DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
The amendments filed 1/21/2021 have been accepted. Claims 1-3, 5-8, 10-15, and 17-20 are still pending. Claims 1, 2, 5-8, 10, 12, 14, 15, 17, and 19 are amended. Claims 4, 9, and 16 have been canceled. 
	
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim 1-3, 5- 8, 10-15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bornhoevd et al. (US Patent 8,005,879, hereafter referred to as Bornhoevd) in view of Rudzitis et al. (US PGPub 2019/0342079, hereafter referred to as Rudzitis) in view of Chen (US PGPub 2017/0085374).
Regarding claim 1, Bornhoevd teaches a plurality of devices, and a remote access controller device that is coupled to each of the plurality of devices (Fig. 1 and Col. 4, line 52-67, describes the service mapper that is connected to multiple devices and uses several mapper components to facilitate its function), wherein the remote access controller device operates independently of an operating system provided on the server device (Col. 4, line 52-67, as stated previously, the service mapper is used to deploy services to various devices (servers) on the network, both local and others, showing that it is independent and separate from the operating systems of the other devices. Col. 8, lines 52-67, state that the local service mappers can be located on Stargate servers (server device).  Col. 33, lines 45-62, states that the implementation can be pure hardware, in which case the server’s operating system would not come into play, or it could be implemented as a standalone program), and wherein the remote access controller device is configured to: identify each of the plurality of devices and a type of each of the plurality of devices, identify a profile for each of the plurality of devices, wherein a first profile identified for at least one first storage device included in the plurality of devices is different from a second profile identified for at least one second device (Col. 4, line 52-Col. 5 line 38, describe the service mapper’s function of selecting the appropriate devices to run a service on based on the service metadata and device metadata (device profiles). These profiles can include the device type as well as other information that can be used to indicate different types of devices. Col. 5, lines 15-38, specifically detail the device metadata that can be used in the device profile the combination of which can lead to multiple different profiles for the various devices), and create, using the respective profile identified for each of the plurality of devices, a respective sub-(Col. 4, lines 52-67, as stated previously the service mapper will determine an appropriate device to run a service on and deploy that service (create sub-client) to that device). Bornhoevd does not teach a device-capability-based locking key management system, comprising: a key management system, and a server device that is coupled to the key management system via a network, wherein the server device includes: a plurality of storage devices; and a remote access controller device that is coupled to each of the plurality of storage devices, wherein the profiles to be identified are key management profiles, and the sub-clients to be created are key management sub-clients, and providing the key and locking key management commands directly to the respective storage device.
Rudzitis teaches a device-capability-based locking key management system, comprising: a key management system (Fig. 1 and 2 and Paragraphs [0016]- [0019], describe the key management service that is used to manage the keys for a plurality of hardware security modules (HSMs) that are used to process requests for client devices which can be a server), and a server device that is coupled to the key management system via a network, wherein the server device includes: a plurality of storage devices of different types coupled to the key management system via an out-of-band connection (Paragraph [0050], describe the data store used in the system which can be any device or combination devices which can be a server with multiple storage devices. Paragraph [0014], states that the service can allow for the use of a variety of cryptographic devices from different vendors that have different communication and command protocols. Paragraphs [0016]-[0019], while it is not explicitly stated that an out-of-band connection is used, the use of the HSMs make it obvious one is present as that is how modern HSMs operate due to the more secure nature of out-of-band connections. See Network Hardware Security Module (HSM): Feature Description by KEMP as an example), and a server device that is coupled to the key management system via a network (Fig. 1 and 2 and Paragraph [0021], show and describe the client device and HSMs each of which are connected to the key management service/server over a network), identify a key management profile for each of a plurality of storage devices and based a type of each of the plurality of storage devices, wherein a first key management profile identified for at least one first storage device of a first type included in the plurality of storage devices is different from a second key management profile identified for at least one second storage device of a second type (Paragraphs [0018] and [0019], states that the key management service can identify a particular HSM to send a request to based on an identified cryptographic key metadata as well as metadata of the HSM. The key metadata can relate to the kind of cryptographic algorithm being used. The metadata for the HSMs can be related to the HSM itself such as interface and communication protocols and can also relate to the cryptographic key that the HSM uses such as the management policy, key length, etc. Paragraph [0014] states that one of the reasons for this method is to allow a user to use multiple HSMs from different vendors (thereby having different key management profiles present) and also states that the management server can maintain metadata that allows the service to generate the appropriate commands for the cryptographic device), wherein the respective key management sub-client operates on the remote access controller device, and is configured to communicate, according to the respective key management profile identified for its storage device, with the key management system via the out-of-band connection to provide retrieve a locking key for that storage device (Paragraph [0014] states that one of the reasons for this method is to allow a user to use multiple HSMs from different vendors (thereby having different key management profiles present). Fig. 2 and Paragraphs [0022]-[0024], shows that the key management service can be located on a remote server. While it is not explicitly stated that an out-of-band connection is used, the use of the HSMs make it obvious one is present as that is how modern HSMs operate due to the more secure nature of out-of-band connections. See Network Hardware Security Module (HSM): Feature Description by KEMP as an example), and provide the locking key and locking key management commands directly to its respective device (Paragraphs [0018]-[0019], states that the client can request a cryptographic key that is then retrieved by the key management service. Since the key management service can have multiple different types of cryptographic keys that use different algorithms and communication protocols it means there are multiple sub-clients that are being used that correspond to the difference key/communication types. Since Rudzitis concerns itself more with the managing of the different cryptographic keys there is little discussion on how they are then transmitted and provided to the actual device using them outside of having them being sent to the client device that requested them (see Paragraph [0040])). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Bornhoevd to utilize the key management service of Rudzitis that has different types of cryptographic keys and HSMs so as to allow for the management and use of cryptographic keys that are stored in cryptographic devices that are not controlled by the key management service (Rudzitis, Paragraph [0013]). Bornhoevd and Rudzitis do not teach providing, according to the respective key management profile identified for its storage device, the locking key and locking key management commands directly to that storage device.
