WO2011040192A1 - Virtual machine, virtual machine program, application service provision system and method for providing application service - Google Patents

Abstract

Provided is a virtual machine intended to promote the use of cloud services while an application provision company carries out security countermeasures for confidential corporate information. When the virtual machine (13_x) receives a request from a client device (1a-1c) via the internet (2), the virtual machine (13_x) determines whether or not processing is required on the basis of confidential corporate information, including information about the user using the client device (1a-1c). If the virtual machine (13_x) determines, on the basis of confidential corporate information, that processing is required, the virtual machine (13_x) securely communicates with a corporate database server connected to the corporate network and, on the basis of confidential corporate information, performs processing on the request from the client device (1a-1c). However, if the virtual machine (13_x) determines, on the basis of confidential corporate information, that processing is not required, the virtual machine (13_x) carries out the process stipulated in the request from the client device (1a-1c).

Description

Virtual machine, virtual machine program, application service providing system, and application service providing method

The present invention relates to a virtual machine that operates on a server connected via the Internet, a program of the virtual machine, an application service providing system including the virtual machine, and an application service providing method.

Conventionally, computer resources such as server computers and databases have been owned by companies that use them. However, the hardware and applications are complex and expensive, and a specialized department that operates computer resources is also required.

Therefore, a service form called cloud computing (hereinafter referred to as “cloud service”) has attracted attention as a new form of use of computer resources based on the Internet. An example of such a cloud service is “Elastic Compute Cloud (EC2)” provided by Amazon.

In the cloud service, the user does not need to own or manage computer resources. In the cloud service, it is possible to use computer resources by paying a usage fee. On the other hand, on the cloud service provider side, virtual machines are arranged for each user on one or a plurality of servers, thereby improving server utilization efficiency and scalability. Therefore, the cloud service providing company can provide computer resources to the user at a relatively low cost (see, for example, Patent Document 1).

In this way, in the cloud service, since the user does not need to introduce computer resources, the introduction cost and the operation cost are reduced. In addition, because of its extensibility, it is expected that the number of users will increase in the future.

Especially, it is expected that usage forms such as renting virtual machines from cloud service providers and providing applications to clients will increase.

A company that intends to provide an application to a client via the Internet (hereinafter referred to as an “application provider”) rents a virtual machine serving as an application platform from a cloud service provider as a cloud service user. Then, the application providing company causes the application to be executed on the virtual machine. Since the application provider does not need to own and manage the application platform, the introduction cost and the operation cost are reduced, and the cost hurdle is lowered. Therefore, the application providing company can easily provide the application service to the client.

Japanese translation of PCT publication No. 2004-503011

Data used in the application provided by the application provider includes important information such as confidential information within the application provider and personal information of the client (that is, the client of the application service provided by the application provider) "In-house confidential information").

However, in the above cloud service, the application provider deposits data used in the provided application with the cloud service provider. That is, the application providing company causes the cloud service providing company to take security measures for data used in the provided application.

However, if virtual machines of other users as well as virtual machines of the application provider are placed on the same server, confidential information within the company by other users, etc. due to hacking with a defective server program There is a risk of being stolen. Further, since the operation of the server is left to the cloud service provider, there is a risk that unauthorized copying from the inside of the cloud service provider will cause unauthorized copying or theft of the disk. As described above, when the confidential information in the company is deposited in the cloud service provider, there is a security problem that the confidential information in the company cannot be managed on the application provider side.

As described above, the application provider entrusts management of confidential information in the company such as client information to the cloud service provider, and cannot manage information leakage. For this reason, there are many cases where he / she is anxious about depositing confidential company information at a cloud service provider and hesitates to use the cloud service. Although the cloud service has many advantages, it is not sufficiently utilized.

The present invention has been made in view of the above-described problems, and a virtual machine and a virtual machine that can promote the use of a cloud service while performing security measures for confidential information in the company on the application provider side. It is an object to provide a program, an application service providing system, and an application service providing method.

In order to solve the above-mentioned object, the invention according to claim 1 is a virtual machine that operates on a server connected to the Internet and processes a request from a client device; A virtual machine in an application service providing system including an in-company database server that stores confidential information in a company including information on a user to be used, and a receiving unit that receives a request from a client device via the Internet; A determination unit that determines whether or not processing based on the confidential information in the company is necessary in response to a request from the client device; and the determination unit determines that processing based on the confidential information in the company is necessary. Connected to the corporate network and the confidential information of the corporate A first processing unit that performs secure communication with an in-company database server that performs a memory process, and performs processing for the request based on the in-company confidential information; and a process based on the in-company confidential information by the determination unit And a second processing means for executing a process for the request.

The invention according to claim 2 is the virtual machine according to claim 1, wherein the in-company database server stores user authentication information of the client device, and the determination means includes the client When the authentication information is acquired from the device, it is determined that a process based on the confidential information in the company is necessary, and the first processing means sends authentication information that matches the acquired authentication information to the in-company database server. The client apparatus is inquired of whether it is stored or not, and the client device is authenticated.

The invention according to claim 3 is the virtual machine according to claim 1, and performs secure communication with the in-company database server when the in-company confidential information is received from the client device. The third database processing unit stores the confidential information in the company in the in-company database server.

The invention according to claim 4 is the virtual machine according to any one of claims 1 to 3, wherein the first processing means uses the information acquired from the client device as the confidential information in the company. Based on the processing, the data is transmitted to the client device.

According to a fifth aspect of the present invention, there is provided a virtual machine program operating on a server connected to the Internet, a reception step of receiving a request from a client device via the Internet, and a request from the client device On the other hand, it is determined that a process based on the confidential information in the company including the user information of the client device is necessary and a process based on the confidential information in the company is determined by the determination step. Then, a first process is performed in which secure communication is performed with an in-company database server that is connected to the in-company network and stores the in-company confidential information, and the request is processed based on the in-company confidential information. A process based on the confidential information in the company is not required by the step and the determination step. When a constant was assumed to execute a second process step for executing processing for the request.

