DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the Amendment filed on 12/04/2025.
In the instant Amendment, claims 2 and 13 were cancelled; claims 1 and 12 have been amended; and claims 1 and 12 are independent claims. Claims 1, 3-12 and 14-20 have been examined and are pending. This Action is made FINAL.
Response to Arguments
Applicant’s arguments with respect to claims 1-20 have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection. The new reference Caceres et al. (US 11496323) used to address the limitations.
The amended claims 1 and 12 have been addressed in rejection below.
Claim objection
Claims 3-6 and 14-15 are objected to because of the following informalities:
Regarding claims 3-6; claims 3-6 recite the limitation “[T]he method of claim 2”. However, claim 2 was canceled. For purpose of applying art, the Examiner considers claims 3-6 depend on claim 1.
Regarding claims 14-15; claims 14-15 recite the limitation “[T]he non-transitory computer readable medium of claim 13”. However, claim 13 was canceled. For purpose of applying art, the Examiner considers claims 14-15 depend on claim 12.
Appropriate correction(s) is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 4, and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Mallikarjuna Durga Lokanath et al. (“Lokanath,” US 2022/0239503) in view of Vaddi et al. (“Vaddi,” US 2020/0287724) and Caceres et al. (“Caceres,” US 11496323).
Regarding claim 1: Lokanath discloses a method for managing authentication in a cluster, comprising:
generating, by a node of a cluster, at least one initial cluster certificate using at least one cluster identity parameter (Lokanath: par. 0027 the certificate orchestrator to create [] a certificate; par. 0017 the container orchestration system 100 can expose a container using the domain name service (INS) name or using an Internet Protocol (IP) address), wherein:
the cluster comprises a plurality of worker nodes (Lokanath: par. 0018 groups of nodes managed by the container orchestration system 100 can be referred to as a cluster),
the plurality of worker nodes host a plurality of pods (Lokanath: par. 0018 the nodes can host 'pods' that are the components of the application workload),
the plurality of pods comprise a plurality of containers (Lokanath: par. 0020 a pod is a group of one or more containers), and
the plurality of containers comprise a plurality of services (Lokanath: par. 0019 the container orchestration system 100 runs applications by placing applications in containers, which are placed into pods to run on nodes);
making a determination that a cluster certificate update is required (Lokanath: par. 0029 in response to detecting the creation or update of the custom resources, the certificate orchestrator requests a certificate for renewal from the cloud certificate manager of the cloud computing environment (Block 207)), wherein making the determination comprises:
monitoring the cluster (Lokanath: par. 0028 monitors the custom resources related to certificates, keystores, and truststores);
identifying a change in the cluster (Lokanath: par. 0028 detects the creation or update of these custom resources (Block 205)); and
in response to the determination:
generating an updated certificate (Lokanath: par. 0030 the custom resources and associated objects are updated by the certificate orchestrator with information related to the certificate).
Lokanath does not explicitly disclose performing authentication for the cluster using the at least one initial cluster certificate, replacing the at least one initial cluster certificate using the updated certificate, and performing authentication for the cluster using the updated certificate.
However, Vaddi discloses performing authentication for the cluster using the at least one initial cluster certificate (Vaddi: par. 0034 the service 206 determines that the first certificate was issued by the trusted authority, the service 206 may begin trusting the software program 202, and may begin exchanging information with the software program 202);
replacing the at least one initial cluster certificate using the updated certificate (Vaddi: par. 0036 the present subject matter injects the certificate 107 into the container 208. The injection of a certificate into a container may refer to writing the certificate into a storage region within the container); and
performing authentication for the cluster using the updated certificate (Vaddi: par. 0042 the injection of the certificate 107 into the CSL 214 ensures that the service 206 can readily access the certificate 107 upon injection of the certificate 107. Therefore [] enables container-based services to establish trusted communications with minimal delay).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Vaddi with the system/method of Lokanath to include performing authentication for the cluster using the updated certificate. One would have been motivated to using digital certificate to establish trust between two communicating entities, such as communicating programs (Vaddi: par. 0001).
Lokanath in view of Vaddi does not explicitly disclose obtaining a new cluster identity parameter, a pod identifier, and a service identifier associated with the change, the new cluster identity parameter, a cryptographic algorithm, the pod identifier and the service identifier.
