Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1-20 are pending.  Claims 1-6 and 17-20 are under examination. Claims 1-3 and 17-19 are amended.  Claims 1 (a method) and 17 (a non-transitory CRM) are independent.

Response to Arguments
Applicant's arguments filed 6/02/2021 have been fully considered but they are not persuasive. 
First, Applicant asserts that “Oba indicates that the coordinator distributes keys to the controller and to the devices…. There is no APN manager … that distributes a public security certificate to the coordinator, which in turn distributes … the public security certificate received from the APN manager to the client nodes.”  In other words, Applicant asserts that the coordinator of Oba (NCN) does not receive a certificate from the controller of Oba (APN manager) and send said certificate to the devices of Oba (client node).  This argument is not persuasive.
As detailed in Oba Figure 9, the coordinator of Oba (NCN) receives a certificate from the controller of Oba (APN manager):
(“In this process, X.509 certificate exchange and Elliptic curve Diffie-Hellman (ECDH) key exchange are carried out, and mutual authentication and a session key are established.” Oba ¶ 57).  This shows the exchange of certificates between a coordinator 
As detailed in Oba Figure 10, the coordinator of Oba (NCN) further distributes the certificate from the controller (APN manager) to the devices (client nodes):
(“the coordinator 20 distributes an X.509 certificate of the controller 30 to the device 40 through pushing (see (11) in FIG. 10).” Oba ¶ 62. “participating nodes” Oba ¶ 57, plural nodes)

Thus, Oba describes a system whereby a certificate is sent from a controller (APN manager) to a coordinator (NCN), and the coordinator sends the certificate to a device (client node).

Second, Applicant asserts “If the coordinator is the claimed NCN, there is no APN manager executing on a separate server ….. there is no separate NCN executing on a separate server”.  This argument is not persuasive.
There is no statement within Oba that suggests the coordinator and the controller reside on the same server.  Conversely, Oba describes that a physical communication interface is used to communicate between the coordinator and the controllers: (“in FIG. 4, the coordinator 20 includes a central processing unit (CPU) 22, … and a communication interface (I/F) 25…. The communication I/F 25 is an interface for communication with external devices (such as the controllers 30 and the devices 40).” Oba ¶ 38).  Applicant’s argument is not persuasive.
For at least the above reasons, Applicant’s arguments are not persuasive.

Applicant’s amendment to claim 1: “on which the APN VM executes” on 6/02/2021 is not shown by the art of record.  The art of record, and specifically the Averi reference (US 2012/0314578, a prior publication by the assignee), does not disclose virtual machines.  Therefore, the rejection of claim 1 has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Oba (US 2016/0066354), in view of Cooper “Internet X.509 PKI Cert”, and Van Der Merwe et al., US 2015/0365288 (filed 2014-08).

Claim Interpretation: Adaptive Private Network
Adaptive Private Network is not explicitly defined in Applicant’s specification.  Further, the prior art (Averi US 2012/0314578) does not define what an Adaptive Private Network is.  It does not appear to be a “term of art” as of the effective filing date of the present application.  As such, the term Adaptive Private Network or APN is reasonably interpreted to be analogous to other managed network types such as, for example, Software Defined Networks.

