comprising a second receiving module and a second control module, wherein:
the second receiving module is used for receiving the first client certificate state acquisition request information sent by the SSL module;
and the second control module is used for carrying out state analysis on the certificate state acquisition request information of the first client and sending a state analysis result to the SSL module so that the SSL module controls the access of the first client according to the state analysis result.
14. A client access control device, characterized by comprising a generation module and a second sending module, wherein:
the generation module is used for generating a certificate configuration file for the second client and sending the certificate configuration file of the second client to the CA service module so that the CA service module generates an SSL (secure socket layer) certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client;
and the second sending module is used for receiving the SSL certificate of the second client from the CA service module and sending the SSL certificate of the second client to the second client.
15. A client access control system, comprising an SSL module, a CA service module and a server program module; wherein:
the SSL module is configured to perform the steps of the client access control method according to any one of claims 1 to 4;
the CA service module is configured to perform the steps of the client access control method according to any one of claims 5 to 8;
and the server program module is configured to perform the steps of the client access control method according to any one of claims 9 to 11.
16. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the client access control method according to any of claims 1 to 4, or the steps of the client access control method according to any of claims 5 to 8, or the steps of the client access control method according to any of claims 9 to 11 when executing the program.
17. A non-transitory computer readable storage medium, having stored thereon a computer program, characterized in that the computer program, when being executed by a processor, is adapted to carry out the steps of the client access control method according to any of the claims 1 to 4, or the steps of the client access control method according to any of the claims 5 to 8, or the steps of the client access control method according to any of the claims 9 to 11.
18. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, carries out the steps of the client access control method according to any one of claims 1 to 4, or the steps of the client access control method according to any one of claims 5 to 8, or the steps of the client access control method according to any one of claims 9 to 11.
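The three-module flow of claims 1 to 11, as an added example built on Go's standard crypto/x509 (example code, not the patent's or the applicant's own): the CA service module issues client certificates and keeps a status record for each, and the SSL module first checks a presented certificate against its prestored verification information (allowed client identity, validity window, issuing CA certificate) and only then asks the CA service module for the certificate's status, admitting the client solely on a normal status. The example's own assumptions are the type and function names, the status strings "normal", "revoked" and "forged", the certificate configuration file reduced to an identity plus a validity period, and a direct method call in place of the CA service address that claim 11 configures into the SSL module.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func check(err error) { // key generation and DER encoding only fail on a broken RNG or template
	if err != nil {
		panic(err)
	}
}

// CAService models the CA service module of claims 5 to 8 (all names here are the example's own).
type CAService struct {
	key    *ecdsa.PrivateKey
	cert   *x509.Certificate // the CA certificate configured into the SSL module (claim 11)
	serial int64
	status map[string]string // raw DER of an issued certificate -> "normal" | "revoked"
}

// NewCAService builds a self-signed CA; the private key never leaves the module.
func NewCAService() *CAService {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &CAService{key: key, cert: cert, serial: 1, status: map[string]string{}}
}

// Issue is claim 7 with the configuration file reduced to identity plus validity; status starts "normal".
func (ca *CAService) Issue(clientID string, validFor time.Duration) []byte {
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	ca.serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(ca.serial), Subject: pkix.Name{CommonName: clientID},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validFor),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &clientKey.PublicKey, ca.key)
	check(err)
	ca.status[string(der)] = "normal"
	return der
}

// Revoke is claim 8: only a certificate found among the issued ones is marked revoked.
func (ca *CAService) Revoke(der []byte) {
	if ca.status[string(der)] != "" {
		ca.status[string(der)] = "revoked"
	}
}

// Status is claims 5 and 6: an issued certificate reports its stored status; any other is "forged".
func (ca *CAService) Status(der []byte) string {
	if s, ok := ca.status[string(der)]; ok {
		return s
	}
	return "forged"
}

// SSLModule models the SSL module of claims 1 to 4; its prestored verification information (claim 4)
// is the allowed client identities plus the CA certificate of claim 11.
type SSLModule struct {
	roots   *x509.CertPool
	allowed map[string]bool
	ca      *CAService // a direct call stands in for the CA service module's address
}

func NewSSLModule(ca *CAService, allowed map[string]bool) *SSLModule {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	return &SSLModule{roots: roots, allowed: allowed, ca: ca}
}

// HandleConnection is claims 1 to 3: identity, validity window and issuing CA are checked locally;
// only a certificate that passes goes to the CA service, and only a "normal" status admits the client.
func (m *SSLModule) HandleConnection(certDER []byte) (bool, string) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false, "malformed certificate"
	}
	if !m.allowed[cert.Subject.CommonName] {
		return false, "unknown client identity " + cert.Subject.CommonName
	}
	opts := x509.VerifyOptions{Roots: m.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil { // rejects an expired certificate or a foreign issuer
		return false, "local verification failed: " + err.Error()
	}
	if st := m.ca.Status(certDER); st != "normal" {
		return false, "CA reports certificate " + st
	}
	return true, "access allowed"
}
```

The ordering matters: the local checks reject expired, foreign-issued and unexpected-identity certificates without a round trip, while the CA-side lookup is what catches a revoked certificate, or one that chains correctly but is absent from the issuing record, which local chain verification alone cannot see. A production CA would key its status table on serial number or fingerprint rather than the raw DER, and the SSL module would reach it over the configured address.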
CN202210056377.3A 2022-01-18 2022-01-18 Client access control method, device, system, electronic equipment and storage medium Active CN114615309B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210056377.3A CN114615309B (en) 2022-01-18 2022-01-18 Client access control method, device, system, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210056377.3A CN114615309B (en) 2022-01-18 2022-01-18 Client access control method, device, system, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114615309A true CN114615309A (en) 2022-06-10
CN114615309B CN114615309B (en) 2024-03-15

Family

ID=81857725

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210056377.3A Active CN114615309B (en) 2022-01-18 2022-01-18 Client access control method, device, system, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114615309B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116233352A (en) * 2023-05-06 2023-06-06 北京电信易通信息技术股份有限公司 Terminal data transmission method and system in video conference scene

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030126433A1 (en) * 2001-12-27 2003-07-03 Waikwan Hui Method and system for performing on-line status checking of digital certificates
CN101072108A (en) * 2007-07-17 2007-11-14 杭州华三通信技术有限公司 SSL VPN client end safety inspection method, system and device
CN101883106A (en) * 2010-06-30 2010-11-10 赛尔网络有限公司 Network access authentication method and server based on digital certificate
CN103441991A (en) * 2013-08-12 2013-12-11 江苏华大天益电力科技有限公司 Mobile terminal security access platform
CN105592059A (en) * 2015-10-14 2016-05-18 杭州华三通信技术有限公司 Digital certificate verification method and device
US20160173488A1 (en) * 2014-12-16 2016-06-16 Fortinet, Inc. Management of certificate authority (ca) certificates
CN106789897A (en) * 2016-11-15 2017-05-31 沃通电子认证服务有限公司 For the digital certificate authentication method and system of application program for mobile terminal
CN107306182A (en) * 2016-04-19 2017-10-31 大唐移动通信设备有限公司 A kind of method, client and server for generating digital certificate
CN109413201A (en) * 2018-11-27 2019-03-01 东软集团股份有限公司 SSL traffic method, apparatus and storage medium
US10521581B1 (en) * 2017-07-14 2019-12-31 EMC IP Holding Company LLC Web client authentication and authorization
CN111585976A (en) * 2020-04-09 2020-08-25 北京理工大学 Communication method, communication apparatus, storage medium, and electronic device
CN113014546A (en) * 2021-01-29 2021-06-22 深圳市风云实业有限公司 Certificate-based authentication registration state management method and system

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030126433A1 (en) * 2001-12-27 2003-07-03 Waikwan Hui Method and system for performing on-line status checking of digital certificates
CN101072108A (en) * 2007-07-17 2007-11-14 杭州华三通信技术有限公司 SSL VPN client end safety inspection method, system and device
CN101883106A (en) * 2010-06-30 2010-11-10 赛尔网络有限公司 Network access authentication method and server based on digital certificate
CN103441991A (en) * 2013-08-12 2013-12-11 江苏华大天益电力科技有限公司 Mobile terminal security access platform
US20180159848A1 (en) * 2014-12-16 2018-06-07 Fortinet, Inc. Management of certificate authority (ca) certificates
US20160173488A1 (en) * 2014-12-16 2016-06-16 Fortinet, Inc. Management of certificate authority (ca) certificates
CN105592059A (en) * 2015-10-14 2016-05-18 杭州华三通信技术有限公司 Digital certificate verification method and device
CN107306182A (en) * 2016-04-19 2017-10-31 大唐移动通信设备有限公司 A kind of method, client and server for generating digital certificate
CN106789897A (en) * 2016-11-15 2017-05-31 沃通电子认证服务有限公司 For the digital certificate authentication method and system of application program for mobile terminal
US10521581B1 (en) * 2017-07-14 2019-12-31 EMC IP Holding Company LLC Web client authentication and authorization
CN109413201A (en) * 2018-11-27 2019-03-01 东软集团股份有限公司 SSL traffic method, apparatus and storage medium
CN111585976A (en) * 2020-04-09 2020-08-25 北京理工大学 Communication method, communication apparatus, storage medium, and electronic device
CN113014546A (en) * 2021-01-29 2021-06-22 深圳市风云实业有限公司 Certificate-based authentication registration state management method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
庄俊玺 (Zhuang Junxi): "Research on key technologies of trusted network access based on user behavior", China Doctoral Dissertations Full-text Database, Information Science and Technology series *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116233352A (en) * 2023-05-06 2023-06-06 北京电信易通信息技术股份有限公司 Terminal data transmission method and system in video conference scene
CN116233352B (en) * 2023-05-06 2023-07-07 北京电信易通信息技术股份有限公司 Terminal data transmission method and system in video conference scene

Also Published As

Publication number Publication date
CN114615309B (en) 2024-03-15

Similar Documents

Publication Publication Date Title
CN108684041B (en) System and method for login authentication
CA2578186C (en) System and method for access control
CN112330855B (en) Electronic lock safety management method, equipment and system
EP2013758B1 (en) Dynamic authentication in secured wireless networks
CN101515932B (en) Method and system for accessing Web service safely
US8438385B2 (en) Method and apparatus for identity verification
US8590024B2 (en) Method for generating digital fingerprint using pseudo random number code
CN111083670A (en) Vehicle using method and device based on intelligent key
CN101841525A (en) Secure access method, system and client
CN112396735B (en) Internet automobile digital key safety authentication method and device
CN111027035A (en) Multi-identity authentication method and system based on block chain
CN110995710A (en) Smart home authentication method based on eUICC
JP2017152880A (en) Authentication system, key processing coordination method, and key processing coordination program
US11652648B2 (en) Authentication between a telematic control unit and a core server system
CN102264050A (en) Network access method, system and authentication server
CN1885770B (en) Authentication method
CN104486322B (en) Terminal access authentication authorization method and terminal access authentication authoring system
CN114615309B (en) Client access control method, device, system, electronic equipment and storage medium
CN107171814A (en) A kind of digital certificate updating method and device
CN101282215A (en) Method and apparatus for distinguishing certificate
KR20050071768A (en) System and method for one time password service
CN112073967B (en) Method and device for downloading identity certificate of mobile phone shield equipment and electronic equipment
CN106936760A (en) A kind of apparatus and method of login Openstack cloud system virtual machines
CN111147501A (en) Bluetooth key inquiry method and device
CN111127715A (en) Bluetooth key replacement method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: QAX Technology Group Inc.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant before: QAX Technology Group Inc.

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

GR01 Patent grant
GR01 Patent grant