Abstract: An example operation may include one or more of receiving a unique identifier and a security value from an object, retrieving a previously stored security value of the object from a database based on the received unique identifier, determining that the object is verified based on the received security value and the previously stored security value, and modifying the previously stored security value to generate a modified security value and transmitting the modified security value to the database.

Abstract: A method includes: federating, by a computer device, a proxy hardware security module from a physical hardware security module; storing, by the computer device, the proxy hardware security module; receiving, by the computer device, a first one of a plurality of periodic identifying communications from the physical hardware security module; and erasing, by the computer device, the proxy hardware security module as a result of the computer device not receiving a second one of the plurality of periodic identifying communications.

Abstract: A computer program product, the computer program product including a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer device to cause the computer device to: federate a proxy hardware security module from a physical hardware security module; store the proxy hardware security module; receive a first one of a plurality of periodic identifying communications from the physical hardware security module; and erase the proxy hardware security module as a result of the computer device not receiving a second one of the plurality of periodic identifying communications.

Abstract: Technology for decrypting and using a security module in a processor cache in a secure mode such that dynamic address translation prevents access to portions of the volatile memory outside of a secret store in a volatile memory.

Abstract: A method includes: federating, by a computer device, a proxy hardware security module from a physical hardware security module; storing, by the computer device, the proxy hardware security module; receiving, by the computer device, a first one of a plurality of periodic identifying communications from the physical hardware security module; and erasing, by the computer device, the proxy hardware security module as a result of the computer device not receiving a second one of the plurality of periodic identifying communications.

Abstract: Aspects of the invention include obtaining, via a processor, an original docker image from a customer, encrypting a disk image using content from the original docker image and encrypting a bootloader. A re-packaged image is created using the encrypted disk image and the secure encrypted bootloader. The re-packaged image is deployed by inserting the re-package image into a pod container and by means of using a mutating webhook, granting elevated privileges to said container and creating a secured Kubernetes pod for protecting workloads, wherein the secured Kubernetes pod has at least one virtual machine containing the pod container.

Abstract: Aspects of the invention include a computer-implemented method including providing, by a processor, a computing cluster having a plurality of cluster nodes and services. The method provides, by the processor, a limited catalog of services and restricts, by the processor, access of an administrator of the computing cluster to use of a service deployer, wherein the service deployer restricts administrator access to installation and administration of clusters and deployment of only the limited catalog of services.

Abstract: Processing is provided for operating an in-memory database, wherein transaction data is stored by a persistence buffer in an FIFO queue, and update processor subsequently: waits for a trigger; extracts the last transactional data associated with a single transaction of the in-memory database from the FIFO memory queue; determines if the transaction data includes updates to data fields in the in-memory database which were already processed; and if not, then stores the extracted transaction data to a store queue, remembering the fields updated in the in-memory database, or otherwise updates the store queue with the extracted transaction data. The process continues until the extracting is complete, and the content of the store queue is periodically written into a persistent storage device.

Abstract: Auditably proving a usage history of an asset, in which the asset includes a hardware security module with at least a public key and a private key. A client application logs hash values of a pair of request data and response data. Usage history of the asset is proved. The proving includes verifying, using the public key, a signature of other hash values of the pair of request data and response data. The other hash values are signed with the private key. The proving further includes comparing the hash values logged by the client application with the other hash values.

Abstract: A computer-implemented method for distributing computing tasks to individual computer systems from a first pool of first computer systems, characterized by controllers executing a specific firmware with a gateway to receive commands via a network and an orchestration unit, whereby in response to a request to perform a computing task, an available and suitable first computer system is selected. An available second computer system is selected from a second pool. A firmware image corresponding to a requested controller firmware level is selected, using a gateway connector to send commands to the gateways. A network connection is established between the gateway in the controller of the first computer system and the gateway connector in the second computer system. Execution of the firmware image is triggered.

