Abstract: The present invention provides a method, system, and computer program product which enables changing user credentials that are used to access legacy host applications and/or systems which provide legacy host data during a secure host access session which is authenticated using a digital certificate and is protected by a host-based security system, such as RACF (Resource Access Control Facility, a product offered by the IBM Corporation), where these changed credentials are used to authenticate a user after previously-provided credentials have been used for authentication earlier in the same session. The changed credentials may belong to the same user, where that user happens to have a different user ID and/or password for different legacy host applications and wishes to change from accessing one legacy host application to accessing another. Or, the changed credentials may be used to enable a different user to interact with the same legacy host application used by the previously-authenticated user.

Abstract: Techniques are disclosed for using geographical taxonomy data in network-accessible registries (such as the Universal Description, Discovery, and Integration, or “UDDI”, registry), where this taxonomy data leverages spatial extenders within spatially-enabled databases. Built-in functions of a spatially-enabled object relational database system can then be used for entries in the network-accessible registry.

Abstract: Methods, systems, and computer program products for automatically transforming data or business messages to enable communication between parties in a distributed computing environment (e.g. between business partners who exchange data over a public network, and who do not necessarily use the same data formats), where this data transformation preferably occurs at the edge of the computing network. A set of transformation services is described, and include template registration, transformation, forward, and receive services. Services from this set may optionally be combined to create composite transformation services. A template defines how to transform one data format into another. Selection criteria may be provided to enable dynamically selecting a template at run-time.

Abstract: Methods, systems, computer program products, and methods of doing business by automatically and dynamically annotating events in an event management system (“EMS”) to adapt to capabilities of a management system of which the EMS is an integral part. Furthermore, the EMS may automatically and dynamically recycle existing events (including events which are already annotated) for processing with newly-defined or different EMS capabilities. Events may also be re-annotated to reflect new or different capabilities of the EMS. These benefits of “smart events” are realized without requiring re-instrumentation of the event generation code of managed applications.

Abstract: The present invention provides a method, system, and computer program product for improving scheduling of tasks in systems that accumulate execution time. An upper bound is computed on the amount of additional time each schedulable task in the system may continue to execute after exceeding its predetermined cost, without adversely affecting overall operation of the system (that is, ensuring that the continued execution will not cause invocations of subsequent tasks to fail to meet their execution deadlines). By allowing tasks to run longer, the potential that the task will successfully end is increased, thereby yielding a more efficient overall system. In the preferred embodiment, the extensions are iteratively computed as a fixed percentage of the cost of each task until reaching an amount of time where the system is no longer feasible.

Abstract: Methods, systems, and computer program products for improving installation of software packages by performing dynamic, remote validation of various installation data before building an installation image. The remote validation occurs in the target environment, such that the values for various installation parameters can be analyzed in the context of that target environment. Creation and distribution of the installation package can then be suppressed until the configuration parameters have acceptable values. This immediate feedback approach allows for a more efficient installation process. In preferred embodiments, structured markup language syntax is used to specify which configuration values are subject to remote validation.

Abstract: Improved techniques are disclosed for accessing content in file systems, allowing file system clients to realize advantages of file system referrals even though a file access protocol used by the client is not specifically adapted for referral objects. (For example, the client may have a legacy file system protocol or a proprietary file system protocol which does not support referrals.) These advantages include a uniform name space view of content in a network file system, and an ability to locate content in a (nearly) seamless and transparent manner, even though the content may be dynamically moved from one location to another or replicated in different locations. A file system server returns a symbolic link in place of a referral, and an automated file mounting process on the client is leveraged to access the content using the link. Built-in crash recovery techniques of the file system client are leveraged to access moved content.

Abstract: Proxy data stream handling and complex object parameter handling allow object oriented programs to be run as distributed programs without any explicit networking code, and without using an interface definition language (IDL). Two proxies are generated dynamically that allow method calls written for local invocation to be invoked over a network. These dynamically-generated proxies allow calls to flow across a network as if they were local, and contain support for using data stream and complex objects as parameters.

Abstract: A method, system, and computer program product for improving the performance, reliability, and recoverability of a computer running a multi-threaded server application. The described techniques enable synchronization requirements to be minimized. A policy is enforced which limits the number of worker threads currently assigned to processing connections to a particular host. Thus if a host fails, some number of worker threads continue to actively service connections to other hosts. The policy may use static or dynamic limits. A single limit may pertain to all hosts, or host-specific limits may be used.

Abstract: The present invention provides a method, system, and computer program product for applying transformations to extensible documents, enabling reductions in the processing time required to transform arbitrarily-structured documents having particular well-defined elements. Signatures for structured document types are defined, along with one or more transformations to be performed upon documents of that type. The transformations are specified using syntax elements referred to as maps. A map specifies an operation code for the transformation to be performed, and describes the input and output of the associated transformation. A special map processing engine locates an appropriate transformation object to a particular input document at run-time, and applies the transformation operation according to the map definition. This technique is preferably used for a set of predetermined core transformations, with other transformations being processed using stylesheet engines of the prior art.

Abstract: Methods, systems, and computer program products for improving globalization of document content. A globalization model is defined which enables separating and externalizing translation-sensitive resources. A content translation expert can then operate efficiently to provide translated content, and a content designer can more easily focus on the task at hand using a resource-neutral document format. Using the disclosed techniques, translation-sensitive resources identified in a structured document can be programmatically translated by resolving references to a particular supplemental document in which the translated content for a target language has been specified.

