DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the communication filed on 02/26/2020, claims 1-20 are pending in this examination.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. This examination is in response to US Patent Application No. 16/801,280.

Examiner Note
Claim 1 cites “a computer readable storage medium”. The computer readable storage medium has been defined in paragraph 180 of the specification as: [The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.] Therefore, claim 1 is statutory under 35 USC 101. Dependent claims 2-10 are also statutory under 35 USC 101.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-3, 7-13, and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. (US2018/0260125) issued to Botes in view of US Patent No. (US2005/0135622) issued to Fors.
Regarding claim 1, Botes discloses a computer program product for facilitating processing in a computing environment, the computer program product comprising: a computer readable storage medium readable by one or more processing circuits and storing instructions for performing operations comprising [See FIG. 1A and corresponding text for more details, computing devices a64A-B, SAN 158, persistent storage resources 170A-B]; and
the node comprising a plurality of channels, and the LKM configured to provide a secure data transfer between the node and another node of the computing environment [¶¶78-80, In implementations, storage array controller 101 includes one or more host bus adapters 103A-C that are coupled to the processing device 104 via a data communications link 105A-C. In implementations, host bus adapters 103A-C may be computer hardware that connects a host system (e.g., the storage array controller) to other network and storage arrays. In some examples, host bus adapters 103A-C may be a Fibre Channel adapter that enables the storage array controller 101 to connect to a SAN, an Ethernet adapter that enables the storage array controller 101 to connect to a LAN, or the like. Host bus adapters 103A-C may be coupled to the processing device 104 via a data communications link 105A-C such as, for example, a PCIe bus.], and [¶272, The example method depicted in FIG. 10 includes configuring (1002), by the storage system (1024), one or more data communications links (1052) between the storage systems (1024, 1046) and the second storage system (1046). In the example method depicted in FIG. 10, the storage system (1024) may configure (1002) one or more data communications links (1052) between the storage system (1024) and the second storage system (1046), for example, by identifying a defined port over a data communications network to be used for exchanging data communications with the second storage system (1046), by identifying a point-to-point data communications link to be used for exchanging data communications with the second storage system (1046), by identifying a data communications network to be used for exchanging data communications with the second storage system (1046)], and [¶272, a service configured to run on customer facilities, such as running in a virtual machine or container, could be used to mediate key exchanges (shared keys) necessary for secure communications between replicating storage systems (1024, 1046)]; and
in response to establishing the connection, registering, by the LKM, security capabilities of the plurality of channels, the security capabilities used by the LKM to provide the secure data transfer between the node and the other node [¶167, … the storage systems described above may make building, operating, and growing an AI system easier due to the random read bandwidth provided by the storage systems, the ability to of the storage systems to randomly read small files (50KB) high rates (meaning that no extra effort is required to aggregate individual data points to make larger, storage-friendly files), the ability of the storage systems to scale capacity and performance as either the dataset grows or the throughput requirements grow, the ability of the storage systems to support files or objects, the ability of the storage systems to tune performance for large or small files (i.e., no need for the user to provision filesystems), the ability of the storage systems to support non-disruptive upgrades of hardware and software even during production model training, and for many other reasons], and [¶241, The example method depicted in FIG. 7 also includes configuring (704) one or more data communications links (716, 718, 720) between each of the plurality of storage systems (714, 724, 728) to be used for synchronously replicating the dataset (712). In the example method depicted in FIG. 6, the storage systems (714, 724, 728) in a pod must communicate with each other both for high bandwidth data transfer, and for cluster, status, and administrative communication. These distinct types of communication could be over the same data communications links (716, 718, 720) or, in an alternative embodiment, these distinct types of communication could be over separate data communications links (716, 718, 720).
In a cluster of dual controller storage systems, both controllers in each storage system should have the nominal ability to communicate with both controllers for any paired storage systems (i.e., any other storage system in a pod)], and [¶¶490, 499].
establishing, by the LKM, a connection between the LKM and an external key manager (EKM) that stores a shared key for the node and the other node:
Even though Botes discloses this limitation as [¶272, a service configured to run on customer facilities, such as running in a virtual machine or container, could be used to mediate key exchanges (shared keys) necessary for secure communications between replicating storage systems (1024, 1046)], Fors furthermore discloses this limitation as: [See FIG. 5 and corresponding text for more detail, client key manager (503), server key manager (511)], and [¶45, 515 RequestAppKey: MN (Mobile Node) requests a key from Client Key Manager for MIP (Mobile Internet Protocol)], and [¶46, 517 RetriveAppKey: Client Key Manager retrieves the Key for MIP from Persistent Storage], and [¶47, 519 Kmip: Key for MIP is passed to the Key Manager], and [¶48, 521 Kmip: Key for MIP is passed to the MN], and [¶52, 528 RequestAppKey: RADIUS Server requests the Application Key for MIP from the Key Manager], and [¶53, 529 RetreiveAppKey: Key Manager retrieves Application Key for MIP from Persistent Storage], and [¶54, 531 Kmip: The Key for MIP is passed to the Key Manager], and [¶55, 533 Kmip: The Key for MIP is passed to the RADIUS Server]; and
initializing a local key manager (LKM) on a node of the computing environment [See item 503, client key manager].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Botes with the teaching of Fors in order to implement methods and functionality for effecting upper layer security schema based on lower layer keying processes within such communication units operating within such networks [Fors, Abstract, ¶1].