Claim Rejections - 35 USC § 112
Claims 1-6 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, and 5 are rejected under 35 U.S.C. 103 as being unpatentable over Oba et al., 2016/0066354 (priority date 2014-08) in view of Cooper et al., “Internet X.509 Public Key Infrastructure Certificate” (published 2008-05) and Van Der Merwe et al., US 2015/0365288 (filed 2014-08), hereafter referred to as Merwe.
As to claim 1, Oba discloses the method comprising:
…  manager executing on a first server (“… and a communication interface (I/F) 25…. The communication I/F 25 is an interface for communication with external devices (such as the controllers 30 and the devices 40).” Oba ¶ 38.  The controller is on a separate server from the coordinator) … and a first public security certificate (Oba Figure 9 shows a ‘controller node’ sending a certificate to the coordinator, thus the controller node has been configured with said certificate. See also: “In this process, X.509 certificate exchange and Elliptic curve Diffie-Hellman (ECDH) key exchange are carried out, and mutual authentication and a session key are established.” Oba ¶ 57) …  …; 
transferring … the first public security certificate from the first … manager to the NCN for installation on the NCN, (The NCN being the coordinator of Figure 9. “In this process, X.509 certificate exchange and Elliptic curve Diffie-Hellman (ECDH) key exchange are carried out, and mutual authentication and a session key are established.” Oba ¶ 57) wherein the first public security certificate contains a first public key corresponding to the first private key; (Oba ¶ 57 “X.509 certificate”; X.509 certificates comprise public keys)
automatically distributing by the NCN a first certificate file including the first public security certificate … to the client nodes, wherein the first public security certificate and first public key are stored in each (See Oba Figure 10 step 11. Also: “The key sharing between the participating nodes and the coordinator 20 is carried out through distribution of a group key from the coordinator 20 to the participating nodes … the coordinator 20 may distribute, to a participating node, a certificate on another participating node.” Oba ¶ 55) of the client nodes; (“the coordinator 20 distributes an X.509 certificate of the controller 30 to the device 40 through pushing (see (11) in FIG. 10).” Oba ¶ 62. “participating nodes” Oba ¶ 57, plural nodes) and 
… wherein the first … manager manages the …. (Oba ¶¶ 122-123 configuration update commands between controller and device)

Oba does not disclose:
configuring a first adaptive private network (APN) manager in a first server with a first private key
for an adaptive private network (APN)
APN VM
within the APN
APN
, under control of a first network administrator,
and an associated first hash of the first certificate file
verifying in each client node of the one or more client nodes that a generated hash of the distributed first certificate file matches the associated first hash to verify the first public security certificate was properly received, 
APN… APN

Cooper discloses:
configuring a first … network manager in a first server with a first private key (“Users of a public key require confidence that the associated private key is owned by the correct remote subject (person or system) with which an encryption or digital signature mechanism will be used. This confidence is obtained through the use of public key certificates, which are data structures that bind public key values to subjects.” § 3.1. possession of the private key is proven by certificate)

verifying in each client node of the one or more client nodes (“Verify the basic certificate information. The certificate MUST satisfy each of the following: The signature on the certificate can be verified using working_public_key_algorithm” Cooper § 6.1.3) that a generated hash of the distributed first certificate file matches the associated first hash to verify the first public security certificate was properly received, (“The signatureValue field contains a digital signature computed upon the ASN.1 DER encoded tbsCertificate…. By generating this signature, a CA certifies the validity of the information in the tbsCertificate field. In particular, the CA certifies the binding between the public key material and the subject of the certificate.” Cooper § 4.1.1.3)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Oba with Cooper by utilizing the known X.509 conventions of Cooper (the signature/hash of § 4.1.1.3, the private key of § 3.1, and the certificate verification of § 6.1.3) to generate and validate the controller certificate of Oba.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Oba with Cooper in order to perform X.509 certificate processing that is suggested by Oba ¶ 57, thereby allowing creation of the X.509 certificates and the use of said certificates to validate the private key certified by said certificates.

Oba in view of Cooper does not disclose:

for an adaptive private network (APN) 
APN VM 
within the APN
APN
, under control of a first network administrator,
APN… APN

