Patents by Inventor Joerg Schmidbauer

Joerg Schmidbauer has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11727154
    Abstract: Multiple work requests from different applications are queued to be processed subsequently without interruption by a crypto device. A prediction table is generated for each application to be processed by the crypto device. An initial credit value is determined for each incoming work request. The work request is an entry in an ordered queue in the order of time using respective time stamps. The next work request to be processed is selected from the entries in the queue by using the first entry in the queue for which the credit value for the corresponding application is greater than or equal to the predicted execution time for the corresponding request type in the prediction table. The selected next work request is processed.
    Type: Grant
    Filed: July 16, 2021
    Date of Patent: August 15, 2023
    Assignee: International Business Machines Corporation
    Inventors: Klaus Werner, Joerg Schmidbauer, Jakob Christopher Lang, Angel Nunez Mencias
  • Publication number: 20230018503
    Abstract: Multiple work requests from different applications are queued to be processed subsequently without interruption by a crypto device. A prediction table is generated for each application to be processed by the crypto device. An initial credit value is determined for each incoming work request. The work request is an entry in an ordered queue in the order of time using respective time stamps. The next work request to be processed is selected from the entries in the queue by using the first entry in the queue for which the credit value for the corresponding application is greater than or equal to the predicted execution time for the corresponding request type in the prediction table. The selected next work request is processed.
    Type: Application
    Filed: July 16, 2021
    Publication date: January 19, 2023
    Inventors: Klaus Werner, Joerg Schmidbauer, Jakob Christopher Lang, Angel Nunez Mencias
  • Patent number: 11429733
    Abstract: A method for sharing secret data between multiple containers. In response to the initial booting of an operating system instance in a container, a unique operating system identifier is generated for the operating system instance. A grant authority stores the unique operating system identifier in a reserved area of a secure storage device. In response to a request from the operating system instance to access secret data in the secure storage device, the grant authority determines whether the unique operating system identifier is stored in the secure storage device. The operating system instance may be granted access to secret data in the non-reserved area of the secure storage device.
    Type: Grant
    Filed: November 15, 2018
    Date of Patent: August 30, 2022
    Assignee: International Business Machines Corporation
    Inventors: Klaus Werner, Jakob C. Lang, Joerg Schmidbauer, Angel Nunez Mencias
  • Patent number: 11360963
    Abstract: An example operation may include one or more of receiving a unique identifier and a security value from an object, retrieving a previously stored security value of the object from a database based on the received unique identifier, determining that the object is verified based on the received security value and the previously stored security value, and modifying the previously stored security value to generate a modified security value and transmitting the modified security value to the database.
    Type: Grant
    Filed: September 24, 2019
    Date of Patent: June 14, 2022
    Assignee: International Business Machines Corporation
    Inventors: Klaus Werner, Jakob Christopher Lang, Joerg Schmidbauer, Angel Nunez Mencias
  • Patent number: 11082232
    Abstract: Auditably proving a usage history of an asset, in which the asset includes a hardware security module with at least a public key and a private key. A client application logs hash values of a pair of request data and response data. Usage history of the asset is proved. The proving includes verifying, using the public key, a signature of other hash values of the pair of request data and response data. The other hash values are signed with the private key. The proving further includes comparing the hash values logged by the client application with the other hash values.
    Type: Grant
    Filed: June 24, 2019
    Date of Patent: August 3, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Klaus Werner, Jakob C. Lang, Joerg Schmidbauer, Angel Nunez Mencias
  • Publication number: 20210089514
    Abstract: An example operation may include one or more of receiving a unique identifier and a security value from an object, retrieving a previously stored security value of the object from a database based on the received unique identifier, determining that the object is verified based on the received security value and the previously stored security value, and modifying the previously stored security value to generate a modified security value and transmitting the modified security value to the database.
    Type: Application
    Filed: September 24, 2019
    Publication date: March 25, 2021
    Inventors: Klaus Werner, Jakob Christopher Lang, Joerg Schmidbauer, Angel Nunez Mencias
  • Publication number: 20210091960
    Abstract: An example operation may include one or more of receiving a signed storage request which comprises a unique identifier of an object, a public key of the object, and a signed security value associated with the object, determining, via code installed on a database node, whether the signed storage request is valid based on a signature of the signed storage request and a signature of the signed security value of the object, and in response to validation of the signed storage request, generating a storage object based on the signed storage request which includes the unique identifier, the public key of the object, and the signed security value, and storing the generated storage object in a database including the database node.
    Type: Application
    Filed: September 24, 2019
    Publication date: March 25, 2021
    Inventors: Klaus Werner, Jakob Christopher Lang, Joerg Schmidbauer, Angel Nunez Mencias
  • Publication number: 20200403803
    Abstract: Auditably proving a usage history of an asset, in which the asset includes a hardware security module with at least a public key and a private key. A client application logs hash values of a pair of request data and response data. Usage history of the asset is proved. The proving includes verifying, using the public key, a signature of other hash values of the pair of request data and response data. The other hash values are signed with the private key. The proving further includes comparing the hash values logged by the client application with the other hash values.