According to a sixth aspect of the present invention, there is provided a virtual machine that operates on a server connected to the Internet and performs processing according to a request from a client device, and an in-company database server connected to the in-company network. In the provided application service providing system, the in-company database server stores in-store confidential information including user information of the client device, and stores in the storage means in response to a request from the virtual machine. Storage processing means for searching for, changing or deleting confidential information in a company, or adding confidential information in a company to the storage means, and the virtual machine receives a request from a client device via the Internet In response to a request from the accepting means and the client device, A determination means for determining whether or not a process is required, and when the determination means determines that a process based on the confidential information in the company is required, secure communication is performed with the in-company database server. First processing means for performing processing for the request based on the confidential information in the company, and executing processing for the request when the determination means determines that processing based on the confidential information in the company is not necessary And a second processing means.

According to a seventh aspect of the present invention, there is provided an application comprising a virtual machine that operates on a server connected to the Internet and performs processing according to a request from a client device, and an in-company database server connected to the in-company network. A service providing method, wherein the virtual machine receives a request from a client device via the Internet, and the virtual machine receives user information of the client device in response to a request from the client device. A determination step for determining whether or not a process based on the confidential information within the company is necessary; and when the virtual machine determines that a process based on the confidential information within the company is necessary according to the determination step, Perform secure communication with the database server to A request step for performing processing in response to a request from the client device with respect to the base server, and a storage unit in which the in-company database server stores the in-company confidential information in response to a request from the virtual machine. A storage processing step for searching, changing or deleting the confidential information in the company or adding the confidential information in the company to the storage means, and the virtual machine needs processing based on the confidential information in the company by the determining step If it is determined that it is not, it has a processing step for performing processing according to a request from the client device.

According to the present invention, an application provider that is a user of a cloud service uses a virtual machine that operates on a server connected via the Internet to reduce the introduction cost and operation cost of a computer resource, It is possible to take security measures in-house without leaving the information including confidential information to the cloud service provider.

It is a figure which shows the structure of the application service provision system which concerns on one Embodiment of this invention. It is a figure which shows schematic operation | movement of an application service provision system. It is a figure which shows the structure of the client apparatus shown in FIG. It is a figure which shows the flow of a process of the client apparatus shown in FIG. It is a figure which shows the structure of the server system shown in FIG. It is a figure which shows the architecture on the blade server shown in FIG. FIG. 6 is a functional block diagram of the blade server shown in FIG. 5. It is a figure which shows the flow of a process of a virtual AP server. It is a functional block diagram of a DB server. It is a figure which shows the flow of a process of DB server. It is a figure which shows the flow of a registration process of the system of a web conference service. It is a figure which shows an example of the data structure of a 1st table. It is a figure which shows an example of the data structure of a 2nd table. It is a figure which shows an example of the data structure of a 3rd table. It is a figure which shows the flow of the participation preparation process of the system of a web conference service. It is a figure which shows the flow of the conference process of the system of a web conference service. It is a figure which shows the flow of a process of a client apparatus. It is a figure which shows the flow (the 1) of a process of a SIP server. It is a figure which shows the flow (the 2) of a process of a SIP server. It is a figure which shows the flow of a process of DB server.

[1. Overview of application service provision system]
The application service providing system of the present embodiment is an application service providing system in which an application providing company, which is a company that intends to provide an application to the client via the Internet, can provide the application service to the client using the cloud service. It is.

As described above, in the application service provided by the application provider using the cloud service, the client using the application service is not aware of the cloud service. The client receives an application service from the application provider in the same way as a normal application service. Examples of application services include a web conference service, a database service, an e-learning service, and an image distribution service described later.

A cloud service provider, which is a company that provides cloud services, rents virtual machines that serve as application platforms to application providers. The application providing company executes an application program on the virtual machine and provides an application service to the client. In the following, a client device that receives application service from an application provider is referred to as a client device.

As shown in FIG. 1, a computer system 3 on the cloud service provider side includes a router 10 connected to the Internet 2 with a LAN input / output port and a server system 11 connected to the LAN 10 input / output port of the router 10. Have.

As will be described later, the server system 11 is composed of a plurality of blade servers connected to the Internet, and can operate a large number of virtual machines on these blade servers. Here, it is assumed that an application providing company executes an application program in one virtual machine among a large number of virtual machines and provides an application service to a client. An application provider can also provide an application service using an application service using a plurality of virtual machines. Hereinafter, the virtual machine that executes the application program in this way is referred to as a virtual AP server 13 _x . In the example shown in FIG. 1, and using the virtual machines running first on the blade server 12 ₁ as a virtual AP server 13 _x.

The users of the client devices 1a, 1b, 1c,... Subscribe to the application service of the application provider. Each user accesses the virtual AP server 13 _x from each client device 1a, 1b, 1c,... And receives an application service of an application provider. In addition, when showing any one client apparatus or all the client apparatuses among the client apparatuses 1a, 1b, 1c,.

The server system 11 is arranged in the network area for the cloud service in the corporate network of the cloud service provider. When a communication packet via the Internet is transmitted from the client device 1 to the virtual AP server 13 _x operating on the server system 11, the router 10 relays the communication packet from the client device 1 to the virtual AP server 13 _x . To do. Communication packets from the virtual AP server 13 _x to the client device 1 are also relayed to the client device 1 by the router 10. The client device 1 receives the provision of the application service by transmitting / receiving a communication packet according to the service to be provided with the virtual AP server 13 _x .

The computer system 4 of the application provider company includes a VPN router 20, a storage 21, a database server 22 that manages data in the storage 21, and a management device 23 that manages the storage 21. The management device 23 can add data to the storage 21 and update data via the database server 22. In the following, the database server is also referred to as a DB server.