Merwe discloses:
a first adaptive private network (APN) (the APN is the controlled Software Defined Network of Merwe which includes: “Controller 128 is responsible for applying changes to the resources 132 of network infrastructure 130” Merwe ¶ 91)
for an adaptive private network (APN) (“FlowOps can support SDN based network devices and can use OpenFlow device drivers with those devices. SDN is an approach to networking in which control is decoupled from hardware and given to a software application. The goal of SDN is to allow network engineers and administrators to respond quickly to changing business requirements.” Merwe ¶ 213)
APN VM (“all or portions of network management system 119 can be virtualized, can be in "the cloud," or can be implemented in other various manners.” Merwe ¶ 66. Where the network management system includes controller 128)
within the APN (“network operator 104, subscribers 108, and service providers 110--can communicate with network manager 120 through portal 121 to establish, manage, and terminate connections between users to support services over network 
APN (the APN is the controlled Software Defined Network of Merwe which includes: “Controller 128 is responsible for applying changes to the resources 132 of network infrastructure 130” Merwe ¶ 91)
, under control of a first network administrator, (“a "network operator" is defined as the entity that manages and controls a network and facilitates sharing of the network between various users.” Merwe ¶ 52. See Also Merwe ¶ 59)
APN… APN (the APN is the controlled Software Defined Network of Merwe which includes: “Controller 128 is responsible for applying changes to the resources 132 of network infrastructure 130” Merwe ¶ 91)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Oba in view of Cooper with Merwe by incorporating the software defined network control elements (network manager, controller and portal) implemented in virtual machines of Merwe in the system of Oba in view of Cooper.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Oba in view of Cooper with Merwe in order to provide automated network management to fix problems and to update and control service configurations in the network without requiring user intervention, Merwe ¶ 8.

As to claim 2 Oba in view of Cooper and Merwe discloses the method of claim 1 and further discloses: 
Thus, M (M≧1) controllers 30 are present.” Oba ¶ 35. Devices in a domain may be connected to multiple controllers.) with a second (a second controller) private key (“Users of a public key require confidence that the associated private key is owned by the correct remote subject (person or system) with which an encryption or digital signature mechanism will be used. This confidence is obtained through the use of public key certificates, which are data structures that bind public key values to subjects.” § 3.1. possession of the private key is proven by certificate) and a second public security certificate (Oba Figure 9 shows a ‘controller node’ sending a certificate to the coordinator, thus the controller node has been configured with said certificate. See also: “In this process, X.509 certificate exchange and Elliptic curve Diffie-Hellman (ECDH) key exchange are carried out, and mutual authentication and a session key are established.” Oba ¶ 57) for the APN (the APN is the controlled Software Defined Network of Merwe which includes: “Controller 128 is responsible for applying changes to the resources 132 of network infrastructure 130” Merwe ¶ 91) including the NCN and the plurality of client nodes; (see OBA Figs. 1-2, the coordinator being NCN and the client nodes being the devices.) 
transferring, under control of the network administrator, (“a "network operator" is defined as the entity that manages and controls a network and facilitates sharing of the network between various users.” Merwe ¶ 52. See Also Merwe ¶ 59) the second public 
automatically distributing by the NCN a second certificate file including the second public security certificate and an associated second hash of the second certificate file to the client nodes (“the coordinator 20 distributes an X.509 certificate of the controller 30 to the device 40 through pushing (see (11) in FIG. 10).” Oba ¶ 62. See Oba ¶ 55, plural nodes), wherein the second public security certificate and second public key are verified (“The signatureValue field contains a digital signature computed upon the ASN.1 DER encoded tbsCertificate…. By generating this signature, a CA certifies the validity of the information in the tbsCertificate field. In particular, the CA certifies the binding between the public key material and the subject of the certificate.” Cooper § 4.1.1.3) in each of the client nodes and wherein the first APN manager and the second APN manager manage (Oba ¶¶ 122-123 configuration update commands between controller and device) the APN. (the APN is the controlled Software Defined Network of Merwe which includes: “Controller 128 is responsible for applying changes to the resources 132 of network infrastructure 130” Merwe ¶ 91)


discovering that a new client node has been added to the APN creating a new configuration of the APN; (“the device 40 transmits an MIH_MN_Group_Manipulate request message to the coordinator 20. The MIH_MN_Group_Manipulate request message contains “src=IDdev(L), dst=IDdev@IDcdn(L), SAID, Security{TargetID=IDdev@IDctl (E or S), GroupAction=join}”” Oba ¶ 117. Joining means new node.)
exporting the new configuration to the NCN for installation; and (Oba ¶ 117. The device in communication with the NCN/coordinator to join the network.)
automatically sending the public security certificate by the NCN to the new client node after the new configuration has been installed. (“the coordinator 20 transmits an MIH_Push_Certificate request message to the device 40.” Oba ¶ 119. See also Oba ¶ 62, discussing phase 2b as discussed above.)


Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Oba et al., 2016/0066354 (priority date 2014-08) in view of Cooper et al., “Internet X.509 Public Key Infrastructure Certificate” (published 2008-05), Merwe et al., US 2015/0365288 (filed 2014-08), and Zhu et al., US 2015/0156025 (priority date of 2013-04).


providing the second APN manager executing on the second server to the NCN with credentials signed (Cooper § 4.1.1.3 signature value, signatures are encrypted hashes.) by the second private key to the client nodes; (“the coordinator 20 distributes an X.509 certificate of the controller 30 to the device 40 through pushing (see (11) in FIG. 10).” Oba ¶ 62. See Oba ¶ 55, plural nodes)
to make requests to the client nodes. (Oba ¶¶ 122-123 configuration update commands between controller and device)
APN (the APN is the controlled Software Defined Network of Merwe which includes: “Controller 128 is responsible for applying changes to the resources 132 of network infrastructure 130” Merwe ¶ 91)

Oba in view of Cooper and Merwe does not disclose:
checking by the NCN the credentials with the first public security certificate and with the second public security certificate that have been installed; and 
permitting the first … manager, upon finding a match with the first public security certificate, or the second … manager, upon finding a match with the second public security certificate, 

Zhu discloses:
checking by the NCN the credentials with the first public security certificate and with the second public security certificate that have been installed; and (“The client 
permitting the first server, upon finding a match with the first public security certificate, or the second server, upon finding a match with the second public security certificate, (“The client encrypts, by using a public key in a server certificate found by searching, a client key exchange message to be sent, and sends an encrypted client key exchange message to the server. The procedure ends” Zhu ¶ 111. A matching certificate begins the encrypted communication)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Oba in view of Cooper and Merwe with Zhu by including the certificate caching mechanisms of Zhu in the key setup/exchange of Oba Figure 9, before allowing the further control aspects of Figures 10 and 25.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Oba in view of Cooper and Merwe with Zhu in order to cache certificates exchanged by the controllers of Oba in the coordinator of Oba, thereby accelerating the PKI handshake and key exchange mechanism of Oba ¶ 57, see Zhu ¶ 7.

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Oba et al., 2016/0066354 (priority date 2014-08) in view of Cooper et al., “Internet X.509 Public Key Infrastructure Certificate” (published 2008-05), Merwe et al., US 2015/0365288 (filed 2014-08), and Hazlewood et al., US 2009/0327708 (filed 2008-05).
As to claim 4, Oba in view of Cooper and Merwe discloses the method of claim 1 but does not disclose:
further comprising: receiving a new public key at a client node; and 
terminating security connections to the client node that use the first public key.

Hazlewood discloses: 
further comprising: receiving a new public key (“"digital certificate" is used to associate an identity, such as an identity of the user, or of a data process system, with one half of the key pair--the "public" key.” Hazlewood ¶ 10) at a client node; and (“process 700 may be used to distribute renewed certificate to replace expired certificates.” Hazlewood ¶ 97)
terminating security connections (“implementation of process 700 may perform a clean-up of the certificate repository by removing the expired or expiring certificate upon receiving the new certificate.” Hazlewood ¶ 97. See also ¶¶ 66-67 discussing the repository.) to the client node that use the first public key. (“a replacement of a certificate may be forced. For example, a certificate may be forced to expire or the certificate may be revoked.” Hazlewood ¶ 34. “If the application determines that the certificate is expiring or has expired in this manner, the application may not accept the certificate.” Hazlewood ¶ 70)


Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Oba et al., 2016/0066354 (priority date 2014-08) in view of Cooper et al., “Internet X.509 Public Key Infrastructure Certificate” (published 2008-05), Merwe et al., US 2015/0365288 (filed 2014-08), and Hicks et al., US 2004/0064760 (filed 2002-09).
As to claim 6, Oba in view of Cooper and Merwe discloses the method of claim 1 and further discloses: including the new client node. (“the device 40 transmits an MIH_MN_Group_Manipulate request message to the coordinator 20. The MIH_MN_Group_Manipulate request message contains “src=IDdev(L), dst=IDdev@IDcdn(L), SAID, Security{TargetID=IDdev@IDctl (E or S), GroupAction=join}”” Oba ¶ 117. Joining means new node.)
APN (the APN is the controlled Software Defined Network of Merwe which includes: “Controller 128 is responsible for applying changes to the resources 132 of network infrastructure 130” Merwe ¶ 91)


further comprising: automatically polling for operating statistics of the new configuration of the [network]
Hicks discloses:
further comprising: automatically polling for operating statistics of the new configuration of the [network] (“The monitored information may be based on a test of a scheduled duration and polling information specifying when, for example, the device/link Management Information Bases (MIBs) are polled and their utilization statistics are recorded. An exemplary readiness rating operation, with the utilization statistics evaluated and the thresholds applied for particular types of devices/links is as follows.” Hicks ¶ 133, see also table 2-4 on ¶¶ 134-136.)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Oba in view of Cooper and Merwe with Hicks by retrieving utilization statistics by polling connected network devices in order to assess the network health or readiness.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Oba in view of Cooper and Merwe with Hicks in order to determine whether the network is fulfilling its expected obligations (e.g. Hicks ¶ 2) so that remediation or network management can be performed in response thereto.


Claims 17, 18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Oba et al., 2016/0066354 (priority date 2014-08) in view of Cooper et al., “Internet X.509 Public Key Infrastructure Certificate” (published 2008-05) and Averi et al., US 2012/0314578 (filed 2012-12).
As to claim 17, Oba discloses the CRM comprising:
executable instructions that when executed by a processor of a computer control the computer to perform steps comprising: (as to the CRM, see Oba ¶ 130)
configuring a first … manager executing on a first server with … and a first public security certificate (Oba Figure 9 shows a ‘controller node’ sending a certificate to the coordinator, thus the controller node has been configured with said certificate. See also: “In this process, X.509 certificate exchange and Elliptic curve Diffie-Hellman (ECDH) key exchange are carried out, and mutual authentication and a session key are established.” Oba ¶ 57) for an … having a network control node (NCN) and a plurality of client nodes and, wherein the NCN is separate from the first server on which the first -4-Serial No.: 16/528,092 APN manager executes and from each client node and administers and controls a plurality of client nodes within the … (see OBA Figs. 1-2, the coordinator being NCNs, the controller being the manager, and the client nodes being the devices.); 
transferring, …, the first public security certificate from the first … manager to the NCN for installation on the NCN, (The NCN being the coordinator of Figure 9. “In this process, X.509 certificate exchange and Elliptic curve Diffie-Hellman (ECDH) key exchange are carried out, and mutual authentication and a session key are established.” Oba ¶ 57) wherein the first public security certificate contains a first public 
automatically distributing by the NCN a first certificate file including the first public security certificate … to the client nodes, wherein the first public security certificate and first public key are stored in each (See Oba Figure 10 step 11. Also: “The key sharing between the participating nodes and the coordinator 20 is carried out through distribution of a group key from the coordinator 20 to the participating nodes … the coordinator 20 may distribute, to a participating node, a certificate on another participating node.” Oba ¶ 55) of the client nodes; and (“the coordinator 20 distributes an X.509 certificate of the controller 30 to the device 40 through pushing (see (11) in FIG. 10).” Oba ¶ 62. “participating nodes” Oba ¶ 57, plural nodes)
… wherein the first … manager manages the …. (Oba ¶¶ 122-123 configuration update commands between controller and device)

Oba does not disclose: 
a first private key
adaptive private network (APN)
APN
APN
under control of a first network administrator
and an associated first hash of the first certificate file