Abstract: A method, system, and computer program product for providing consistent, end-to-end protection within a computer network for user datagrams (i.e. packets) traveling through the network. The network may comprise network segments that are conventionally assumed to be secure (such as those found in a corporate intranet) as well as network segments in non-secure networks (such as the public Internet or corporate extranets). Because security breaches may in fact happen in any network segment when datagrams are unprotected, the present invention discloses a technique for protecting datagrams throughout the entire network path by establishing cascaded tunnels. The datagrams may be exposed in cleartext at the endpoints of each tunnel, thereby enabling security gateways to perform services that require content inspection (such as network address translation, access control and authorization, and so forth).

Abstract: Methods, systems, and computer program instructions for enabling users of pervasive devices to remotely access and manipulate information in ways that might otherwise be impossible or impractical because of inherent limitations of the device. The disclosed techniques enable a wide variety of data manipulation operations to be performed on behalf of the pervasive device, for a wide variety of content types. In preferred embodiments, no modifications or add-ons are required to the pervasive device.

Abstract: Techniques are disclosed for improving navigation through content in a user interface that has been rendered in a content aggregation framework (such as in a portal page provided by a portal system). The navigation order for the aggregated content is set dynamically, using programmatic operations, based on input supplied in a markup language document. The navigation order may therefore be efficiently controlled, even though the content which is aggregated may originate from multiple independent sources.

Abstract: The present invention provides methods, systems, devices, and computer program instructions for enabling low-power wireless devices (such as wireless telephones and personal digital assistants, or PDAs) to connect to a fast wired or wireless voice/data network. A novel relay point device, referred to as an “extension point”, is defined that flexibly extends the effective reach of network access points. Use of extension points enables the network infrastructure to be expanded (and subsequently re-configured, if necessary) simply and cost-effectively, requiring little or no additional physical wiring. The defined techniques provide an infrastructure that is scalable, supporting a large number of end users without substantial degradation to connection establishment time and data rates. Using the disclosed techniques, end devices are able to reach network services, and to communicate with other end devices, beyond the nominal working range of these devices and without limitation to the numbers of such devices.

Abstract: The present invention provides a method, system, and computer program product for reliably and efficiently serializing access to data structures (i.e. updates and retrievals) without requiring searchers to use locks. The disclosed technique ensures that the contents of the data structure remain valid during access operations, yet does not require searchers to perform compute-intensive comparison operations to determine validity. Two trees are used at all times. Searches proceed against a first tree, while the second tree is used for performing updates. The steps required to carry out a particular update operation are stored as a queued transaction. When the update to the second tree completes, the trees are switched.

Abstract: The present invention provides methods, systems, and computer program instructions for providing location-independent packet routing and secure access in a wireless networking environment (such as that encountered within a building), enabling client devices to travel seamlessly within the environment. Each client device uses a constant address. An address translation process that is transparent to the client and server is automatically performed as the device roams through the environment, enabling efficient client migration from one supporting access point to another. The secure access techniques provide user-centric authentication and allow policy-driven packet filtering, while taking advantage of encryption capabilities that are built in to the hardware at each endpoint.

Abstract: A device certificate identifies a particular device using a globally-unique device identifier and contains a public key associated therewith. A private key stored in protected storage of the device is used to digitally sign outbound messages, enabling communicating devices to authenticate one another using the associated device certificate and public key, before returning a response. Devices functioning as servers can thereby securely participate in dynamic, automatic address assignment services using a service such as a Boot Protocol or Dynamic Host Configuration Protocol, and/or to update address information stored in a Domain Name System (DNS) server, ensuring that the update is authentic, and when the DNS is also authenticated, ensuring that a legitimate DNS has been contacted.

Abstract: A technique, system, and computer program for enhancing performance of a computer running a multithreaded server application. A scheduling heuristic is defined for optimizing the number of available threads. This heuristic alleviates over-scheduling of worker threads by defining a technique to wait to assign an incoming request to a currently-executing thread (upon completion of the thread's current work), instead of awakening a blocked thread for the incoming request. Provision is made to ensure no thread waits too long. Two stages are associated with a passive socket, so that a connection is only bound to a worker thread when work arrives for that connection. A new type of socket is defined, for merging input from more than one source and making that merged input available for scheduling. A giveback function is defined, for optimizing assignment of threads to incoming requests when persistent connections are used. Threads that go idle are put onto an idle queue, releasing them from a worker thread.

Abstract: A device certificate identifies a particular device using a globally-unique device identifier and contains a public key associated therewith. A private key stored in protected storage of the device is used to digitally sign outbound messages, enabling the message receiver to authenticate the message originator. Devices requesting address assignment from a service such as a Boot Protocol or Dynamic Host Configuration Protocol service can be authenticated by that service before an address is assigned. The device of the service providing the address assignment may also digitally sign the requested address, using its own private key, enabling the address receiver to verify that the address provider is authentic before accepting and using the assigned address. A device requesting an update to address information stored in a Domain Name System (DNS) server can be authenticated and/or can ensure that a legitimate DNS has been contacted.