The DB server 22 is accessed from the virtual AP server 13 _x via the VPN router 20. Secure communication is established between the virtual AP server 13 _x and the network in the computer system 4 by VPN (Virtual Private Network) connection. Here, performing secure communication means performing communication using data encrypted by a known method. That is, the virtual AP server 13 _x stores a VPN connection program and performs VPN connection with the VPN router 20. Note that the firewall in the VPN router 20 is set so that only the communication packets that pass through the VPN router 20 can be received by the DB server 22. Thus, only the virtual AP server 13 _x can access the DB server 22 via the Internet.

In the application service providing system according to the present embodiment, the virtual AP server 13 _x accessed from the client device 1 communicates with the DB server 22 as necessary to perform processing in response to a request from the client device 1. I have to.

Both the DB server 22 and the storage 21 are arranged in the corporate network of the application provider company. The storage 21 stores information for applications including company confidential information. The confidential corporate information includes important information such as personal information of the client and confidential information in the company of the application provider.

In the application service providing system according to the present embodiment, the company confidential information can be managed within the corporate network of the application provider company side, so that the application provider company side stores the company confidential information without depositing it with the cloud service provider company. Can be managed.

Therefore, the application provider can strictly perform internal security management. For this reason, it becomes possible to use the cloud service without worrying about the security measures of the cloud service provider. Therefore, an application provider can operate an application service at a relatively low cost by using a cloud service as a part of computer resources while strictly performing security management.

The general operation of the application service providing system configured as described above will be described with reference to FIG.

As shown in FIG. 2, first, a client that receives an application service performs a predetermined operation for receiving the application service using the client device 1. Upon receiving this operation, the client apparatus 1 makes a request according to the operation to the virtual AP server 13 _x via the Internet 2 (step S11).

When receiving a request from the client apparatus 1, the virtual AP server 13 _x determines whether it is necessary to communicate with the corporate database server (step S12). Virtual The AP server 13 _x, DB server 22 connected to the corporate network application provider company as a database server in the enterprise is registered. The virtual AP server 13 _x determines whether or not communication with the DB server 22 is necessary. For example, when the request from the client device 1 is a registration request or connection request to the application service and includes personal information such as a client password, ID, name, address, and occupation, the virtual AP server 13 _x It is determined that communication with the internal database server is necessary. That is, the virtual AP server 13 _x determines that communication with the DB server 22 is necessary when it receives the confidential information within the company. On the other hand, when the virtual AP server 13 _x does not include client personal information, the virtual AP server 13 _x determines that communication with the corporate database server is not necessary. Here, the registration request to the application service is a request made in advance for the client to use the application service by using the client device 1, and personal information such as the client password, ID, name, address, occupation, etc. It is a request for registration. The connection request to the application service is a request made when the client uses the application service using the client device 1. The connection request to the application service includes the client password and ID. The virtual AP server 13 _x authenticates the client using the client password and ID (authentication information) included in the connection request. As described above, the personal information of the client of the application providing company is held in the application providing company. Therefore, client personal information can be managed by the application provider. Therefore, application providers can provide application services by using virtual machines to reduce the cost of introducing and operating computer resources while taking security measures for personal information of extremely important clients. Can do.

If it is determined in the process of step S12 that communication with the in-company database server is not necessary (step S12: NO), the virtual AP server 13 _x performs an internal process (step S13). As this internal processing, the virtual AP server 13 _x performs necessary processing in response to a request from the client device 1.

On the other hand, if it is determined that it is necessary to communicate with the corporate database server (step S12: YES), the virtual AP server 13 _x is the DB server 22 transmits a request corresponding to the received request (step S14). At this time, since the communication path in the Internet among the communication paths between the virtual AP server 13 _x and the DB server 22 is VPN-connected, the virtual AP server 13 _x is secure with the DB server 22. Communication can be performed. Here, in order to perform secure communication between the virtual AP server 13 _x and the DB server 22, VPN connection is performed, but the HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) protocol is used. Secure communication may be performed.

The DB server 22 receives a request transmitted from the virtual AP server 13 _x via the Internet 2 and performs processing based on this request (step S15). For example, when the received request is a request corresponding to a registration request to the application service, the DB server 22 stores personal information such as a client ID, password, address, and name included in the received request in the storage 21. And register the client's personal information. When the received request is a request corresponding to a connection request to the application service, the DB server 22 stores the personal information such as the client ID and password included in the received request in the storage 21. Is determined.

The DB server 22 transmits the result of the process performed in step S15 to the virtual AP server 13 _x via the Internet 2 (step S16). For example, in response to a request in response to a registration request to the application service, the DB server 22 uses information indicating that registration of client personal information in the storage 21 is completed as a result of processing, and the virtual AP server 13 _x. Send to. In response to a request in response to a connection request to the application service, the DB server 22 uses the information indicating authentication OK as a result of the processing if the client's personal information is registered in the storage 21, and the virtual AP server 13. Send to _x . On the other hand, DB server 22, if the personal information of the client is not registered in the storage 21, and transmits to the virtual AP server 13 _x the information indicating the authentication NG as the result of the processing.

The virtual AP server 13 _x receives the processing result transmitted from the DB server 22 via the Internet 2 (step S17). The virtual AP server 13 _x transmits the result of the internal process performed in step S13 or the result of the process received in step S17 to the client device 1 (step S18).

The client device 1 receives the result of the process transmitted from the virtual AP server 13 _x via the Internet 2 (step S19), and then performs a predetermined process based on the result (step S20).

[2. Specific configuration of each component]
Next, the configuration and operation of each element constituting the application service providing system will be described.

