DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the America Invents Act (AIA ).

Response and Claim Status
The instant Office action is responsive to the interview conducted June 29, 2022 (the “Interview”) and the response received August 10, 2022 (the “Response”).  
In response to the Interview and the Response, the previous (A) objection to claims 27–37 under 37 C.F.R. § 1.71(a); (B) rejection of claims 6 and 8 under 35 U.S.C. § 112(b); (C) rejections of claims 1–14 and 27–37 under 35 U.S.C. § 101; and (D) rejection of claims 1–3, 5–8, 27–29, and 31–33 under 35 U.S.C. § 103 as being obvious over Binyamin (US 2009/0204711 A1; PCT filed May 25, 2007) in view of Tashkandi (US 2021/0042104 A1; filed Aug. 6, 2019), in further view of Johnson et al. (US 11,316,733 B1; filed Apr. 16, 2019), and in further view of Reeve et al. (US 2019/0141022 A1; filed Nov. 7, 2017)
are WITHDRAWN.
Claims 1–14 and 27–37 are currently pending.  

Information Disclosure Statement (IDS)
37 C.F.R. § 1.98(a) recites 
Any information disclosure statement filed under § 1.97 shall include the items listed in paragraphs (a)(1), (a)(2) and (a)(3) of this section. 

. . . 

(2) A legible copy of: (ii) Each publication or that portion which caused it to be listed, other than U.S. patents and U.S. patent application publications unless required by the Office.

The IDSs filed Aug. 10, 2022 and September 14, 2022 each fail to comply with 37 C.F.R. § 1.98(a)(2) which requires a legible copy of each publication or that portion which caused it to be listed.  It has been placed in the application file, but the information referred to therein has not been considered.