Chen teaches wherein the first key management sub-client is configured to provide, according to the respective key management profile identified for its storage device, the locking key and locking key management commands directly to its respective storage device (Paragraph [0060]-[0062], states that the storage controller can receive the key from the BCM and perform locking and unlocking operations to the drive). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Bornhoevd and Rudzitis to have the key management sub-client of the device provide the key and locking commands directly to the 
Regarding claim 2, Bornhoevd, Rudzitis, and Chen teach all the limitations of claim 1. Rudzitis further teaches wherein the remote access controller device is configured to: retrieve key management information from each of the plurality of storage devices (Paragraph [0019], states that the metadata can be stored in a database that the key management service can access meaning that data had to have been received. Paragraphs [0046]-[0048] describe the process of attaching HSMs to the system meaning that when a new HSM is attached the appropriate metadata would need to be obtained so as to maintain it in the database showing that the system retrieves the necessary metadata from the devices and stores it in its database), and wherein the respective key management sub-client for each of the plurality of storage devices is configured to use the key management information retrieved from that storage device to provide the locking key for that storage device (Paragraphs [0018]-[0019] as stated in the rejection to claim 1). The combination of and reason for combining are the same as those given in claim 1.
Regarding claim 3, Bornhoevd, Rudzitis, and Chen teach all the limitations of claim 1. Rudzitis further teaches wherein the remote access controller device is configured to: receive each of the key management profiles identified for each of the plurality of storage devices and store the key management profiles in a key management database that is included in the server device (Fig. 1 and 2 and Paragraphs [0018] and [0019], show that the key management service has a database used to store metadata (profiles) relating to the devices). The combination of and reason for combining are the same as those given in claim 1.
Regarding claim 5, Bornhoevd, Rudzitis, and Chen teach all the limitations of claim 1. Chen further teaches wherein the server device includes: an intermediary device coupled between the remote access controller and at least one of the plurality of storage devices, wherein at least one first key management sub-client is configured to provide the locking key and the locking key management commands to its respective storage device via the intermediary device (Paragraph [0043], states that a system bus called an Intelligent Platform Management Bus/bridge (IPMB) (intermediary device) that is used to facilitate communications between storage devices and the BMC (remote access controller). This means that the client on the BMC that is sending the commands (Paragraphs [0051]-[0052]) will send the commands and key via the bus). The combination of and reason for combining are the same as those given in claim 1.
Regarding claim 6, Bornhoevd, Rudzitis, and Chen teach all the limitations of claim 1. Chen further teaches wherein the server device includes: an intermediary device coupled between the remote access controller and at least one of the plurality of storage devices, wherein the remote access controller device is configured to provide the locking key to its respective storage device via the intermediary device, and wherein the intermediary device is configured to provide the locking key commands to that storage device (Paragraph [0042], states that on startup the BIOS (intermediary device) can be used to identify a shadow drive that is then used to help unlock the self-encrypting drive (sending key and locking commands) so that a boot can be done from the actual self-encrypting drive. Paragraphs [0050]-[0052], show that this key is initially obtained by the BMC (remote access controller) and then can be stored. The BIOS would then later have access to this key that was initially received by the remote access controller and provide that key to the storage device with the locking commands). The combination of and reason for combining are the same as those given in claim 1.