[2.1. Configuration and Operation of Client Device 1]
First, a specific configuration of the client device 1 will be described. The client device 1 can be a general personal computer in addition to a dedicated computer. The client device 1 is owned by the user of the client device 1, that is, the client. As illustrated in FIG. 3, the client device 1 includes a control unit 41, a storage unit 42, a communication unit 43, an operation unit 44, an information acquisition unit 45, and a presentation unit 46. They are connected to each other via a system bus 47.

The control unit 41 controls the entire client device 1 and includes a CPU (Central Processing Unit), an internal memory, and the like. The storage unit 42 is a rewritable storage device having a storage area for storing various types of information, and is composed of, for example, a flash memory. The communication unit 43 is a communication interface for communicating with other devices via the Internet 2. The operation unit 44 is an operation unit for inputting various settings. The information acquisition unit 45 includes a camera and a microphone, outputs video information captured from the camera, and outputs audio information acquired from the microphone. The presentation unit 46 includes a liquid crystal display (LCD) and a speaker, and reproduces video information and audio information.

The operation of the client device 1 configured as described above will be described based on the flowchart of FIG. Processing in the client device 1 is started and repeated when a power switch (not shown) is turned on in the client device 1 or when a reset switch (not shown) is operated. At this time, the CPU of the control unit 41 puts the program stored in the internal memory into the execution state and puts the function as the control unit 41 into the operation state.

First, the control unit 41 determines whether or not a processing execution instruction has been received via the operation unit 44 (step S21). If it is determined that the execution instruction has not been received (step S21: NO), the control unit 41 repeats the determination in step S21 until the execution instruction is received. On the other hand, if it is determined that accepts execution instruction (step S21: YES), the control unit 41, a request based on the received instruction, and transmits the virtual AP server 13 _x (step S22). Thereafter, the control unit 41 receives a processing result for the request transmitted in step S22 (step S23), and performs a predetermined process based on the processing result (step S24).

[2.2. Configuration and operation of virtual AP server 13 _x ]
The virtual AP server 13 _x is a virtual machine formed on the server system 11 as described above.

As shown in FIG. 5, the server system 11 includes a plurality of blade servers 12 ₁ to 12 _n , storages 14 ₁ to 14 _n, and a server management device 15. For the sake of convenience, the blade server 12 is referred to as any blade server among all the blade servers 12 ₁ to 12 _n or all blade servers. Further, in the case where any one or all of the storages 14 ₁ to 14 _n are indicated, the storage 14 is referred to for convenience.

Each blade server 12 includes a CPU 401, a ROM 402, a RAM 403, an input / output unit 404, a communication unit 405, and a hard disk (HDD) 406, which are connected to each other via a system bus 407. ing. The input / output unit 404 is a communication interface for transmitting / receiving data to / from the server management apparatus 15. The communication unit 405 is a communication interface for connecting to a LAN that is an in-company network within a cloud service provider.

A plurality of virtual machines 13 ₁ to 13 _n operate on the blade servers 12 ₁ to 12 _n configured as described above. For convenience, the virtual machine 13 is referred to as any one or all of the plurality of virtual machines 13 ₁ to 13 _n .

FIG. 6 shows the architecture on the blade server 12. As shown in the figure, in the blade server 12, a main OS as a base program operates. Then, a virtual machine program that is a program for operating the virtual machine on the main OS operates. A plurality of guest OSes operate on this virtual machine program. One or more application programs can be operated on each guest OS.

The server management device 15 is a device that controls and manages each blade server 12. The server management device 15 manages resources (CPU 401, ROM 402, RAM 403, HDD 406, etc.) assigned to the guest OS. For example, the server management apparatus 15 can change the resource allocated to the virtual machine 13 according to the resource utilization rate by the virtual machine 13. Further, the server management device 15 can control the start and stop of execution of the application program. Furthermore, the server management device 15 can communicate with each blade server 12 to add, delete, or update a guest OS or application program.

In the present embodiment, among the virtual machine 13 running on blade servers 12, using a virtual machine that runs first on the blade server 12 ₁ as a virtual AP server 13 _x (see FIG. 1).

As shown in FIG. 7, the virtual AP server 13 _x1 operating on the blade server 12 functions as a control unit 411, a storage unit 412, a communication unit 413, and the like by using the resources of the blade server 12, and is used for applications. Run the program. The control unit 411 functions as a reception unit, a determination unit, a first processing unit, a second processing unit, a third processing unit, and the like.

Next, the processing in the virtual AP server 13 _x will be specifically described based on the flowchart of FIG. Treatment with virtual AP server 13 _x starts when the operation of the virtual AP server 13 _x on the blade server is authorized by the server management apparatus 15.

First, the control unit 411 determines whether a request has been received from the client device 1 (step S31). In this process, if it is determined that a request has not been received (step S31: NO), the control unit 411 repeats the determination in step S31 until a request is received from the client device 1. On the other hand, if it is determined that the request has been received (step S31: YES), the control unit 411 determines whether communication with the DB server 22 is necessary (step S32).

In this process, if it is determined that there is no necessary communication with the DB server 22 (step S32: NO), the control unit 411, a process corresponding to the received request, the virtual AP server 13 _x running inside (step S33 ). On the other hand, when determining that communication with the DB server 22 is necessary (step S32: YES), the control unit 411 generates a request for the DB server 22 in response to a request from the client device 1, and the generated request is sent to the DB. It transmits to the server 22 (step S34). Thereafter, the control unit 411 receives the processing result for the request transmitted in step S34 (step S35). When this process ends, or when the process of step S33 ends, the control unit 411 sends the processing result (the result of the internal process in step S33 or the result of the internal process in step S33) to the client device 1 that has transmitted the request received in step S31. The processing result received in step S35 is transmitted (step S36).

