DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1.	Claims 1-12 and 15-22 are pending.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
2.	Claims 1-12 and 15-22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Abgrall, et al. [US 2003/0037237] in view of Wang [US 2017/0250978].
Claim 1:	Abgrall teaches a method, comprising: 
generating, by a computer system cryptographic information [Abgrall: 0041-0042; A CustSecret (Customer Secret) is a cryptographic variable chosen by some component of an application system. A CustAppKey (Customer Application Key) is a cryptographic variable derived from an AppKey and a CustSecret, and can be used directly as a cryptographic key for encryption or integrity checking or as an input to a function that computes other cryptographic variables or keys. See also 0081-0082] usable for authenticating communications [Abgrall: 0015-0017] **between first and second multi-tenant applications [**as rejected under the secondary reference, discussion below], wherein the cryptographic information includes: 
a master private key usable to derive tenant-specific private keys for a plurality of tenants [Abgrall: 0044] hosted by **the first multi-tenant application; and [**as rejected under the secondary reference, discussion below]
master public configuration information usable to derive tenant-specific public keys for the plurality of tenants; [Abgrall: 0052, 0054; shared key includes a private key and public key derived from master public configuration information, which involves information for authentication. See also 0071, 0150, 0158]
sending, by the computer system, the master public configuration information to a directory service accessible to the second multi-tenant applications [Abgrall: 0135, 0465], wherein the second multi-tenant application is executable to use the master public configuration information to derive [Abgrall: 0105, 0148], without maintaining public keys for each of the plurality of tenants, tenant-specific public keys that can be used to authenticate communications from the first multi-tenant application; [Abgrall: 0150-0151, 0159; The AppContainers are secured with the help of the secret master key. Each container is encrypted with a key that is a function of the secret master key and the digest of the code of the program that owns the container]
receiving, from the first multi-tenant application by the computer system, a request for a tenant-specific private key for a tenant application of the plurality of tenants that is useable to sign a request to the second multi-tenant application on behalf of the tenant, wherein the request includes a tenant identifier that identifies the tenant; [Abgrall: 0158, 0166-0168]
performing, by the computer system, a key derivation function to generate a particular tenant-specific private key for the tenant based on the master private key and the tenant identifier; and [Abgrall: 0150, 0663-0666]
sending, by the computer system, the particular tenant-specific private key to the first multi-tenant application. [Abgrall: 0148, 0668]
Abgrall discloses cryptographic information usable for authenticating communications between first and second multi-tenant applications [Abgrall: 0015-0017]. The claimed multi-tenant can broadly be given the broadest reasonable interpretation as (multiple or more than one) users and devices. Abgrall suggests multi-tenant in terms of users and devices; the administrator may also create associations between users and devices to indicate valid combinations, to restrict users to authenticate from specific machines [Abgrall: 0715]. However, Abgrall did not clearly include “communications between first and second multi-tenant applications”.
Wang discloses many multi-tenant applications or platform providers (a.k.a., platform or service provider) wish to provide their users with custom-designated domains that reside behind SSL (HTTPS) [Wang: 0010-0012]. Referring FIG. 2A, shows a basic system configuration, where user activates a browser (e.g., Chrome from 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Wang with Abgrall to teach “communications between first and second multi-tenant applications” for the reason to help these providers with necessary infrastructure to manage the certificates of their customers transparently as there is a need for techniques that can help these providers, small or large, manage as many users as possible without incurring the cost and complexity of managing the certificates.
first multi-tenant application by the computer system, a subsequent request for a tenant-specific private key for a different tenant of the plurality of tenants, wherein the subsequent request includes an identifier of the different tenant [Abgrall: 0081-0082]; and performing, by the computer system, the key derivation function to generate a different particular tenant-specific private key for the different tenant based on the master private key and the identifier of the different tenant.
Claim 3:  Abgrall: 0668; discussing the method of claim 1, further comprising: accessing, by the computer system, certificate information indicating that the computer system is authorized to generate cryptographic information for the plurality of tenants hosted by the first multi-tenant application.
Claim 4:  Abgrall: 0465; discussing the method of claim 3, wherein sending the master public configuration information to the directory service includes: sending, to the directory service by the computer system, the certificate information to enable registration of the master public configuration information at the directory service on behalf of the first multi-tenant application.
Claim 5:  Abgrall: 0642; discussing the method of claim 3, further comprising: receiving, by the computer system, a subsequent request for a tenant-specific private key for a particular tenant not indicated by the certificate information; and rejecting, by the computer system, the subsequent request.
Claim 6:  Abgrall: 0670; discussing the method of claim 3, further comprising: performing, by the computer system, a refresh operation that replaces the master 
Claim 7:  Abgrall: 0669-0670; discussing the method of claim 6, wherein the refresh operation is performed in response to the certificated information being modified.
