Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


DETAILED ACTION

Notice to Applicants
This communication is in response to IDS filed on 12/29/2020 and 12/31/2020.


EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone conversation with Applicant’s representative Stephen S. Roche on 09/08/2020, followed by email confirmation dated 09/11/2020.

Please replace the current listing of claims with the following:


one or more non-transitory computer readable storage media; and
program instructions, stored on the one or more computer readable storage media, to 
facilitate maintaining hydration of the KMS system, wherein the program instructions, when executed by one or more processing systems, direct the one or more processing systems to:

in response to  a metadata polling trigger, 
send  a request for metadata updates to a metadata storage service; 

process  a response to the request for metadata updates to identify secret information that is out-of-date[[;]] 
due to a hydration event comprising one or more of an instantiation and a 
restart of the KMS system;
responsive to the hydration event, determine an availability of a second KMS system in the secret distribution infrastructure; 
determine a secret information source from which to obtain the updated secret information to hydrate the KMS system based on the availability of the second KMS system, 
obtain the updated secret information from the determined secret information source; and
hydrate the KMS system with the updated secret information.

2.	 (Currently Amended) The KMS system of claim 1, 



wherein the updated secret information is obtained from the second KMS system when the second KMS system is available in the secret distribution infrastructure and the updated secret information is obtained from the key vault and the metadata storage service when the second KMS system is not available in the secret distribution infrastructure[[;]]



3.	 (Previously Presented) The KMS system of claim 2, wherein to determine the availability of the second KMS system, the program instructions when executed by the one or more processing systems, further direct the one or more processing systems to:
identify one or more local KMS systems within a same deployment as the KMS system; and
determine if at least one of the one or more local KMS systems is available to act as the second KMS system. 

4.	(Previously Presented) The KMS system of claim 3, wherein the program instructions, when executed by the one or more processing systems, further direct the one or more processing systems to:
responsive to determining that the one or more local KMS systems are unavailable to act as the second KMS system, identify one or more remote KMS systems within different deployments than the KMS system; and


5.	(Previously Presented) The KMS system of claim 1, wherein the program instructions, when executed by the one or more processing systems, further direct the one or more processing systems to:
when a response to the request for metadata updates is not received from the metadata storage service: 
identify one or more local KMS systems within a same deployment as the KMS system; 
request metadata from the one or more local KMS systems; 
based on the metadata, determine that the secret information is out-of-date; and 
attempt to hydrate the KMS system with updated secret information obtained from the one or more local KMS systems.

6.	(Previously Presented) The KMS system of claim 5, wherein the program instructions, when executed by the one or more processing systems, further direct the one or more processing systems to:
responsive to determining that the KMS system is unable to hydrate with updated secret information obtained from at least one of the one or more local KMS systems, 
identify one or more remote KMS systems within different deployments than the KMS system; 
request metadata from the one or more remote KMS systems; 
based on the metadata, determine that the secret information is out-of-date; and 
attempt to hydrate the KMS system with the updated secret information obtained from the one or more remote KMS systems.
7.	(Canceled)

8.	(Previously Presented) The KMS system of claim 1, wherein the secret information comprises one or more of certificates, passwords, keys, logins, and domain accounts. 



(Currently Amended) A method of hydrating a key master service (KMS) system in a secret distribution infrastructure, the method comprising:

in response to detecting a  metadata polling trigger,  sending a request for metadata updates;


processing  a response to the request for metadata updates to identify secret information that is out-of-date

due to a hydration event comprising one or more of an instantiation and a restart of the KMS system;
responsive to the hydration event, determining an availability of a second KMS system in the secret distribution infrastructure; 
determining a secret information source from which to obtain updated secret information to hydrate the KMS system based on the availability of the second KMS system;
obtaining the updated secret information from the determined secret information source; and
hydrating the KMS system with the obtained updated secret information.

12.	(Currently Amended) The method of claim 11, 


wherein the updated secret information is obtained from the second KMS system when the second KMS system is available in the secret distribution infrastructure and the updated secret information is obtained from the key vault and the metadata storage service when the second KMS system is not available in the secret distribution infrastructure[[;]]

.

13.	(Previously Presented) The method of claim 12, wherein determining the availability of the second KMS system comprises:
identifying one or more local KMS systems within a same deployment as the KMS system; and
determining if at least one of the one or more local KMS systems is available to act as the second KMS system.

14.	(Previously Presented) The method of claim 13, further comprising:
responsive to determining that the one or more local KMS systems are unavailable to act as the second KMS system, identifying one or more remote KMS systems within different deployments than the KMS system; and
determining if at least one of the one or more remote KMS systems is available to act as the second KMS system.

15.	(Previously Presented) The method of claim 11, further comprising:
when a response to the request for metadata updates is not received from the metadata storage service: 
identifying local KMS systems within a same deployment as the KMS system; 
requesting metadata from the local KMS systems; and


16.	(Previously Presented) The method of claim 15, further comprising:
responsive to determining that the KMS system was unable to hydrate with the updated secret information obtained from the one or more of the local KMS systems:
identifying remote KMS systems within a different deployment than the KMS system; 
requesting metadata from the remote KMS systems; and
when the secret information is out-of-date, attempting to hydrate the KMS system with the updated secret information obtained from the one or more of the remote KMS systems.
17.	(Canceled)

18.	(Previously Presented) The method of claim 11, wherein the secret information comprises one or more of certificates, passwords, keys, logins, and domain accounts.

19.	(Currently Amended) A secret distribution infrastructure comprising:
multiple key vaults that redundantly store secret information associated with an external service; 
a metadata storage service that stores metadata associated with secret information; and
multiple key master deployments each including a plurality of KMS systems that service requests from a plurality of key master clients, wherein at least one KMS system of the plurality of KMS systems is configured to:
detect a metadata polling trigger;
in response to the metadata polling trigger, generate a request for metadata updates;
send the request for metadata updates to the metadata storage service; and
when a response to the request for metadata updates is received from the metadata storage service:

hydrate the at least one KMS system with updated secret information obtained from a key vault;
wherein the at least one KMS system is further configured to:
when a response to the request for metadata updates is not received from the metadata storage service:
identify one or more local KMS systems within a same deployment as the at least one KMS system; and
attempt to hydrate the at least one KMS system with the updated secret information obtained from the one or more local KMS systems.

20.	(Canceled) 

21.	(Currently Amended) The secret distribution infrastructure of claim  19, wherein to attempt to hydrate the at least one KMS system with the updated secret information obtained from the one or more KMS systems, the at least one KMS system is further configured to:
responsive to detecting an inability to hydrate with the updated secret information obtained from the one or more local KMS systems: 
identify one or more remote KMS systems within different deployments than the at least one KMS system; and
attempt to hydrate with the updated secret information obtained from the one or more remote KMS systems.

22.	(Previously Presented) The KMS system of claim 1, wherein the key master clients are configured to provide end-user systems with access to external services.
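The source-selection and fallback ordering recited in claims 1 through 6 (and mirrored in claims 11 through 16 and 19 through 21), as an added illustration that is not part of the application or the examiner's record: the KMS compares the secret versions it holds against the metadata response, then pulls fresh values from an available local KMS, else a remote KMS, else the key vault; when the metadata storage service does not answer, a peer's version list stands in for the metadata. The class names, the (version, value) tuple and the sample deployments are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Secret = Tuple[int, str]  # (version, value) -- constructed toy representation

@dataclass
class Peer:                 # a second KMS system or the key vault
    name: str
    deployment: str
    available: bool
    secrets: Dict[str, Secret] = field(default_factory=dict)

@dataclass
class KMS:                  # the KMS system being hydrated after a restart
    name: str
    deployment: str
    secrets: Dict[str, Secret] = field(default_factory=dict)

def stale(kms: KMS, metadata: Dict[str, int]) -> List[str]:
    """Claim 1: secrets whose locally held version differs from the metadata version."""
    return [n for n, v in metadata.items() if kms.secrets.get(n, (None, None))[0] != v]

def ordered_sources(kms: KMS, peers: List[Peer], vault: Peer) -> List[Peer]:
    """Claims 2-4: available local peers first, then remote peers, then the key vault."""
    local = [p for p in peers if p.available and p.deployment == kms.deployment]
    remote = [p for p in peers if p.available and p.deployment != kms.deployment]
    return local + remote + [vault]

def hydrate(kms: KMS, metadata: Optional[Dict[str, int]],
            peers: List[Peer], vault: Peer) -> Optional[str]:
    """Hydrate kms; return the name of the source used, or None if nothing was updated."""
    sources = ordered_sources(kms, peers, vault)
    if metadata is None:
        # Claims 5-6: the metadata storage service did not answer, so take the
        # version list from the first reachable peer (local before remote).
        if len(sources) == 1:
            return None
        metadata = {n: s[0] for n, s in sources[0].secrets.items()}
    need = stale(kms, metadata)
    if not need:
        return None
    for src in sources:
        # a source counts only if it holds every stale secret at the metadata version
        fresh = {n: src.secrets[n] for n in need
                 if n in src.secrets and src.secrets[n][0] == metadata[n]}
        if len(fresh) == len(need):
            kms.secrets.update(fresh)
            return src.name
    return None
```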




Allowable Subject Matter
Claims 1-6, 8, 11-16, 18-19 and 21-22 are allowed.
The following is an examiner's statement of reasons for allowance: This communication warrants no separate Examiner's Reasons for Allowance; applicant's reply and the Examiner's amendments make the reasons for allowance evident, satisfying the “record as a whole” proviso of 37 CFR 1.104(e).
Any comments Applicant considers necessary must be submitted no later than the payment of the Issue Fee and, to avoid processing delays, should preferably accompany the Issue Fee. Such submission should be clearly labeled "Comments on Statement of Reasons for Allowance". In the event of any post-allowance papers (e.g. IDS, 312 amendment, petition, etc.), Applicant is exhorted to mail papers to the Production Control branch in Publications or fax them to the post-allowance papers correspondence branch at (703) 308-5864 to expedite the issuing process, or to call PUB's Customer Service at (703) 305-8497 with any questions.



Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure: 
US 20160170783 A1	NEAR CACHE DISTRIBUTION IN IN-MEMORY DATA GRID (IMDG)(NO-SQL) ENVIRONMENTS
US 9379890 B1	System and method for managing cryptographic keys
US 9071429 B1	Revocable shredding of security credentials
US 20180006815 A1	Maintaining Operating System Secrets Across Resets

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571) 270-3393. The examiner can normally be reached from 9 AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.








Primary Examiner, Art Unit 2431