[2.3. Configuration and operation of DB server 22]
Next, a specific configuration of the DB server 22 will be described. A general server computer can be applied to the DB server 22. The DB server 22 is managed by the user's company (application providing company). As shown in FIG. 9, the DB server 22 includes a control unit 61, a storage unit 62, a communication unit 63, and an operation unit, which are connected to each other via a system bus 64. The control unit 61 controls the storage 21. The storage unit 62 is a rewritable storage device having a storage area for storing various information. The communication unit 63 is a communication interface for communicating with the management device 23 and the like.

The control unit 61 includes a CPU (Central Processing Unit), an internal memory, and the like. The CPU functions as a storage processing unit or the like by reading and executing a program stored in the internal memory.

Next, the processing in the DB server 22 will be specifically described based on the flowchart of FIG. Processing in the DB server 22 is started and repeated when a power switch (not shown) is turned on or a reset switch (not shown) is operated in the DB server 22. At this time, the CPU of the control unit 61 operates the function as the control unit 61 with the program stored in the internal memory as the execution state.

First, the control unit 61 determines whether a request has been received from the virtual AP server 13 _x (step S41). If it determines with not having received the request (step S41: NO), the control part 61 will repeat the determination of step S41 until a request is received. On the other hand, when it determines with having received the request (step S41: YES), the control part 61 performs the process based on the content of the request in step S42. At this time, the confidential information in the company stored in the storage 21 is used as necessary. Thereafter, in step S43, the control unit 61, to the virtual AP server 13 _x that has transmitted the request received in step S41, and transmits the result of the processing.

As described above, the application service providing system operates when the client device 1, the virtual AP server _13x , and the DB server 22 repeat the above-described processing.

[4. Web conference system to which this embodiment is applied]

Next, a Web conference service system (hereinafter, “Web conference system”) using the application service providing system having the above-described configuration will be specifically described. This Web conference system is executed by operating application software for Web conference on the virtual machine 13 set on the blade server 12. Here, as an example, the application providing company, rent a virtual machine operating on the second blade server 12 _2, SIP is used as (Session Initiation Protocol) server 13 _x2, described as providing Web conferencing services To do.

In the following description, this Web conference system enables a conference between remote locations by transmitting and receiving video information and audio information between the client devices 1 via the SIP server 13 _x2 . In the following, although the audio information process is omitted, it is the same process as the video information process.

In the configuration shown in FIG. 1, when three clients A to C using the client devices 1a to 1c conduct a Web conference, the presentation unit 46 of the client device 1a used by the client A includes the client devices 1b and 1c. The acquired video information is presented. In addition, video information acquired from the client devices 1a and 1c is presented to the presentation unit 46 of the client device 1b used by the client B. In addition, video information acquired from the client devices 1a and 1b is presented to the presentation unit 46 of the client device 1c used by the client C. Further, the SIP server 13 _x2 processes and transmits video information to be transmitted to each client device 1 based on the video information acquired from each client device 1.

Also, in the storage 21, a first table (see FIG. 12) in which information for each client device 1 is registered, and a second table (in FIG. 13) in which information such as the start time and end time of the conference to be held is registered. And a third table (see FIG. 14) in which information of the client device 1 participating in the conference is registered. In order to conduct a Web conference, it is necessary to register conference information described later in the storage 21 from the client device 1 of the organizer in advance. In addition, in order to participate in the Web conference, it is necessary to perform an operation for preparing for participation in each participating client device 1.

In this Web conference system, the following three processes are performed.
(1) “Registration process” for registering a conference to be hosted in the DB server 22
(2) “Participation preparation process” for the procedure to participate in the conference
(3) “Conference processing” for conducting a web conference
Each process will be specifically described below.

[4.1. registration process]
First, the registration process will be described with reference to FIG. This process is executed by the client device 1 of the client that hosts the conference, the SIP server 13 _x2, and the DB server 22.

First, the client device 1 receives an input of a base ID and a password and an execution instruction for authentication processing from the conference organizer via the operation unit 44. Note that if the base ID and password are stored in the storage unit 42 in advance, the input via the operation unit 44 is not necessary. Then, the client device 1 transmits an authentication processing request based on the received information to the SIP server 13 _x2 (step S51). This request includes information indicating an execution request for authentication processing, a base ID, and a password. At this time, a predetermined encryption process may be applied to the base ID and password.

When receiving the request for the authentication process, the SIP server 13 _x2 transmits an authentication process request corresponding to the request for the authentication process to the DB server 22 (step S52). This authentication processing request includes identification information for identifying the SIP server 13 _x2 in addition to the information transmitted from the client device 1.

When the DB server 22 receives the authentication processing request, the DB server 22 performs the authentication processing (step S53). The DB server 22 performs an authentication process with reference to the first table (FIG. 12) stored in the storage 21. That is, in this authentication process, the DB server 22 collates whether or not the combination of the base ID and the password included in the received authentication process request is registered in the first table of the storage 21. When the combination of the base ID and the password is registered in the first table, the DB server 22 determines that the authentication is successful. Otherwise, it is determined that authentication has failed. Note that the base ID and password stored in the storage 21 may also be subjected to encryption processing as in the processing in the client device 1. In this case, decoding is performed at the time of collation.

Here, the data structure of the first table stored in the storage 21 will be described. As shown in FIG. 12, in the first table, the setting for each client device 1 includes “site ID”, “IP address”, “password”, “person in charge”, “phone number”, “company name”. , “Service contents” and “Mail address” are stored.

After the authentication process, the SIP server 13 _x2 transmits an authentication result to the SIP server 13 _x2 that has transmitted the authentication process request (step S54). The authentication result includes information indicating whether or not the authentication is successful, that is, information indicating authentication OK or information indicating authentication NG.

When the SIP server 13 _x2 receives the authentication result from the DB server 22, the SIP server 13 _x2 transmits the authentication result to the client device 1 that has transmitted the request accepted in step S52 (step S55).