Regarding claims 2, 12, and 19, Botes discloses wherein the node is a host computer and the LKM executes in a logical partition of the host computer [¶243, a service configured to run on customer facilities, such as running in a virtual machine or container, could be used to mediate key exchanges necessary for secure communications between replicating storage systems (716, 718, 720)], and [¶148].
Regarding claims 3 and 13, Botes discloses wherein the providing the secure data transfer comprises managing private keys for at least a subset of the plurality of channels [¶169, Readers will appreciate that the storage systems described above may be configured to support the storage of (among of types of data) blockchains. Such blockchains may be embodied as a continuously growing list of records, called blocks, which are linked and secured using cryptography], and [¶245, some communications may be encrypted and secured].
Regarding claims 7 and 16, Botes discloses wherein the node is a host computer or a storage array [¶78, storage array controller 101 includes one or more host bus adapters 103A-C that are coupled to the processing device 104 via a data communications link 105A-C. In implementations, host bus adapters 103A-C may be computer hardware that connects a host system (e.g., the storage array controller) to other network and storage arrays], and [¶243, In the example method depicted in FIG. 7, configuring (704) one or more data communications links (716, 718, 720) between each of the plurality of storage systems (714, 724, 728) to be used for synchronously replicating the dataset (712) may be carried out, for example, by configuring the storage systems (716, 718, 720) to communicate via defined ports over a data communications network, by configuring the storage systems (716, 718, 720) to communicate over a point-to-point data communications link between two of the storage systems (716, 724, 728), or in a variety of ways].
Regarding claim 8, Botes discloses wherein the other node is a host computer or a storage array [¶78, storage array controller 101 includes one or more host bus adapters 103A-C that are coupled to the processing device 104 via a data communications link 105A-C. In implementations, host bus adapters 103A-C may be computer hardware that connects a host system (e.g., the storage array controller) to other network and storage arrays], and [¶243, In the example method depicted in FIG. 7, configuring (704) one or more data communications links (716, 718, 720) between each of the plurality of storage systems (714, 724, 728) to be used for synchronously replicating the dataset (712) may be carried out, for example, by configuring the storage systems (716, 718, 720) to communicate via defined ports over a data communications network, by configuring the storage systems (716, 718, 720) to communicate over a point-to-point data communications link between two of the storage systems (716, 724, 728), or in a variety of ways].
Regarding claims 9 and 17, Botes discloses wherein the channel is a host bus adapter (HBA) [¶78, storage array controller 101 includes one or more host bus adapters 103A-C that are coupled to the processing device 104 via a data communications link 105A-C. In implementations, host bus adapters 103A-C may be computer hardware that connects a host system (e.g., the storage array controller) to other network and storage arrays].
Regarding claim 10, Botes discloses wherein the LKM is further configured to provide a secure data transfer between two of the plurality of channels on the node [¶243, a service configured to run on customer facilities, such as running in a virtual machine or container, could be used to mediate key exchanges necessary for secure communications between replicating storage systems (716, 718, 720)].
Regarding claims 11 and 18, these claims are interpreted and rejected for the same rationale as set forth in claim 1.
Claims 4-6, 14-15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. (US2018/0260125) issued to Botes in view of US Patent No. (US2005/0135622) issued to Fors, and further in view of application RU2663476C2 issued to Oleg Makhotin.
Regarding claims 4, 14, and 20, Botes and Fors do not explicitly disclose, however Makhotin discloses, wherein the establishing a connection comprises initiating a request to the EKM for the connection, the request comprising an authentication certificate assigned to the node [¶147, additionally, the payee information may include a merchant ID that is provided to the merchant application 121 (or to the merchant server associated with the merchant application 121) during the registration phase for the remote transaction processing service or the remote key manager 140. In some embodiments, the payee information may be used to identify the merchant certificate to be provided to the remote key manager 140 (for example, for embodiments in which the mobile payment application 123 transmits the merchant certificate to the remote key manager 140)], and [¶¶27, 29, 70, 72, 106, 123, 174, 182].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Botes and Fors with the teaching of Makhotin in order to verify the authenticity of the authentication data and authorize the requested transaction (or other operation) associated with the remote transaction through a secure and efficient communication architecture. In addition, authentication data may include two-factor authentication by including device authentication data (e.g., security value generated using a shared secret) and user (e.g., personal identification number, password code, etc.) in one process data exchange and authentication. The digital signature can confirm the authenticity of the sender and the integrity of the signed document due to the so-called principle of non-denial, which does not allow the denial of what is signed. A certificate or other data that includes a digital signature by a signatory is said to be "signed" by a signatory [Makhotin, ¶¶23, 69].