Claim 8:  Abgrall: 0166; discussing the method of claim 1, wherein the first multi-tenant application is operable to sign the request to a second multi-tenant application using the particular tenant-specific private key, and wherein the request to the second multi-tenant application includes information identifying the master public configuration information at the directory service. [Abgrall: 0465]
Claim 9:  Abgrall: 0088, 0673; discussing the method of claim 1, wherein the first multi-tenant application is a cloud-based service that is operable to store data for the plurality of tenants, and wherein the tenant identifier of the tenant further identifies the cloud-based service.
Claim 10:	Abgrall teaches a non-transitory computer readable medium having program instructions stored thereon that are capable of causing a computer system to perform operations comprising. 
generating cryptographic information [Abgrall: 0041-0042; A CustSecret (Customer Secret) is a cryptographic variable chosen by some component of an application system. A CustAppKey (Customer Application Key) is a cryptographic variable derived from an AppKey and a CustSecret, and can be used directly as a cryptographic key for encryption or integrity checking or as an input to a function that computes other cryptographic variables or keys. See also 0081-0082] usable to authenticate communications [Abgrall: 0015-0017] between first and second multi-tenant applications [**as rejected under the secondary reference, discussion below], wherein the cryptographic information includes: 
tenant-specific private keys for a plurality of tenants [Abgrall: 0044] hosted by-the first **multi-tenant application; and [**as rejected under the secondary reference, discussion below]
public key parameters usable to derive tenant-specific public keys for the plurality of tenants; [Abgrall: 0052, 0054; shared key includes a private key and public key derived from master public configuration information, which involves information for authentication. See also 0071, 0150, 0158]
sending the public key parameters to a directory service accessible to the **second multi-tenant application for retrieving the public key parameters; [Abgrall: 0150, 0159; The AppContainers are secured with the help of the secret master key. Each container is encrypted with a key that is a function of the secret master key and the digest of the code of the program that owns the container] [Abgrall: 0105, 0148] [Abgrall: 0135, 0465]
receiving, from the first multi-tenant application, a request for tenant-specific a private key specific to a tenant of the plurality of tenants, wherein the request includes a tenant identifier that identifies the tenant; [Abgrall: 0158, 0166-0168]
performing a key derivation function to generate a particular tenant-specific private key specific to the tenant based on the master private key and the tenant identifier, wherein the particular tenant-specific private key is usable to sign a request from the first multi-tenant application to the second multi-tenant application on behalf of the tenant; and [Abgrall: 0150, 0663-0666]
sending, to the first multi-tenant application, the particular tenant-specific private key. [Abgrall: 0148, 0668] 
Abgrall discloses cryptographic information usable for authenticating communications between first and second multi-tenant applications [Abgrall: 0015-
Wang discloses many multi-tenant applications or platform providers (a.k.a., platform or service provider) wish to provide their users with custom-designated domains that reside behind SSL (HTTPS) [Wang: 0010-0012]. Referring FIG. 2A, shows a basic system configuration, where user activates a browser (e.g., Chrome from Google, IE from Microsoft or Safari in iPhone) loaded in the computing device to browse the Internet. It is assumed that the user uses the computing device to access a website siteB.com that is hosted on a platform server operated by a platform provider X. Depending on implementation, the platform server may be allocated for a single business or a plurality of business entities (a.k.a., tenant or tenants of the platform provider X). A tenant may create and maintain a site under a specified hostname (e.g., bob.com or siteB.com). Further, a tenant subscribing to the services offered by the platform provider X may allow its own users to establish their virtual sites with hostnames [Wang: 0042, 0048]. Thus, Wang suggests multi-tenant applications where there is “communications between first and second multi-tenant applications” as the many multi-tenant applications or platform providers (a.k.a., platform or service provider) wish to provide their users with custom-designated domains and allow its own users to establish their virtual sites. Accordingly, it is obvious the motivation to have 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Wang with Abgrall to teach “communications between first and second multi-tenant applications” for the reason to help these providers with necessary infrastructure to manage the certificates of their customers transparently as there is a need for techniques that can help these providers, small or large, manage as many users as possible without incurring the cost and complexity of managing the certificates.
Claim 11:  Abgrall: 0166-0167; discussing the medium of claim 10, wherein the operations further comprise: receiving, from the first multi-tenant application, another request for a tenant-specific private key specific to a different tenant of the plurality of tenants, wherein the other request includes an identifier that is associated with the different tenant; performing the key derivation function to generate a different tenant-specific private key specific to the different tenant based on the master private key and the identifier associated with the different tenant; and sending, to the first multi-tenant application, the different private key. [Abgrall: 0135, 0465]
Claim 12:  Abgrall: 0052, 0465; discussing the medium of claim 10, wherein sending the public key parameters to the directory service includes: sending, to the directory service, certification information indicating that the computer system is authorized to register the public key parameters at the directory service in association with the first multi-tenant application.