When the client apparatus 1 receives an authentication result including information indicating authentication OK, the client apparatus 1 accepts input of information on a conference hosted by the conference organizer via the operation unit 44 (hereinafter referred to as “conference information”). The conference information registration process execution process is accepted. Then, the client device 1 transmits a conference information registration processing request based on the received information to the SIP server 13 _x2 (step S56). Here, the conference information includes the identification number (hereinafter referred to as “conference participation base number”) of the client device 1 used by the client participating in the conference, and the scheduled start time / scheduled end time of the conference. . Further, display layout setting information (described later) on each client device 1 participating in the conference is also included in this request.

SIP server 13 _x2 accepts the request for the meeting information registering process, to the DB server 22 transmits a registration processing request including the identification information of the SIP server 13 _x2 (Step S57). When receiving the registration process request, the DB server 22 performs a conference information registration process (step S58). In the conference information registration process, the conference information is registered in the second table and the third table of the storage 21 based on the received registration process request. That is, the DB server 22 includes the conference scheduled start time, the scheduled end time, and the base ID (host base ID) of the client device 1 that has requested the conference information registration process among the conference information included in the registration processing request. And the identification information of the SIP server 13 _x2 are registered in the second table in association with the newly issued conference ID. Also, the DB server 22 registers the conference participation base number and the setting information in the third table in association with the newly issued conference ID among the conference information included in the registration processing request.

Here, the data structures of the second table and the third table stored in the storage 21 will be described. As shown in FIG. 13, in the second table, the conference ID is used as a key, the “host base ID” indicating the client device 1 of the organizer, the “scheduled start time” indicating the conference start time, and the conference end time. The “scheduled end time” shown is registered. In the second table, the identification information of the SIP server 13 _x2 is also registered using the conference ID as a key, but it is not shown here. Further, as shown in FIG. 14, “conference participation base ID” and “setting information” indicating the identification number of the client device 1 participating in the conference are registered in the third table using the conference ID as a key. . The setting information includes the quality of video information to be displayed (video information compression method and the like) and display layout information. In the present embodiment, this setting information is also handled as confidential information within the company.

When the registration of the conference information in step S58 ends, the DB server 22 transmits completion information indicating that the conference information registration processing has been completed to the SIP server 13 _x2 (step S59). When the SIP server 13 _x2 receives the completion information from the DB server 22, the SIP server 13 _x2 transmits the completion information to the client device 1 (step S60).

[4.2. Preparation for participation]
Next, the participation preparation process will be described with reference to FIG. This process is a process for notifying each client device 1 used by a client participating in the Web conference that the Web conference is to be performed and authenticating each client device 1.

First, the SIP server 13 _x2 transmits a conference information request to the DB server 22 (step S61). This conference information request includes the identification number of the SIP server 13 _x2 . The process of step S61 is repeatedly performed at predetermined time intervals.

The DB server 22 extracts conference information with reference to the first to third tables stored in the storage 21 based on the identification number of the SIP server 13 _x2 included in the received conference information request (step S62). Specifically, the DB server 22 refers to the second table, and extracts a conference ID that is associated with the identification number of the SIP server 13 _x2 and started within a predetermined time from the current time. The DB server 22 extracts the conference participation base ID and the setting information with reference to the third table using the extracted conference ID as a search key. Then, the DB server 22 extracts a mail address by referring to the first table using the extracted conference participation base ID as a search key. The DB server 22 uses the extracted information as conference information. Thereafter, the DB server 22 transmits the extracted conference information to the SIP server 13 _x2 that has transmitted the conference information request received in Step S62 (Step S63).

When the SIP server 13 _x2 receives the conference information (step S64), the SIP server 13 _x2 transmits conference notification information indicating that the conference is to be performed to the client device 1 having the conference participation base number included in the received conference information by e-mail. (Step S65).

When the meeting notification information is received, the client device 1 receives an input of a base ID and a password and an execution instruction for authentication processing from the client via the operation unit 44. Then, the client device 1 transmits an authentication processing request based on the received information to the SIP server 13 _x2 (step S66). When receiving the request for the authentication process, the SIP server 13 _x2 transmits an authentication process request to the DB server 22 (step S67).

When the DB server 22 receives the authentication process request, the DB server 22 performs the authentication process (step S68). This authentication process is performed with reference to the first table and the third table stored in the storage 21. That is, the DB server 22 determines whether the combination of the base ID and the password included in the authentication processing request is registered in the first table. If the combination is registered in the first table, the DB server 22 further stores the combination in the third table. It is determined whether the base ID is registered. When registered in both, the DB server 22 determines that the authentication has succeeded, and otherwise determines that the authentication has failed. Thereafter, the DB server 22 transmits an authentication result to the SIP server 13 _x2 that has transmitted the authentication processing request (step S69). When the authentication is successful, the DB server 22 acquires setting information corresponding to the site ID included in the authentication processing request from the third table stored in the storage 21, and uses this setting information together with information indicating authentication OK. Transmit to the SIP server 13 _x2 .

When the SIP server 13 _x2 receives the authentication result from the DB server 22 (step S70), the combination of the base ID and the setting information of each client device 1 included in the received authentication result is stored in the storage unit 412 or the storage 14. Store (step S71). Further, the SIP server 13 _x2 transmits an authentication result to the client device 1 that has transmitted the request for the authentication process (step S72). The client apparatus 1 has a conference flag in the storage unit 42, and the flag is turned ON when the conference start time comes.

[4.3. Meeting processing]
Next, the conference process will be described with reference to FIG. This process is a process executed between each client device 1 participating in the Web conference and the SIP server 13 _x2 . In FIG. 16, for convenience of explanation, two client devices, the client device 1a and the client device 1b, are shown. However, in reality, the same processing is repeated during the Web conference as many as the number of client devices 1 participating in the conference. Is called.