However, Caceres discloses obtaining a new cluster identity parameter, a pod identifier, and a service identifier associated with the change (Caceres: col. 10 lines 8-13 assume, for example, a request in cloud computing service platform for a new container of an open-source document-oriented database. In order to do this, the platform 500 may need to allocate new components, such as a new virtual machine and a new container, which may need to interact with other components, such as a web server, in the system);
the new cluster identity parameter (Caceres: col. 4 lines 9-11 at least one container update from the enterprise registry to a plurality of cloud computing service platform internal registries in a one-to-many relationship);
a cryptographic algorithm (Caceres: col. 5 lines 58-60 assuring that communication between each pair of nodes should be authenticated and encrypted using public key infrastructure (PKI));
the pod identifier (Caceres: col. 6 lines 43-46 image provisioning may be performed via external cloud/container orchestration tools, and image instantiation may be provided via separately controlled application deployment tools); and
the service identifier (Caceres: col. 8 lines 14-16 a cloud computing service platform solution may include a component referred to as a policy engine that makes authorization decisions for the platform).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Caceres with the system/method of Lokanath and Vaddi to include obtaining a new cluster identity parameter, a pod identifier, and a service identifier associated with the change. One would have been motivated to providing methods and systems for enterprise security in container orchestration environments (Caceres: col. 1 lines 18-20).
Regarding claim 4: Lokanath in view of Vaddi and Caceres discloses the method of claim 2.
Lokanath further discloses wherein the new cluster identity parameter comprises a new fully qualified domain name associated with the cluster (Lokanath: par. 0025 the metadata of the certificate CRD includes the certificate of the fully qualified domain name (FQDN) and type of certificate).
Regarding claim 12: Lokanath discloses a non-transitory computer readable medium comprising computer readable program code, which when executed by a computer processor enables the computer processor to perform a method for managing authentication in a cluster, the method comprising:
generating, by a node of a cluster, at least one initial cluster certificate using at least one cluster identity parameter (Lokanath: par. 0027 the certificate orchestrator to create [] a certificate; par. 0017 the container orchestration system 100 can expose a container using the domain name service (INS) name or using an Internet Protocol (IP) address), wherein:
the cluster comprises a plurality of worker nodes (Lokanath: par. 0018 groups of nodes managed by the container orchestration system 100 can be referred to as a cluster),
the plurality of worker nodes host a plurality of pods (Lokanath: par. 0018 the nodes can host 'pods' that are the components of the application workload),
the plurality of pods comprise a plurality of containers (Lokanath: par. 0020 a pod is a group of one or more containers), and
the plurality of containers comprise a plurality of services (Lokanath: par. 0019 the container orchestration system 100 runs applications by placing applications in containers, which are placed into pods to run on nodes);
making a determination that a cluster certificate update is required (Lokanath: par. 0029 in response to detecting the creation or update of the custom resources, the certificate orchestrator requests a certificate for renewal from the cloud certificate manager of the cloud computing environment (Block 207)), wherein making the determination comprises:
monitoring the cluster (Lokanath: par. 0028 monitors the custom resources related to certificates, keystores, and truststores);
identifying a change in the cluster (Lokanath: par. 0028 detects the creation or update of these custom resources (Block 205)); and
in response to the determination:
generating an updated certificate (Lokanath: par. 0030 the custom resources and associated objects are updated by the certificate orchestrator with information related to the certificate).
Lokanath does not explicitly disclose performing authentication for the cluster using the at least one initial cluster certificate, replacing the at least one initial cluster certificate using the updated certificate, and performing authentication for the cluster using the updated certificate.
However, Vaddi discloses performing authentication for the cluster using the at least one initial cluster certificate (Vaddi: par. 0034 the service 206 determines that the first certificate was issued by the trusted authority, the service 206 may begin trusting the software program 202, and may begin exchanging information with the software program 202);
replacing the at least one initial cluster certificate using the updated certificate (Vaddi: par. 0036 the present subject matter injects the certificate 107 into the container 208. The injection of a certificate into a container may refer to writing the certificate into a storage region within the container); and
performing authentication for the cluster using the updated certificate (Vaddi: par. 0042 the injection of the certificate 107 into the CSL 214 ensures that the service 206 can readily access the certificate 107 upon injection of the certificate 107. Therefore [] enables container-based services to establish trusted communications with minimal delay).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Vaddi with the system/method of Lokanath to include performing authentication for the cluster using the updated certificate. One would have been motivated to using digital certificate to establish trust between two communicating entities, such as communicating programs (Vaddi: par. 0001).