Claim Rejections – 35 U.S.C. § 103
Claims 1–8, 27–29, and 31–34 are rejected under 35 U.S.C. § 103 as being obvious over Reeve in view of Tashkandi, and in further view of Johnson.
Regarding claim 1, while Reeve teaches at least one non-transitory computer-readable storage medium including instructions that when executed by a computing node in a computing system (fig. 1A, item 90; “The security component 90 comprises: an authentication data store 180; an authentication component 185; a first communication component 190; and a second communication component 200.” at ¶ 76), cause the computing node to:
receive, by an authentication component (fig. 1B, item 185), a request (“application request” at ¶¶ 71–72) to connect to an application (“application” at ¶ 72; fig. 1A, items 110, 120), a service, or combinations thereof, the request comprising a payload (“an identification portion, an authentication placeholder and a payload portion” at ¶ 72) including information parameters (“identification portion includes information relating to the identification of an application (such as an application name for example)” at ¶ 72);
in response to receiving the request, and based at least on the information parameters, determine hosted locations (“on-premise servers” at ¶¶ 10–11, 41–44), including a hosted location (fig. 1A, item 100) of the application, a hosted location of the service, or combinations thereof,
in response to determining the hosted location of the application, the hosted location of the service, or combinations thereof, and based at least on the information parameters, select a tunnel connection (“the second communication component 170 may establish a mutually authenticated TLS tunnel connection between the switching component 80 and the on-premise security component 90” at ¶ 74; “the first communication component 190 is adapted to establish a secure tunnel for receiving the application request” at ¶ 79; fig. 2, items C, D) from a plurality of tunnel connections (fig. 2, items C, D; “tunnels” at ¶¶ 75, 83);
generate (“the second communication component 170 may establish a mutually authenticated TLS tunnel connection between the switching component 80 and the on-premise security component 90” at ¶ 74; “the first communication component 190 is adapted to establish a secure tunnel for receiving the application request” at ¶ 79; fig. 2, items C, D), by the authentication component, the selected tunnel connection; and
generate, at the authentication component (fig. 1B, item 185), an endpoint (fig. 1B, item 200), wherein the endpoint, including a proxy service endpoint, a proxy application endpoint (fig. 1B, item 200), or combinations thereof, facilitates a connection between authentication component (fig. 1B, item 185) and the hosted location of the application (fig. 1A, item 100), the hosted location of the service, or combinations thereof,
wherein the selected tunnel connection enables the authentication component to route the request using a tunneling protocol (“the second communication component 200 is adapted to establish a secure tunnel for communicating the revised/final application request” at ¶ 82) from the proxy service endpoint or the proxy application endpoint (fig. 1B, item 200) hosted by the authentication component (fig. 1B, item 185) to the hosted location of the application (fig. 1A, item 100) or the hosted location of the service,
Reeve does not teach (A) the authentication component being a proxy service of a Platform-as-a-Service (PaaS) Management Portal; and (B) the request being an API request.
(A)
Tashkandi teaches a proxy service of a PaaS Management Portal (¶¶ 40, 44, 48).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Reeve’s authentication component to be a proxy service of a PaaS Management Portal as taught by Tashkandi “for automated control of platform as a service system updates and modifications.”  Tashkandi ¶ 1.
(B)
Johnson teaches an API request (12:27–56).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Reeve’s request to be an API request as taught by Johnson so that “[u]sers can initiate web service requests to computer devices of a cloud infrastructure and the computer devices can process the requests and return appropriate responses.  Johnson 12:31–33.
Regarding claim 2, Reeve teaches wherein the information parameters include an application name (“identification portion includes information relating to the identification of an application (such as an application name for example)” at ¶ 72), an application type, a service name, service type, or combinations thereof.
Regarding claim 3, Reeve teaches wherein the hosted locations are hosted behind a firewall (“reference to on-premise resources or platforms is taken to refer to a concept of local or private computing resources such as networks, servers, storage devices, application, etc. that are situated locally or within/behind a virtual boundary (often behind a firewall).” at ¶ 5).
Regarding claim 4, Reeve teaches wherein the selected tunnel connection (“the second communication component 170 may establish a mutually authenticated TLS tunnel connection between the switching component 80 and the on-premise security component 90” at ¶ 74; “the first communication component 190 is adapted to establish a secure tunnel for receiving the application request” at ¶ 79; fig. 2, items C, D) enables the proxy service to route the API request using a requested tunneling protocol (fig. 2, item D; “The modified application request is communicated by the second communication component 200 of the security component 90 to the first application 110 (‘APPLICATION A’) of the on-premise resources 73 as indicated by the arrow labeled ‘D’.” at ¶ 88; ¶ 82) from the proxy service endpoint or the proxy application endpoint (fig. 1B, item 200) hosted by the PaaS Management Portal to the hosted location of the application (fig. 1B, item 100), the hosted location of the service, or combinations thereof
Regarding claim 5, while the Reeve/Tashkandi/Johnson combination teaches the Paas management portal (Tashkandi ¶¶ 40, 44, 48), the Reeve/Tashkandi/Johnson combination does not teach wherein the PaaS Management Portal is a centralized management plane (MP) for clusters and cloud native services.