APN, APN, APN, APN

Cooper discloses:
a first private key (“Users of a public key require confidence that the associated private key is owned by the correct remote subject (person or system) with which an encryption or digital signature mechanism will be used. This confidence is obtained through the use of public key certificates, which are data structures that bind public key values to subjects.” § 3.1. possession of the private key is proven by certificate)
and an associated first hash of the first certificate file (Cooper § 4.1.1.3 signature value, signatures are encrypted hashes.)
verifying in each client node of the one or more client nodes (“Verify the basic certificate information. The certificate MUST satisfy each of the following: The signature on the certificate can be verified using working_public_key_algorithm” Cooper § 6.1.3) that a generated hash of the distributed first certificate file matches the associated first hash to verify the first public security certificate was properly received, (“The signatureValue field contains a digital signature computed upon the ASN.1 DER encoded tbsCertificate…. By generating this signature, a CA certifies the validity of the information in the tbsCertificate field. In particular, the CA certifies the binding between the public key material and the subject of the certificate.” Cooper § 4.1.1.3)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Oba with Cooper by utilizing the known X.509 conventions of Cooper (the signature/hash of § 4.1.1.3, the private key of § 3.1, and the certificate verification of § 6.1.3) to generate and validate the controller certificate of Oba.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Oba with Cooper in order to perform X.509 certificate processing that is suggested by Oba ¶ 57, thereby allowing creation of the X.509 certificates and the use of said certificates to validate the private key certified by said certificates.

Oba in view of Cooper does not disclose:
adaptive private network (APN) 
APN 
APN 
under control of a first network administrator 
APN, APN, APN, APN 

Averi discloses:
adaptive private network (APN) (“An APN client node 130 is an APN node that does not perform as the APN control point, but instead performs as an APN client point that works in tandem with an external APN control point for the APN node's control and administration.” Averi ¶ 44)
APN (“APN conduits may exist between the NCN and up to sixteen APN client nodes as shown in FIG. 2” Averi ¶ 80)
APN (Averi ¶¶ 44 and 80)
under control of a first network administrator (“Each APN conduit may have the unique configuration parameters tailored by an administrator for the particular needs of each geographic location associated with a particular APN.” Averi ¶ 80)
APN, APN, APN, APN (“If the APN node is an APN network control node, the module will serve as the APN control point. If the APN node is an APN client, the module will serve as the APN client point.” Averi ¶ 40)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Oba in view of Cooper with Averi by utilizing the network terminology of Averi in the system of Oba in view of Cooper and providing for an administrator to configure the system.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Oba in view of Cooper with Averi in order to provide a configurable network under control of an administrator that improves performance reliability and predictability of the network (Averi ¶ 5).