Lokanath in view of Vaddi does not explicitly disclose obtaining a new cluster identity parameter, a pod identifier, and a service identifier associated with the change, the new cluster identity parameter, a cryptographic algorithm, the pod identifier and the service identifier.
However, Caceres discloses obtaining a new cluster identity parameter, a pod identifier, and a service identifier associated with the change (Caceres: col. 10 lines 8-13 assume, for example, a request in cloud computing service platform for a new container of an open-source document-oriented database. In order to do this, the platform 500 may need to allocate new components, such as a new virtual machine and a new container, which may need to interact with other components, such as a web server, in the system);
the new cluster identity parameter (Caceres: col. 4 lines 9-11 at least one container update from the enterprise registry to a plurality of cloud computing service platform internal registries in a one-to-many relationship);
a cryptographic algorithm (Caceres: col. 5 lines 58-60 assuring that communication between each pair of nodes should be authenticated and encrypted using public key infrastructure (PKI));
the pod identifier (Caceres: col. 6 lines 43-46 image provisioning may be performed via external cloud/container orchestration tools, and image instantiation may be provided via separately controlled application deployment tools); and
the service identifier (Caceres: col. 8 lines 14-16 a cloud computing service platform solution may include a component referred to as a policy engine that makes authorization decisions for the platform).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Caceres with the system/method of Lokanath and Vaddi to include obtaining a new cluster identity parameter, a pod identifier, and a service identifier associated with the change. One would have been motivated to providing methods and systems for enterprise security in container orchestration environments (Caceres: col. 1 lines 18-20).
Claims 3, 5-11 and 14-20 are rejected under 35 U.S.C. 103 as being unpatentable over Mallikarjuna Durga Lokanath et al. (“Lokanath,” US 2022/0239503) in view of Vaddi et al. (“Vaddi,” US 2020/0287724), Caceres et al. (“Caceres,” US 11496323) and Callaghan et al. (“Callaghan,” US 2006/0075219).
Regarding claim 3: Lokanath in view of Vaddi and Caceres discloses the method of claim 2.
Lokanath in view of Vaddi and Caceres does not explicitly disclose wherein the new cluster identity parameter comprises a new network address associated with the cluster.
However, Callaghan discloses wherein the new cluster identity parameter comprises a new network address associated with the cluster (Callaghan: par. 0020 an administrator selects an option or application to change a network configuration setting [] the settings include the host name (e.g. "hmcserver"), network domain name (e.g. "ibm.com") and IP address of server system 109).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Callaghan with the system/method of Lokanath, Vaddi and Caceres to include the new cluster identity parameter comprises a new network address associated with the cluster. One would have been motivated to detect when a change has been made to a name, domain or IP address of the server and updating an SSL certificate (Callaghan: par. 0007).
Regarding claim 5: Lokanath in view of Vaddi and Caceres discloses the method of claim 2.
Lokanath in view of Vaddi and Caceres does not explicitly disclose wherein the new cluster identity parameter comprises a new domain associated with the cluster.
However, Callaghan discloses wherein the new cluster identity parameter comprises a new domain associated with the cluster (Callaghan: par. 0020 an administrator selects an option or application to change a network configuration setting [] the settings include the host name (e.g. "hmcserver"), network domain name (e.g. "ibm.com") and IP address of server system 109).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Callaghan with the system/method of Lokanath, Vaddi and Caceres to include the new cluster identity parameter comprises a new domain associated with the cluster. One would have been motivated to detect when a change has been made to a name, domain or IP address of the server and updating an SSL certificate (Callaghan: par. 0007).
Regarding claim 6: Lokanath in view of Vaddi and Caceres discloses the method of claim 2.
Lokanath in view of Vaddi and Caceres does not explicitly disclose wherein obtaining the updated certificate comprises generating the updated certificate using the new cluster identity parameter.
However, Callaghan discloses wherein obtaining the updated certificate comprises generating the updated certificate using the new cluster identity parameter (Callaghan: par. 0022 management server 204 generates the new CSR containing the updated server system 109 information and writes it to removable media 203 (step 407)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Callaghan with the system/method of Lokanath, Vaddi and Caceres to include obtaining the updated certificate comprises generating the updated certificate using the new cluster identity parameter. One would have been motivated to detect when a change has been made to a name, domain or IP address of the server and updating an SSL certificate (Callaghan: par. 0007).