Johnson teaches a centralized management plane (MP) (9:35–48) for clusters and cloud native services (intended use in italics).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Reeve/Tashkandi/Johnson combination’s PaaS Management Portal to be a centralized management plane (MP) for clusters and cloud native services as taught by Johnson so that “[u]sers can initiate web service requests to computer devices of a cloud infrastructure and the computer devices can process the requests and return appropriate responses.  Johnson 12:31–33.
Regarding claim 6, while the Reeve/Tashkandi/Johnson combination teaches wherein the API request (“modified application request” at ¶ 88) is dynamically controlled (“The modified application request is communicated by the second communication component 200 of the security component 90 to the first application 110 (‘APPLICATION A’) of the on-premise resources 73 as indicated by the arrow labeled ‘D’.” at ¶ 88; ¶ 82) by the endpoint, and wherein the endpoint is a private endpoint (“reference to on-premise resources or platforms is taken to refer to a concept of local or private computing resources such as networks, servers, storage devices, application, etc. that are situated locally or within/behind a virtual boundary (often behind a firewall).” at ¶ 5),
the Reeve/Tashkandi/Johnson combination does not teach (A) the centralized MP being dynamically controlled; and (B) the endpoint being a public endpoint.
(A)
Johnson teaches a centralized management plane (MP) (9:35–48).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Reeve/Tashkandi/Johnson combination’s endpoint to dynamically control the centralized MP as taught by Johnson so that “[u]sers can initiate web service requests to computer devices of a cloud infrastructure and the computer devices can process the requests and return appropriate responses.  Johnson 12:31–33.
(B)
	An endpoint is either a public endpoint or a private endpoint.
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Reeve/Tashkandi/Johnson combination’s endpoint to be a public endpoint since “a person of ordinary skill has good reason to pursue the known options within his or her technical grasp. If this leads to the anticipated success, it is likely that product [was] not of innovation but of ordinary skill and common sense. In that instance the fact that a combination was obvious to try might show that it was obvious under § 103.”  MPEP § 2143(E)(quoting KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 421 (2007)).
Regarding claim 7, Reeve teaches wherein the hosted location of the application (fig. 1A, item 100), the hosted location of the service, or combinations thereof are located in a private data center (“ON-PREMISE” at figs. 1-–2; “private or sensitive authentication data may be maintained on-premise and not communicated or exposed to the off-premise platform(s)” at ¶ 83; “On-premise platforms are well-established and considered to provide a good level of security because data is stored and handled internally, e.g., within an internal private network” at ¶ 5) not accessible from a public outside network (figs. 1–2, item 72).
Regarding claim 8, Reeve teaches wherein the endpoint (fig. 1B, item 200) is secure (“ON-PREMISE” at figs. 1-–2; “private or sensitive authentication data may be maintained on-premise and not communicated or exposed to the off-premise platform(s)” at ¶ 83; “On-premise platforms are well-established and considered to provide a good level of security because data is stored and handled internally, e.g., within an internal private network” at ¶ 5), multi-tenant, includes access control support, is protected by at least one of a plurality of authentication mechanisms, or combinations thereof.
Regarding claim 27, while Reeve teaches a system (fig. 1) comprising:
at least one processor (fig. 1B, item 185); 
memory (fig. 1B, item 180) coupled to the at least one processor, the memory encoded with instructions for an authentication component (fig. 1A, item 90) ; and 
the authentication component (fig. 1B, item 185) configured to receive an Application Programming Interface (API) a request (“application request” at ¶¶ 71–72), from a requesting application (fig. 1A, item 77), a requesting service, or combinations thereof, to connect to a plurality of clusters (fig. 1A, items 110, 120), a plurality of cloud native services, or combinations thereof, located in a plurality of hosted locations (fig. 1A, item 100; “on-premise servers” at ¶¶ 10–11, 41–44), the request comprising a payload including information parameters (“identification portion includes information relating to the identification of an application (such as an application name for example)” at ¶ 72); and
the authentication component further configured to determine, based at least on receiving the request including the information parameters, determine the plurality of hosted locations (“on-premise servers” at ¶¶ 10–11, 41–44) of the plurality of clusters, the plurality of cloud native services, or combinations thereof;
the authentication component further configured to select, based at least on receiving the request, a tunnel connection (“the second communication component 170 may establish a mutually authenticated TLS tunnel connection between the switching component 80 and the on-premise security component 90” at ¶ 74; “the first communication component 190 is adapted to establish a secure tunnel for receiving the application request” at ¶ 79; fig. 2, items C, D) of a plurality of tunnel connections (fig. 2, items C, D; “tunnels” at ¶¶ 75, 83); and
the authentication component (fig. 1B, item 185) further configured to generate, based on receiving the request including the information parameters, a proxy service endpoint, a proxy application endpoint (fig. 1B, item 200), or combinations thereof, at the authentication component that facilitates a connection between the requesting application (fig. 1A, item 77), the requesting service, or combinations thereof, and the plurality of clusters (fig. 1A, items 110, 120), the plurality of cloud native services, or combinations thereof, located in the plurality of hosted locations (“on-premise servers” at ¶¶ 10–11, 41–44),