Regarding claim 7, Bornhoevd teaches a remote access controller device is configured to: identify each of the plurality of devices, identify a profile for each of the plurality of devices, wherein a first profile identified for at least one first storage device included in the plurality of devices is different from a second profile identified for at least one second device (Col. 4, line 52-Col. 5, line 38, describe the service mapper’s function of selecting the appropriate devices to run a service on based on the service metadata and device metadata (device profiles). Col. 5, lines 15-38, specifically detail the device metadata that can be used in the device profile the combination of which can lead to multiple different profiles for the various devices), and create, using the respective profile identified for each of the plurality of devices, a respective sub-client for each of the plurality of devices that is configured to communicate with a system (Col. 4, lines 52-67, as stated previously the service mapper will determine an appropriate device to run a service on and deploy that service (create sub-client) to that device). Bornhoevd does not teach a remote access controller and  providing, according to the respective key management profile identified for its storage device, the locking key and locking key management commands directly to that storage device.
Rudzitis teaches a remote access controller processing system  that operates independently of a processing system that provides an operating system for the IHS; and a remote access controller memory system that is coupled to the remote access controller processing system (Fig. 9 and Paragraphs [0049]-[0050], show an exemplary system that has a data store (memory system) and application server (processing system) coupled to the memory system), a key management system (Fig. 1 and 2 and Paragraphs [0016]-[0019], describe the key management service that is used to manage the keys for a plurality of hardware security modules (HSMs) that are used to process requests for client devices which can be a server),  a plurality of storage devices of different types (Paragraph [0014], states that the service can allow for the use of a variety of cryptographic devices from different vendors that have different communication and command protocols), identify each of a plurality of storage devices that are coupled to the remote access controller processing system and a type of each of the plurality of storage devices (Fig. 1 and 2 and Paragraph [0021], show and describe the HSMs each of which are connected to the key management service/server over a network meaning the devices would have to be identified by the system at some point in time. Paragraphs [0014], states that the management server can maintain metadata that allows the service to generate the appropriate commands for the cryptographic device), identify a key management profile for each of a plurality of storage devices based on the type for that storage device, wherein a first key management profile identified for at least one first storage device included in the plurality of storage devices of a first type is different from a second key management profile identified for at least one second storage device of a second type, wherein each respective key management sub-client operates on the remote access controller device, wherein the client for each of the plurality of storage devices that is configured to communicate, according to the respective key management profile identified for its storage device, with a key management system via an out-of-band channel to retrieve a locking key for that storage device (Paragraphs [0018] and [0019], states that the key management service can identify a particular HSM to send a request to based on an identified cryptographic key metadata as well as metadata of the HSM, which can be from different vendors and use different protocols and commands as stated in Paragraph [0014]. The key metadata can relate to the kind of cryptographic algorithm being used. The metadata for the HSMs can be related to the HSM itself such as interface and communication protocols and can also relate to the cryptographic key that the HSM uses such as the management policy, key length, etc. Paragraph [0014] states that one of the reasons for this method is to allow a user to use multiple HSMs from different vendors (thereby having different key management profiles present). Fig. 2 and Paragraphs [0022]-[0024], shows that the key management service can be located on a remote server. While it is not explicitly stated that an out-of-band connection is used, the use of the HSMs make it obvious one is present as that is how modern HSMs operate due to the more secure nature of out-of-band connections. See Network Hardware Security Module (HSM): Feature Description by KEMP as an example), and providing the locking key and locking key management commands directly to its respective device (Paragraphs [0018]-[0019], states that the client can request a cryptographic key that is then retrieved by the key management service. Since the key management service can have multiple different types of cryptographic keys that use different algorithms and communication protocols it means there are multiple sub-clients that are being used that correspond to the difference key/communication types. Since Rudzitis concerns itself more with the managing of the different cryptographic keys there is little discussion on how they are then transmitted and provided to the actual device using them outside of having them being sent to the client device that requested them (see Paragraph [0040])). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Bornhoevd to utilize the key management service of Rudzitis that has different types of cryptographic keys and HSMs so as to allow for the management and use of cryptographic keys that providing the key and locking key management commands directly to the respective storage device.
Chen teaches wherein the first key management sub-client is configured to provide the locking key and locking key management commands directly to its respective storage device (Paragraph [0060]-[0062], states that the storage controller can receive the key from the BCM and perform locking and unlocking operations to the drive). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Bornhoevd and Rudzitis to have the key management sub-client of the device provide the key and locking commands directly to the device as taught in Chen so as to achieve data encryption efficiency for a large number of servers (Chen, Abstract).