Regarding claim 7: Lokanath in view of Vaddi, Caceres and Callaghan discloses the method of claim 6.
Vaddi further discloses wherein performing authentication for the cluster using the updated certificate comprises authenticating communications associated with cluster using the updated certificate by at least one client of a plurality of clients while connecting to at least one service of the plurality of services (Vaddi: par. 0016 the injection of certificates in response to initialization of a container ensures that a container has all certificates that can be used for establishing trusted communications before a service becomes operational. Further, the injection of a certificate in response to updating of the memory with the certificate ensures that the container possesses valid and up-to-date certificates).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Vaddi with the system/method of Lokanath to include authenticating communications associated with cluster using the updated certificate by at least one client of a plurality of clients. One would have been motivated to using digital certificate to establish trust between two communicating entities, such as communicating programs (Vaddi: par. 0001).
Regarding claim 8: Lokanath in view of Vaddi and Caceres discloses the method of claim 1.
Lokanath further discloses wherein making the determination that the cluster certificate update is required comprises:
monitoring the cluster (Lokanath: par. 0022 the certificate orchestrator 107 is a custom (e.g., Kubernetes) controller which monitors custom resources 109).
Lokanath in view of Vaddi and Caceres does not explicitly disclose obtaining a message from a client of a plurality of clients comprising an imported certificate and specifying a portion of the plurality of services associated with the imported certificate.
However, Callaghan further discloses obtaining a message from a client of a plurality of clients comprising an imported certificate and specifying a portion of the plurality of services associated with the imported certificate (Callaghan: par. 0021 management server 204 automatically queries the administrator if he or she would like to have management server 204 automatically generate a new certificate signing request (CSR) using the new host information (i.e. the information that was changed in step 401) to obtain from the certificate authority an updated, signed SSL certificate with the new host information (step 406)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Callaghan with the system/method of Lokanath, Vaddi and Caceres to include obtaining a message from a client of a plurality of clients comprising an imported certificate and specifying a portion of the plurality of services associated with the imported certificate. One would have been motivated to detect when a change has been made to a name, domain or IP address of the server and updating an SSL certificate (Callaghan: par. 0007).
Regarding claim 9: Lokanath in view of Vaddi, Caceres and Callaghan discloses the method of claim 8.
Callaghan further discloses wherein the imported certificate is generated by a user of the client (Callaghan: par. 0023 the administrator himself or herself wants to generate a new CSR).
The motivation is the same that of claim 8 above.
Regarding claim 10: Lokanath in view of Vaddi and Caceres and Callaghan discloses the method of claim 8.
Vaddi further discloses wherein replacing the at least one initial cluster certificate with the updated certificate comprises replacing the at least one initial cluster certificate with the imported certificate for the portion of the plurality of services (Vaddi: par. 0036 the present subject matter injects the certificate 107 into the container 208. The injection of a certificate into a container may refer to writing the certificate into a storage region within the container).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Vaddi with the system/method of Lokanath to include replacing the at least one initial cluster certificate with the imported certificate for the portion of the plurality of services. One would have been motivated to using digital certificate to establish trust between two communicating entities, such as communicating programs (Vaddi: par. 0001).
Regarding claim 11: Lokanath in view of Vaddi, Caceres and Callaghan discloses the method of claim 10.
Lokanath further discloses wherein the performing authentication for the cluster using the updated certificate comprises:
authenticating communications associated with the portion of the plurality of services using the imported certificate (Lokanath: par. 0023 when a create event for certificate occurs, the certificate orchestrator 107 captures the create event and requests a new certificate from the cloud certificate manager 111); and
authenticating communications associated with a remaining portion of the plurality of services using the at least one initial cluster certificate (Lokanath: par. 0023 when the create event for the keystore occurs, then the certificate orchestrator 107 downloads the service's certificate bundle from the cloud certificate manager, creates a keystore and uploads it to cloud secrets manager 113).
Regarding claim 14: Claim 14 is similar in scope to claim 3, and is therefore rejected under similar rationale.
Regarding claims 15-20: Claims 15-20 are similar in scope to claims 6-11, respectively, and are therefore rejected under similar rationale.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at 5712705002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/FAHIMEH MOHAMMADI/ Examiner, Art Unit 2439
/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439