    Type: Application
    Filed: June 24, 2019
    Publication date: December 24, 2020
    Inventors: Klaus Werner, Jakob C. Lang, Joerg Schmidbauer, Angel Nunez Mencias
  • Patent number: 10691356
    Abstract: A secure storage device is connected to a computer system. The secure storage device has a memory including a domain and a subdomain storing first and second data, respectively. The computer system includes a first level hypervisor managing a first level virtual machine, which supports a first operating system, and a second level hypervisor. The second level hypervisor manages a second level virtual machine, which supports a second level operating system. A first authentication process for the first level operating system uses first profile data sent by the computer system and a portion of the first data. A second authentication process for the second level operating system uses second profile data sent by the computer system and a portion of the second data. The first data is not accessible by the second level operating system. The second data is not accessible by the first level operating system.
    Type: Grant
    Filed: November 26, 2018
    Date of Patent: June 23, 2020
    Assignee: International Business Machines Corporation
    Inventors: Klaus Werner, Joerg Schmidbauer, Jakob C. Lang
  • Patent number: 10685126
    Abstract: A method for operating a secure storage device with a non-volatile memory on a computer system which executes multiple operating system instances. The non-volatile memory comprises one or more domains which are used by the operating system instances. A separate trusted key entry system is used to configure secret data of an operating system instance stored in the non-volatile memory. The method comprises setting a domain to either secure or non-secure mode; generating a unique identifier of the operating system instance; generating a secure hash for the operating system instance; and storing the secure hash in the domain.
    Type: Grant
    Filed: January 22, 2018
    Date of Patent: June 16, 2020
    Assignee: International Business Machines Corporation
    Inventors: Jakob C. Lang, Joerg Schmidbauer, Klaus Werner
  • Publication number: 20200167085
    Abstract: A secure storage device is connected to a computer system. The secure storage device has a memory including a domain and a subdomain storing first and second data, respectively. The computer system includes a first level hypervisor managing a first level virtual machine, which supports a first operating system, and a second level hypervisor. The second level hypervisor manages a second level virtual machine, which supports a second level operating system. A first authentication process for the first level operating system uses first profile data sent by the computer system and a portion of the first data. A second authentication process for the second level operating system uses second profile data sent by the computer system and a portion of the second data. The first data is not accessible by the second level operating system. The second data is not accessible by the first level operating system.
    Type: Application
    Filed: November 26, 2018
    Publication date: May 28, 2020
    Inventors: Klaus Werner, Joerg Schmidbauer, Jakob C. Lang
  • Publication number: 20200159940
    Abstract: A method for sharing secret data between multiple containers. In response to the initial booting of an operating system instance in a container, a unique operating system identifier is generated for the operating system instance. A grant authority stores the unique operating system identifier in a reserved area of a secure storage device. In response to a request from the operating system instance to access secret data in the secure storage device, the grant authority determines whether the unique operating system identifier is stored in the secure storage device. The operating system instance may be granted access to secret data in the non-reserved area of the secure storage device.
    Type: Application
    Filed: November 15, 2018
    Publication date: May 21, 2020
    Inventors: Klaus Werner, Jakob C. Lang, Joerg Schmidbauer, Angel Nunez Mencias
  • Publication number: 20190228163
    Abstract: A method for operating a secure storage device with a non-volatile memory on a computer system which executes multiple operating system instances. The non-volatile memory comprises one or more domains which are used by the operating system instances. A separate trusted key entry system is used to configure secret data of an operating system instance stored in the non-volatile memory. The method comprises setting a domain to either secure or non-secure mode; generating a unique identifier of the operating system instance; generating a secure hash for the operating system instance; and storing the secure hash in the domain.
    Type: Application
    Filed: January 22, 2018
    Publication date: July 25, 2019
    Inventors: Jakob C. Lang, Joerg Schmidbauer, Klaus Werner
  • Patent number: 9152811
    Abstract: Embodiments include a computer system, method and program product for encrypted file access. An access program module, connected to at least one file system, intercepts a data request for accessing a plaintext file with information stored physically and consecutively on a hard disk and having a pre-determined order and length expected by a program that sends the data request, wherein the plaintext file includes a plaintext record having a key field and a plaintext data field. The access program module determines an encrypted file, associated with the plaintext file, based on a configuration file and the data request, wherein the configuration file indicates the encrypted file associated with the plaintext file. The access program module determines one or more encryption keys based on the configuration file. The access program module accesses an encrypted data field within the encrypted file based on the encryption keys and the key field.