Regarding claim 8, Bornhoevd, Rudzitis, and Chen teach all the limitations of claim 7. Rudzitis further teaches wherein the remote access controller device is configured to: retrieve key management information from each of the plurality of storage devices (Paragraph [0019], states that the metadata can be stored in a database that the key management service can access meaning that data had to have been received. Paragraphs [0046]-[0048] describe the process of attaching HSMs to the system meaning that when a new HSM is attached the appropriate metadata would need to be obtained so as to maintain it in the database showing that the system retrieves the necessary metadata from the devices and stores it in its database), and wherein the respective key management sub-client for each of the plurality of storage devices is configured to use the key management information retrieved from that storage device to provide the locking key for that storage device (Paragraphs [0018]-[0019] as stated in the rejection to claim 1). The combination of and reason for combining are the same as those given in claim 7.
Regarding claim 10, Bornhoevd, Rudzitis, and Chen teach all the limitations of claim 7. Chen further teaches an intermediary device coupled to the processing system, wherein at least one first key management sub-client is configured to provide the locking key and the locking key management commands to its respective storage device via the intermediary device (Paragraph [0043], states that a system bus called an Intelligent Platform Management Bus/bridge (IPMB) (intermediary device) that is used to facilitate communications between storage devices and the BMC (remote access controller). This means that the client on the BMC that is sending the commands (Paragraphs [0051]-[0052]) will send the commands and key via the bus). The combination of and reason for combining are the same as those given in claim 7.
Regarding claim 11, Bornhoevd, Rudzitis, and Chen teach all the limitations of claim 10. Chen further teaches wherein the intermediary device is provided by a Host Bus Adapter device (Paragraph [0043], as stated in the rejection to claim 10)
Regarding claim 12, Bornhoevd, Rudzitis, and Chen teach all the limitations of claim 7. Chen teaches an intermediary device coupled to the processing system, wherein the remote access controller device is configured to provide the locking key to its respective storage device via the intermediary device, and wherein the intermediary device is configured to provide the locking key commands to that storage device (Paragraph [0042], states that on startup the BIOS (intermediary device) can be used to identify a shadow drive that is then used to help unlock the self-encrypting drive (sending key and locking commands) so that a boot can be done from the actual self-encrypting drive. Paragraphs [0050]-[0052], show that this key is initially obtained by the BMC (remote access controller) and then can be stored. The BIOS would then later have access to this key that was initially received by the remote access controller and provide that key to the storage device with the locking commands. Paragraph [0026] also states that the server can additionally have RAIDs which would require a RAID controller which would could act as the intermediary device). The combination of and reason for combining are the same as those given in claim 7.
Regarding claim 13, Bornhoevd, Rudzitis, and Chen teach all the limitations of claim 12. Chen further teaches wherein the intermediary device is provided by one of a Basic Input/Output System (BIOS) and a Redundant Array of Independent Disks (RAID) controller device (Paragraph [0026] and [0042], as stated in the rejection to claim 12)
Regarding claims 14, 15, and 17-20, claims 14, 15, and 17-20 are the method claims associated with claims 7, 8, and 10-13. Since Bornhoevd, Rudzitis, and Chen teach all the limitations of claims 7, 8, and 10-13, they also teach all the limitations of claims 14, 15, and 17-20; therefore the rejections to claims 7, 8, and 10-13 also apply to claims 14, 15, and 17-20.

Response to Arguments
Applicant's arguments filed 1/21/2021 have been fully considered but they are not persuasive. The applicant first argues that the references Bornhoevd and Rudzitis do not teach the amended limitations to the independent claims and then argues that Chen does not teach the “according to the respective key management profile” limitation. The examiner agrees partially with this statement. The limitations that were present in the now canceled claims 4, 9, and 16 were not taught by the two references which is why Chen was used to teach those limitations and is now incorporated into the rejections of the independent claims. The new limitations “according to the respective key management profile identified for its storage device” is taught by Rudzitis. As stated in the rejection to claim 1, Paragraphs [0018] and [0019] states that the key management service can identify a particular HSM to send a request to based on an identified cryptographic key metadata as well as metadata of the HSM, which can be from different vendors and use different protocols and commands as stated in Paragraph [0014]. The key metadata can relate to the kind of cryptographic algorithm being used. The metadata for the HSMs can be related to the HSM itself such as interface and communication protocols and can also relate to the cryptographic key that the HSM uses such as the management policy, key length, etc. Paragraph [0014] states that one of the reasons for this method is to allow a user to . 
As stated in the rejection as well, since Rudzitis concerns itself more with the managing of the different cryptographic keys there is little discussion on how they are then transmitted and provided to the actual device using them outside of having them being sent to the client device that requested them (see Paragraph [0040]), which is why Chen is relied upon to explicitly teach the “provide…” limitation. Therefore the references do teach the amended limitations to the independent claims.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, David Yi can be reached on 571-270-7519.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/N.A.P./Examiner, Art Unit 2132                                                                                                                                                                                                        
/DAVID YI/Supervisory Patent Examiner, Art Unit 2132