First, the client device 1a transmits the video information acquired via the information acquisition unit 45 to the SIP server 13 _x2 (step S75a). Similarly, the client device 1b transmits the video information acquired via the information acquisition unit 45 to the SIP server 13 _x2 (step S75b).

When the SIP server 13 _x2 receives video information from each client device 1 (step S76), it generates video information to be transmitted to each client device 1 based on the received video information (step S77). At this time, the setting information for each client device 1 stored in the storage unit 412 or the storage 14 is referred to. Thereafter, the SIP server 13 _x2 transmits the generated video information to each client device 1 (step S78).

Receiving the video information from the SIP server 13 _x2, the client devices 1a and 1b display the video on the presentation unit 46 based on the received video information (steps S79a and S79b).

Next, specific processing for each element in the Web conference system that performs the above operation will be described.

[4.4. Processing in client device 1]
First, the processing in the client device 1 will be specifically described with reference to FIG.

First, the control unit 41 determines whether or not an instruction to execute authentication processing has been received from the client via the operation unit 44 (step S81). If it is determined that an authentication process execution instruction has been received (step S81: YES), the control unit 41 transmits an authentication process request to the SIP server 13 _x2 (step S82). This request for registration processing includes a base ID and a password. Thereafter, the control unit 41 receives the authentication result from the SIP server 13 _x2 (step S83).

On the other hand, if it is determined in step S81 that the authentication process execution instruction has not been received (step S81: NO), the control unit 41 determines in step S84 whether or not the conference information registration process execution instruction has been received. If it is determined that the conference registration process execution instruction has been received (step S84: YES), the control unit 41 transmits a conference information registration process request to the SIP server _13x2 based on the received input in step S85. Thereafter, the control unit 41 receives completion information indicating registration of conference information transmitted from the SIP server 13 _{x2 in} response to the conference information registration processing request (step S86).

On the other hand, if it is determined in step S84 that an instruction to execute the conference information registration process has not been received (step S84: NO), the control unit 41 determines whether it is the conference start time (step S87). In this process, the control unit 41 determines that there is a meeting instruction when the meeting start time comes. This determination is made based on whether the in-conference flag stored in the storage unit 42 is ON. If it determines with it not being the meeting start time (step S87: NO), the control part 41 will transfer a process to step S81, and will repeat the process after step S81. On the other hand, if it determines with it being a meeting start time (step S87: YES), the control part 41 will transfer a process to step S88.

In step S88, the control unit 41 transmits the video information acquired via the information acquisition unit 45 to the SIP server 13 _x2 . Also, the control unit 41 presents the video information acquired from the SIP server 13 _x2 to the presentation unit 46 (step S89). Thereafter, the control unit 41 determines whether or not the conference is over (step S90). This determination is made based on whether or not the in-conference flag stored in the storage unit 42 is OFF. If it determines with it not being the meeting completion (step S90: NO), the control part 41 will transfer a process to step S88, and will repeat the process from step S88. On the other hand, if it determines with it being the meeting end (step S90: YES), the control part 41 will transfer a process to step S81, and will repeat the process from step S81.

[4.5. Processing in SIP server 13 _x2 (part 1)]
Next, the process (part 1) in the SIP server 13 _x2 will be specifically described with reference to FIG. In this process, a process corresponding to the request received from the client device 1 is performed.

First, the control unit 411 determines whether or not a request for authentication processing has been received from any one of the client devices 1 (step S101). If it determines with having received the request | requirement of the authentication process (step S101: YES), the control part 411 will transmit an authentication process request to the DB server 22 (step S102). In response to this authentication processing request, when the authentication result is received from the DB server 22 (step S103), the control unit 411 transmits the authentication result to the client device 1 (step S104).

On the other hand, if it is determined in step S101 that a request for authentication processing has not been received (step S101: NO), the control unit 411 determines whether a request for conference information registration processing has been received (step S105). If it determines with having received the request | requirement of a meeting registration process (S105: YES), the control part 411 will transmit a registration process request to DB server 22 (step S106). In response to this registration processing request, when the processing result is received from the DB server 22 (step S107), the processing result is transmitted to the client device 1 (step S108).

On the other hand, if it is determined in step S105 that the conference information registration process request has not been received (step S105: NO), the control unit 411 determines whether video information has been received (step S109). If it is determined that the video information is not received (step S109: NO), the control unit 411 shifts the process to step S101 and repeats the processes after step S101. On the other hand, when determining that the video information has been received (step S109: YES), the control unit 411 temporarily stores the received video information in the storage unit 412 or the storage 14 (step S110).

Thereafter, the control unit 411 generates video information to be transmitted to the client device 1 that has transmitted the video information received in step S109 (step S111). This video information is generated by processing video information received from the storage unit 412 or another client device 1 stored in the storage 14. Further, at the time of processing, setting information that is one of the confidential information in the company stored in the storage unit 412 or the storage 14 is referred to. When the video information is generated, the control unit 411 transmits the generated video information to the client device 1 (step S112).

[4.6. Processing in SIP server 13 _x2 (part 2)]
Next, the process (part 2) in the SIP server 13 _x2 will be specifically described with reference to FIG. This process is a process of inquiring the DB server 22 whether or not there is a meeting that starts within a predetermined time from the current time, and is repeatedly executed at predetermined time intervals. The process (part 2) is executed in parallel with the above-described “process in the SIP server 13 _x2 (part 1)”.

First, the control unit 411 transmits a conference information request to the DB server 22 (step S121). When receiving a response to the conference information request (step S122), the control unit 411 determines whether the received response includes conference information (step S123). If there is no meeting information corresponding to the meeting information request transmitted in step S121, the received response does not include the meeting information.

If it determines with meeting information not being included (S123: NO), the control part 411 will complete | finish this process. On the other hand, when it is determined that the conference information is included (S123: YES), the control unit 411 indicates the conference notification information indicating that the conference is performed with respect to the client device 1 having the conference participation base number included in the conference information. Is transmitted by electronic mail (step S124).