    Type: Grant
    Filed: March 12, 2012
    Date of Patent: October 6, 2015
    Assignee: International Business Machines Corporation
    Inventors: Ingo Franzki, Joerg Schmidbauer
  • Patent number: 9152813
    Abstract: Embodiments include a computer system, method and program product for encrypted file access. An access program module, connected to at least one file system, intercepts a data request for accessing a plaintext file with information stored physically and consecutively on a hard disk and having a pre-determined order and length expected by a program that sends the data request, wherein the plaintext file includes a plaintext record having a key field and a plaintext data field. The access program module determines an encrypted file, associated with the plaintext file, based on a configuration file and the data request, wherein the configuration file indicates the encrypted file associated with the plaintext file. The access program module determines one or more encryption keys based on the configuration file. The access program module accesses an encrypted data field within the encrypted file based on the encryption keys and the key field.
    Type: Grant
    Filed: January 7, 2014
    Date of Patent: October 6, 2015
    Assignee: International Business Machines Corporation
    Inventors: Ingo Franzki, Joerg Schmidbauer
  • Patent number: 8972745
    Abstract: A computer system includes a first storage area accessible by an operating system and a second storage area accessible by authorized functions only. According to some embodiments of the invention at least one protected storage area is implemented into the second storage area, wherein the operating system installs at least one secret key and/or at least one customized processing function into regions of the at least one protected storage area, wherein the operating system transfers data and/or parameters to process into regions of the at least one protected storage area, wherein the operating system selects one of the customized processing functions to execute, wherein the selected customized processing function is executed and accesses storage regions of the at least one protected storage area to process the data and/or parameters, and wherein resulting process data is read from the at least one protected storage area.
    Type: Grant
    Filed: December 14, 2010
    Date of Patent: March 3, 2015
    Assignee: International Business Machines Corporation
    Inventors: Michael J. Jordan, Angel Nunez Mencias, Joerg Schmidbauer, Klaus Werner
  • Publication number: 20140129832
    Abstract: Embodiments include a computer system, method and program product for encrypted file access. An access program module, connected to at least one file system, intercepts a data request for accessing a plaintext file with information stored physically and consecutively on a hard disk and having a pre-determined order and length expected by a program that sends the data request, wherein the plaintext file includes a plaintext record having a key field and a plaintext data field. The access program module determines an encrypted file, associated with the plaintext file, based on a configuration file and the data request, wherein the configuration file indicates the encrypted file associated with the plaintext file. The access program module determines one or more encryption keys based on the configuration file. The access program module accesses an encrypted data field within the encrypted file based on the encryption keys and the key field.
    Type: Application
    Filed: January 7, 2014
    Publication date: May 8, 2014
    Applicant: International Business Machines Corporation
    Inventors: Ingo Franzki, Joerg Schmidbauer
  • Publication number: 20130238581
    Abstract: Embodiments include a computer system, method and program product for encrypted file access. An access program module, connected to at least one file system, intercepts a data request for accessing a plaintext file with information stored physically and consecutively on a hard disk and having a pre-determined order and length expected by a program that sends the data request, wherein the plaintext file includes a plaintext record having a key field and a plaintext data field. The access program module determines an encrypted file, associated with the plaintext file, based on a configuration file and the data request, wherein the configuration file indicates the encrypted file associated with the plaintext file. The access program module determines one or more encryption keys based on the configuration file. The access program module accesses an encrypted data field within the encrypted file based on the encryption keys and the key field.
    Type: Application
    Filed: March 12, 2012
    Publication date: September 12, 2013
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Ingo Franzki, Joerg Schmidbauer
  • Patent number: 8332865
    Abstract: Managing the workload across one or more partitions of a plurality of partitions of a computing environment. One or more processors are identified in a partition to be managed by a quality weight defined according to characteristics of each corresponding processor. A load of each identified processor is measured depending on the requests already allocated to be processed by each corresponding processor. Each identified processor has a performance factor determined based on the measured load and the quality weight. The performance factor is a measurement of processor load. A new request is identified to be allocated to the partition, selecting a processor from the partition with the lowest performance factor. The new request is allocated to the selected processor.
    Type: Grant
    Filed: January 30, 2009
    Date of Patent: December 11, 2012
    Assignee: International Business Machines Corporation
    Inventors: Joerg Schmidbauer, Klaus Werner
  • Patent number: 8001242
    Abstract: The present invention discloses a system and method for automatic redirection of record-based data access to host files to multiple non-host file systems having non-record-based access comprising a redirector engine, a redirector server and at least one handler. The redirector engine, located on the host side, gets automatic control for each request of a host application (e.g., a read/write request), interprets a property list containing information on whether and how redirection for that request should be processed, makes a redirect decision based on information received from the property list, and establishes a communication with its assigned redirector server. The redirector server, located on a non-host system, handles communication with the redirector engine and the handler, performs data conversions if required and passes control to the handler assigned in the property list.
    Type: Grant
    Filed: May 6, 2002
    Date of Patent: August 16, 2011
    Assignee: International Business Machines Corporation
    Inventors: Wilhelm Mild, Ingo Franzki, Karsten Graul, Joerg Schmidbauer