As to claim 18 Oba in view of Cooper and Averi discloses the CRM of claim 17 and further discloses: 
configuring a second APN manager executing on a second server (See Oba Figure 2, multiple controllers: “one coordinator 20 is present in one ECHONET Lite Thus, M (M≧1) controllers 30 are present.” Oba ¶ 35. Devices in a domain may be connected to multiple controllers.) with a second (a second controller) private key (“Users of a public key require confidence that the associated private key is owned by the correct remote subject (person or system) with which an encryption or digital signature mechanism will be used. This confidence is obtained through the use of public key certificates, which are data structures that bind public key values to subjects.” § 3.1. possession of the private key is proven by certificate) and a second public security certificate (Oba Figure 9 shows a ‘controller node’ sending a certificate to the coordinator, thus the controller node has been configured with said certificate. See also: “In this process, X.509 certificate exchange and Elliptic curve Diffie-Hellman (ECDH) key exchange are carried out, and mutual authentication and a session key are established.” Oba ¶ 57) for the APN (“An APN client node 130 is an APN node that does not perform as the APN control point, but instead performs as an APN client point that works in tandem with an external APN control point for the APN node's control and administration.” Averi ¶ 44) including the NCN and the plurality of client nodes; (see OBA Figs. 1-2, the coordinator being NCN and the client nodes being the devices.) 
transferring, under control of the network administrator, (“Each APN conduit may have the unique configuration parameters tailored by an administrator for the particular needs of each geographic location associated with a particular APN.” Averi ¶ 80) the second public security certificate from the second APN manager to the NCN for installation on the NCN, (The NCN being the coordinator of Figure 9. “In this process, 
automatically distributing by the NCN a second certificate file including the second public security certificate and an associated second hash of the second certificate file to the client nodes (“the coordinator 20 distributes an X.509 certificate of the controller 30 to the device 40 through pushing (see (11) in FIG. 10).” Oba ¶ 62. See Oba ¶ 55, plural nodes), wherein the second public security certificate and second public key are verified (“The signatureValue field contains a digital signature computed upon the ASN.1 DER encoded tbsCertificate…. By generating this signature, a CA certifies the validity of the information in the tbsCertificate field. In particular, the CA certifies the binding between the public key material and the subject of the certificate.” Cooper § 4.1.1.3) in each of the client nodes and wherein the first APN manager and the second APN manager manage (Oba ¶¶ 122-123 configuration update commands between controller and device) the APN. (“If the APN node is an APN network control node, the module will serve as the APN control point. If the APN node is an APN client, the module will serve as the APN client point.” Averi ¶ 40)


As to claim 20 Oba in view of Cooper and Averi discloses the CRM of claim 17 and further discloses:
GroupAction=join}”” Oba ¶ 117. Joining means new node.)
exporting the new configuration to the NCN for installation; and (Oba ¶ 117. The device in communication with the NCN/coordinator to join the network.)
automatically sending the public security certificate by the NCN to the new client node after the new configuration has been installed. (“the coordinator 20 transmits an MIH_Push_Certificate request message to the device 40.” Oba ¶ 119. See also Oba ¶ 62, discussing phase 2b as discussed above.)


Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Oba et al., 2016/0066354 (priority date 2014-08) in view of Cooper et al., “Internet X.509 Public Key Infrastructure Certificate” (published 2008-05), Averi et al., US 2012/0314578 (filed 2012-12), and Zhu et al., US 2015/0156025 (priority date of 2013-04).

As to claim 19 Oba in view of Cooper and Averi discloses the CRM of claim 18 and further discloses: 

to make requests to the client nodes. (Oba ¶¶ 122-123 configuration update commands between controller and device)
APN (Averi ¶¶ 44 and 80)

Oba in view of Cooper and Averi does not disclose:
checking by the NCN the credentials with the first public security certificate and with the second public security certificate that have been installed; and 
permitting the first … manager, upon finding a match with the first public security certificate, or the second … manager, upon finding a match with the second public security certificate, 

Zhu discloses:
checking by the NCN the credentials with the first public security certificate and with the second public security certificate that have been installed; and (“The client obtains, from the received server handshake message, the identifier of the certificate that the server is ready to use, and searches for the server certificate corresponding to the identifier of the certificate that the server is ready to use, among the server certificates buffered by the client.” Zhu ¶ 110. See also ¶¶ 104 and 105)


A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Oba in view of Cooper and Averi with Zhu by including the certificate caching mechanisms of Zhu in the key setup/exchange of Oba Figure 9, before allowing the further control aspects of Figures 10 and 25.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Oba in view of Cooper and Averi with Zhu in order to cache certificates exchanged by the controllers of Oba in the coordinator of Oba, thereby accelerating the PKI handshake and key exchange mechanism of Oba ¶ 57, see Zhu ¶ 7.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Haddad et al., US 20150169340 discloses a device manager and an SDN controller managing virtual machines in a Software Defined Network.

Waldbusser, US 9544182 discloses a system with virtual gateway devices functioning under a manager device to control slave devices.
Neginhal et al., US 9647883 discloses a virtualized network managed by logical routers.


Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165.  The examiner can normally be reached on M, W-F 8-5.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MICHAEL W CHAO/Examiner, Art Unit 2492