Regarding claim 5, Botes and Fors do not explicitly disclose, however Makhotin discloses, wherein the connection is established based at least in response to the EKM recognizing the authentication certificate [¶147, additionally, the payee information may include a merchant ID that is provided to the merchant application 121 (or to the merchant server associated with the merchant application 121) during the registration phase for the remote transaction processing service or the remote key manager 140. In some embodiments, the payee information may be used to identify the merchant certificate to be provided to the remote key manager 140 (for example, for embodiments in which the mobile payment application 123 transmits the merchant certificate to the remote key manager 140)], and [¶¶27, 29, 70, 72, 106, 123, 174, 182].
Regarding claims 6 and 15, Botes and Makhotin do not explicitly disclose, however Fors discloses, wherein the request is a key management interoperability protocol (KMIP) message that is sent via a transport layer security (TLS) session to the EKM [See FIG. 5 and corresponding text for more detail, client key manager (503), server key manager (511)], and [¶45, 515 RequestAppKey: MN (Mobile Node) requests a key from Client Key Manager for MIP (Mobile Internet Protocol)], and [¶46, 517 RetriveAppKey: Client Key Manager retrieves the Key for MIP from Persistent Storage], and [¶47, 519 Kmip: Key for MIP is passed to the Key Manager], and [¶48, 521 Kmip: Key for MIP is passed to the MN], and [¶52, 528 RequestAppKey: RADIUS Server requests the Application Key for MIP from the Key Manager], and [¶53, 529 RetreiveAppKey: Key Manager retrieves Application Key for MIP from Persistent Storage], and [¶54, 531 Kmip: The Key for MIP is passed to the Key Manager], and [¶55, 533 Kmip: The Key for MIP is passed to the RADIUS Server], and [¶22, The L2 Authentication Client 201 and Server 301 are each used in establishing a network connection, specifically for the Layer 2 authentication… Examples of L2 Authentication processes or methods include using EAP-TLS denotes EAP with Transport Level Security extensions].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Botes and Makhotin with the teaching of Fors in order to implement methods and functionality for effecting upper layer security schema based on lower layer keying processes within such communication units operating within such networks [Fors, Abstract, ¶1].

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Bunch (US20190238323) [KEY MANAGERS FOR DISTRIBUTED COMPUTING SYSTEMS USING KEY SHARING TECHNIQUES, Abstract].
Neerumalla (US2019/0068370) [KEY MANAGERS FOR DISTRIBUTED COMPUTING SYSTEMS].
Przykucki (US8266433) [Method And System For Automatically Migrating Encryption Keys Between Key Managers In A Network Storage System, Abstract].
Buer (US2010/0290624) [Key Management System And Method].
Kao (US6275944) [Method and System for Single Sign on Using Configuration Directives with Respect to Target Types, ¶¶29, 40].
Fang (US6240512) [Single Sign-on (SSO) Mechanism Having Master Key Synchronization].
Carlson (US2009/0049311) [Efficient Elimination of Access to Data on A Writable Storage Media].
WO2019/225921 [METHOD FOR STORING DIGITAL KEY AND ELECTRONIC DEVICE].
CN 1359574 A [certificate, authentication; see the claims].
Scheidt (US6490680) [(47) A user's certificate is contained in that user's credentials so that it can be sent with Constructive Key Management objects that the user has signed. The recipient of a Constructive Key Management object uses the Credential Manager's public key to decrypt the sender's certificate and recovers that user's public key. The sender's public key is used to verify the digital signature on that Constructive Key Management object].
Gade (20100031045) [METHODS AND SYSTEM AND COMPUTER MEDIUM FOR LOADING A SET OF KEYS, ¶¶45-46].
Kobata (20060005237) [¶9, A digital certificate uses public key cryptography to authenticate the identity of a communicating party. A digital certificate for a particular identity is issued by a certification authority (CA). The identity presents the digital certificate and the identity's public key to an authenticating service that uses the digital certificate and public key to confirm the identity of the presenter of the public key], and [¶¶10, 38-40].

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207. The examiner can normally be reached Monday-Friday, 8:30am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHAHRIAR ZARRINEH/Examiner, Art Unit 2496