Reeve does not teach (A) the authentication component being a proxy service of a Platform-as-a-Service (PaaS) Management Portal; and (B) the request being an API request.
Tashkandi teaches a proxy service of a PaaS Management Portal (¶¶ 40, 44, 48).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Reeve’s authentication component to be a proxy service of a PaaS Management Portal as taught by Tashkandi “for automated control of platform as a service system updates and modifications.”  Tashkandi ¶ 1.
Johnson teaches an API request (12:27–56).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Reeve’s request to be an API request as taught by Johnson so that “[u]sers can initiate web service requests to computer devices of a cloud infrastructure and the computer devices can process the requests and return appropriate responses.  Johnson 12:31–33.
Regarding claim 28, the Reeve/Tashkandi/Johnson combination teaches wherein the proxy service is further configured to select the tunnel connection (Reeve fig. 2, items C, D) of the plurality of tunnel connections that connects between the proxy service endpoint, the proxy application endpoint (Reeve fig. 1B, item 200), or combinations thereof, hosted at the PaaS management portal and the plurality of hosted locations (Reeve “on-premise servers” at ¶¶ 10–11, 41–44), wherein the selection is based at least on the information parameters (Reeve “identification portion includes information relating to the identification of an application (such as an application name for example)” at ¶ 72).  
Regarding claim 29, the Reeve/Tashkandi/Johnson combination teaches wherein the proxy service is further configured to generate the selected tunnel connection (Reeve fig. 2, items C, D) of the plurality of tunnel connections that connects between the proxy service endpoint, the proxy application endpoint (Reeve fig. 1B, item 200), or combinations thereof, hosted at the PaaS management portal and the plurality of hosted locations ( “on-premise servers” at Reeve ¶¶ 10–11, 41–44), based at least on receiving the API request (“application request” at Reeve ¶¶ 71–72; Johnson 12:27–56) including the information parameters (“identification portion includes information relating to the identification of an application (such as an application name for example)” at Reeve ¶ 72).
Regarding claim 31, the Reeve/Tashkandi/Johnson combination teaches wherein the API request is a user input (“a user (e.g. originator of an application request)” at Reeve ¶ 35), and wherein the user input comprises a payload (“identification portion includes information relating to the identification of an application (such as an application name for example)” at Reeve ¶ 72) containing the information parameters.
Regarding claim 32, the Reeve/Tashkandi/Johnson combination teaches wherein the information parameters comprise an application name (“identification portion includes information relating to the identification of an application (such as an application name for example)” at Reeve ¶ 72), an application type, a service name, a service type, a hosted application location identifier, a hosted service location identifier, or combinations thereof
Regarding claim 33, claim 7 recites substantially similar features.  Thus, references/arguments equivalent to those present for claim 7 are equally applicable to claim 33.
Regarding claim 34, while Reeve teaches wherein the endpoint (fig. 1B, item 200) is a first endpoint of a plurality of endpoints, the first end point being a private endpoint (“reference to on-premise resources or platforms is taken to refer to a concept of local or private computing resources such as networks, servers, storage devices, application, etc. that are situated locally or within/behind a virtual boundary (often behind a firewall).” at ¶ 5), and wherein the first endpoint is secure (“situated locally or within/behind a virtual boundary (often behind a firewall).” at ¶ 5), multi-tenant, includes access control support, is protected by at least one of a plurality of authentication mechanisms, or combinations thereof, Reeve does not teach the first endpoint being a public endpoint.
An endpoint is either a public endpoint or a private endpoint.
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Reeve’s endpoint to be a public endpoint since “a person of ordinary skill has good reason to pursue the known options within his or her technical grasp. If this leads to the anticipated success, it is likely that product [was] not of innovation but of ordinary skill and common sense. In that instance the fact that a combination was obvious to try might show that it was obvious under § 103.”  MPEP § 2143(E)(quoting KSR, 550 U.S. at 421).

Allowable Subject Matter
Claims 9–14 are objected to as being dependent upon rejected base claim 1, but would be allowable if rewritten to include all of the limitations of base claim 1.
Claims 30 and 35–37 are objected to as being dependent upon rejected base claim 1, but would be allowable if rewritten to include all of the limitations of base claim 1.

Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicants’ disclosure: US-20200287737-A1.
Applicants’ amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicants are reminded of the extension of time policy as set forth in 37 C.F.R. § 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to § 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the Examiner should be directed to DAVID P. ZARKA whose telephone number is (703) 756-5746.  The Examiner can normally be reached Monday–Friday from 9:30AM–6PM ET.
If attempts to reach the Examiner by telephone are unsuccessful, the Examiner’s supervisor, Vivek Srivastava, can be reached at (571) 272-7304.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://portal.uspto.gov/external/portal.  Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool.  To schedule an interview, Applicants are encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
/DAVID P ZARKA/PATENT EXAMINER, Art Unit 2449