[4.7. Processing in DB Server 22]
Next, processing in the DB server 22 will be specifically described with reference to FIG.

First, the control unit 61 of the DB server 22 determines whether or not an authentication processing request has been received from the SIP server 13 _x2 (step S131). If it determines with having received the authentication process request (step S131: YES), the control part 61 will perform an authentication process (step S132). This authentication process is performed with reference to the first table and the third table stored in the storage 21, as described in the process of step S68. When this authentication process is completed, the control unit 61 transmits the authentication result to the SIP server 13 _x2 (step S133).

On the other hand, if it is determined in step S131 that an authentication process request has not been received (step S131: NO), the control unit 61 determines whether a registration process request has been received (step S134). If it is determined that the registration processing request has been received (step S134: YES), the control unit 61 registers the conference information in the second table and the third table of the storage 21 as described in the processing of step S58 described above ( Step S135). Thereafter, the control unit 61 transmits completion information indicating that registration of the conference information has been completed to the SIP server 13 _x2 (step S136).

On the other hand, if it is determined in step S134 that a registration processing request has not been received (step S134: NO), the control unit 61 determines whether a conference information request has been received (step S137). If it determines with not having received the meeting information request (step S137: NO), the control part 61 will transfer a process to step S131, and will repeat the process after step S131. On the other hand, if it is determined that the conference information request has been received (step S137: YES), the control unit 61 refers to the first to third tables stored in the storage 21 as described in step S62 above. Meeting information is extracted (step S138). Thereafter, the control unit 61 transmits the extracted conference information to the SIP server 13 _x2 (step S139).

In addition, description of each embodiment mentioned above is an example of this invention, and this invention is not limited to the above-mentioned embodiment. For this reason, it is needless to say that various modifications other than the above-described embodiments can be made according to the design and the like as long as they do not depart from the technical idea of the present invention.

DESCRIPTION OF SYMBOLS 1 Client apparatus 11 Server system 12 Blade server 13 _x Virtual AP server 13 _x2 SIP server 14, 21 Storage 22 Database server 23 Management apparatus

Claims (7)

An enterprise that operates on a server connected to the Internet and processes a request from a client device, and stores corporate confidential information that is connected to the corporate network and includes information about a user who uses the client device. A virtual machine in an application service providing system comprising a database server,
Accepting means for accepting a request from a client device via the Internet;
In response to a request from the client device, a determination unit that determines whether or not processing based on the confidential information in the company is necessary;
When it is determined by the determination means that processing based on the confidential information in the company is necessary, a secure connection is established with an in-company database server connected to the corporate network and performing storage processing of the confidential information in the company. First processing means for performing communication and processing for the request based on the confidential information in the company;
A virtual machine comprising: second processing means for executing processing in response to the request when the determination means determines that processing based on the confidential information in the company is not necessary. The enterprise database server stores authentication information of the user of the client device,
The determination unit determines that processing based on the in-company confidential information is necessary when obtaining authentication information from the client device;
The first processing means inquires of the in-company database server whether or not authentication information matching the acquired authentication information is stored in the in-company database server, and performs the authentication process of the client device. The virtual machine according to claim 1, wherein: A third processing unit configured to perform secure communication with the in-company database server and store the in-company secret information in the in-company database server when the in-company secret information is received from the client device; The virtual machine according to claim 1, wherein the virtual machine is a virtual machine. The virtual processing device according to any one of claims 1 to 3, wherein the first processing means processes information acquired from the client device based on the confidential information in the company and transmits the information to the client device. Machine. To a virtual machine running on a server connected to the Internet,
An accepting step for accepting a request from a client device via the Internet;
A determination step for determining whether or not processing based on confidential information in the company including user information of the client device is necessary for the request from the client device;
If it is determined in the determination step that processing based on the confidential information in the company is necessary, secure communication is performed with an internal database server connected to the internal network and storing the confidential information in the company. And a first processing step for performing processing for the request based on the in-company confidential information;
A program for executing a second processing step for executing processing for the request when it is determined in the determination step that processing based on the confidential information in the company is not necessary. A virtual machine that runs on a server connected to the Internet and performs processing in response to a request from a client device;
In an application service providing system comprising an in-company database server connected to an in-company network,
The corporate database server is
Storage means for storing in-company confidential information including user information of the client device;
In response to a request from the virtual machine, storage processing means for searching, changing or deleting the confidential information in the company stored in the storage means, or adding the confidential information in the company to the storage means,
The virtual machine is
Accepting means for accepting a request from a client device via the Internet;
In response to a request from the client device, a determination unit that determines whether or not processing based on the confidential information in the company is necessary;
When it is determined by the determination means that processing based on the confidential information in the company is necessary, secure communication is performed with the database server in the company, and processing for the request is performed based on the confidential information in the company. First processing means to perform,
An application service providing system comprising: a second processing unit that executes a process for the request when the determination unit determines that the process based on the confidential information in the company is not necessary. An application service providing method by a virtual machine that operates on a server connected to the Internet and performs processing according to a request from a client device, and an in-company database server connected to the in-company network,
A reception step in which the virtual machine receives a request from a client device via the Internet;
A determination step of determining whether or not the virtual machine requires processing based on in-company confidential information including user information of the client device in response to a request from the client device;
When it is determined that the process based on the confidential information in the company is necessary in the determination step, the virtual machine performs secure communication with the database server in the company, and A request step for performing processing in response to a request from the client device;
In response to a request from the virtual machine, the in-company database server retrieves, changes or deletes the in-company secret information from the storage unit storing the in-company secret information, or the in-company secret information to the storage unit A storage processing step for adding
An application service comprising: a processing step for performing processing in response to a request from the client device when the virtual machine determines that processing based on the confidential information in the company is not necessary in the determining step How to provide.

Images