Abstract: A computer-implemented method for distributing computing tasks to individual computer systems from a first pool of first computer systems, characterized by controllers executing a specific firmware with a gateway to receive commands via a network and an orchestration unit, whereby in response to a request to perform a computing task, an available and suitable first computer system is selected. An available second computer system is selected from a second pool. A firmware image corresponding to a requested controller firmware level is selected, using a gateway connector to send commands to the gateways. A network connection is established between the gateway in the controller of the first computer system and the gateway connector in the second computer system. Execution of the firmware image is triggered.

Abstract: Aspects of the invention include obtaining, via a processor, an original docker image from a customer, encrypting a disk image using content from the original docker image and encrypting a bootloader. A re-packaged image is created using the encrypted disk image and the secure encrypted bootloader. The re-packaged image is deployed by inserting the re-package image into a pod container and by means of using a mutating webhook, granting elevated privileges to said container and creating a secured Kubernetes pod for protecting workloads, wherein the secured Kubernetes pod has at least one virtual machine containing the pod container.

Abstract: An example operation may include one or more of receiving a unique identifier and a security value from an object, retrieving a previously stored security value of the object from a database based on the received unique identifier, determining that the object is verified based on the received security value and the previously stored security value, and modifying the previously stored security value to generate a modified security value and transmitting the modified security value to the database.

Abstract: An example operation may include one or more of receiving a signed storage request which comprises a unique identifier of an object, a public key of the object, and a signed security value associated with the object, determining, via code installed on a database node, whether the signed storage request is valid based on a signature of the signed storage request and a signature of the signed security value of the object, and in response to validation of the signed storage request, generating a storage object based on the signed storage request which includes the unique identifier, the public key of the object, and the signed security value, and storing the generated storage object in a database including the database node.

Abstract: Aspects of the invention include a computer-implemented method including providing, by a processor, a computing cluster having a plurality of cluster nodes and services. The method provides, by the processor, a limited catalog of services and restricts, by the processor, access of an administrator of the computing cluster to use of a service deployer, wherein the service deployer restricts administrator access to installation and administration of clusters and deployment of only the limited catalog of services.

Abstract: A computer-implemented method, for booting a computer system, that provides a list with entries of startup processes. Each startup process defines a resource of the computer system. For each startup process a requirement is defined. The method further comprises fetching one of the entries of the list with entries of startup processes; determining whether the requirement is satisfied for the one of the entries of the list with entries of startup processes; fetching, in case the requirement is not fulfilled, a next one of the entries of the list with entries of startup processes; starting, in case the required resource is fulfilled, the startup process; and repeating the fetching a next one of the entries, the determining and the starting until all startup processes of the list of startup processes have been started.

Abstract: In an approach to grouping related tasks, one or more computer processors receive a first task initialization by a first user. The one or more computer processors determine whether one or more additional tasks contained in one or more task groups are in use by the first user. Responsive to determining one or more additional tasks contained in one or more task groups are in use, the one or more computer processors determine whether the first task is related to at least one task of the one or more additional tasks. Responsive to determining the first task is related to at least one task of the one or more additional tasks, the one or more computer processors add the first task to the task group containing the at least one related task of the one or more additional tasks.

Abstract: Auditably proving a usage history of an asset, in which the asset includes a hardware security module with at least a public key and a private key. A client application logs hash values of a pair of request data and response data. Usage history of the asset is proved. The proving includes verifying, using the public key, a signature of other hash values of the pair of request data and response data. The other hash values are signed with the private key. The proving further includes comparing the hash values logged by the client application with the other hash values.

Abstract: An aspect includes receiving a software image file set and a capacity requirement at a software image distribution system. A software image is generated based on the software image file set. A license record is generated based on the capacity requirement. The software image and the license record are provided to an external interface of the software image distribution system. An installation action is triggered by the software image distribution system on to a machine based on a request of an ordering system.

Abstract: An aspect includes receiving a request to boot a software image on a machine including a plurality of processing units having different characteristics. A processing unit subtype identifier is extracted from a license record for the machine. The processing unit subtype identifier includes a software image type and an allocation of the processing units of the processing unit subtype. A processing unit capability of the machine is queried. The software image is enabled with the allocation of the processing units based on verifying that a software image identifier of the software image matches the software image type from the processing unit subtype identifier, and the processing unit capability of the machine meets the allocation of the processing units from the processing unit subtype.