Claim 14:  Canceled
Claim 15:	Abgrall teaches a method, comprising: 
receiving, by a first computer system, an operation request signed by a second computer system, wherein the operation request specifies a set of operations to be performed [Abgrall: 0110, 0148] **on behalf of a tenant of the second computer system [**as rejected under the secondary reference, discussion below], and wherein the operation request includes a tenant identifier that identifiers the tenant and a reference to master public configuration information stored by a directory service; [Abgrall: 0135, 0465]
retrieving, by the first computer system, the master public configuration information from the directory service using the reference; [Abgrall: 0105, 0148] 
performing, by the first computer system, a key derivation function to generate a tenant-specific public key specific to the tenant [Abgrall: 0150, 0159; The AppContainers are secured with the help of the secret master key. Each container is encrypted with a key that is a function of the secret master key and the digest of the code of the program that owns the container. See also 0081-0082] based on the master public configuration information and the identifier of the tenant; and [Abgrall: 0158, 0166-0168]
verifying, by the first computer system, that the operation request was signed on behalf of the tenant based on the generated tenant-specific public key. [Abgrall: 0150, 0663-0666] 
Abgrall discloses cryptographic information usable for authenticating communications between first and second multi-tenant applications [Abgrall: 0015-0017]. The claimed multi-tenant can broadly be given the broadest reasonable interpretation as (multiple or more than one) users and devices. Abgrall suggests multi-
Wang discloses many multi-tenant applications or platform providers (a.k.a., platform or service provider) wish to provide their users with custom-designated domains that reside behind SSL (HTTPS) [Wang: 0010-0012]. Referring FIG. 2A, shows a basic system configuration, where user activates a browser (e.g., Chrome from Google, IE from Microsoft or Safari in iPhone) loaded in the computing device to browse the Internet. It is assumed that the user uses the computing device to access a website siteB.com that is hosted on a platform server operated by a platform provider X. Depending on implementation, the platform server may be allocated for a single business or a plurality of business entities (a.k.a., tenant or tenants of the platform provider X). A tenant may create and maintain a site under a specified hostname (e.g., bob.com or siteB.com). Further, a tenant subscribing to the services offered by the platform provider X may allow its own users to establish their virtual sites with hostnames [Wang: 0042, 0048]. Thus, Wang suggests “on behalf of a tenant of the second computer system”, as the multi-tenant applications or platform providers (a.k.a., platform or service provider) performs operations or communications and the platform server may be allocated for a single business or a plurality of business entities (a.k.a., tenant or tenants of the platform provider X), of which are on behalf of a tenant of a second computer system. Accordingly, it is obvious the motivation to have operations 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Wang with Abgrall to teach “communications between first and second multi-tenant applications” for the reason to help these providers with necessary infrastructure to manage the certificates of their customers transparently as there is a need for techniques that can help these providers, small or large, manage as many users as possible without incurring the cost and complexity of managing the certificates.
Claim 16:  Abgrall: 0166-0167; discussing the method of claim 15, further comprising: sending, to a third computer system by the first computer system, a particular operation request to perform a set of operations on behalf of a second tenant of the first computer system, wherein sending the particular operation request includes: sending a key request to a private key generator for a tenant-specific private key that is specific to the second tenant, wherein the key request includes a second tenant identifier that identifies the second tenant; receiving a particular tenant-specific private key from the private key generator; and signing the particular operation request based on the particular tenant-specific private key. [Abgrall: 00147-0148]
Claim 17:  Abgrall: 0158; discussing the method of claim 16, wherein the second tenant identifier further indicates the second computer system.
Claim 18:  Abgrall: 0166; discussing the method of claim 15, wherein the master public configuration information is usable by the first computer system to derive, for each tenant of a set of tenants associated with the second computer system, a tenant-specific public key specific to that tenant.
Claim 19:  Abgrall: 0294-0295; discussing the method of claim 15, further comprising: in response to determining that a signature of the operation request is invalid, the first computer system rejecting the operation request from the second computer system.
Claim 20:  Abgrall: 0164-0166; discussing the method of claim 15, wherein the first and second computer systems are a part of a multi-user system that hosts a set of tenants, and wherein the first and second computer systems each implement a respective service for ones of the set of tenants.
Claim 21:  Abgrall: 0; discussing the method of claim 1, wherein the generating of the cryptographic information is performed by a cryptographic information generator executing on the computer system, wherein the cryptographic information generator and the first multi-tenant application are deployed on a virtual cluster.
Claim 22:  Abgrall: 0; discussing the method of claim 21, wherein the cryptographic information generator is accessible only by entities of the virtual cluster.

Response to Arguments
3.	Applicant’s arguments with respect to claim(s) 1-12 and 15-22 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LEYNNA THANH TRUVAN whose telephone number is (571)272-3851.  The examiner can normally be reached on Monday-Friday 8:00AM-5:00PM, EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.



LEYNNA T TRUVAN
Examiner
Art Unit 2435



/L.TT/Examiner, Art Unit 2435 

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435