DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In communications filed on 08/05/2022, claims 1, 11, and 18 are amended. Claims 3 and 13 are canceled. Claims 1-2, 4-12, and 14-20 are pending in this examination.
 In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.   This examination is in response to US Patent Application No. 16/801,280.

CLAIM INTERPRETATION
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “LKM is configured to…” in claims 1 and 18.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION. —The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, and 18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) are: “LKM is configured to…” in claims 1 and 18.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
Claim limitation “LKM is configured to…” in claims 1 and 18 invokes 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Claims 4-6 and 10 do not cure the deficiency of claim 1, and claim 20 does not cure the deficiency of claim 18; they are rejected under 35 USC 112, 2nd paragraph, for their dependency upon claims 1 and 18.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Response to Argument
Applicant’s arguments with respect to independent claims for newly added limitation have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection.

Examiner Note
Claim 1 cites “a computer readable storage medium”. The computer readable storage medium has been defined in paragraph 180 of the specification as: [The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.] Therefore, claim 1 is statutory under 35 USC 101. Dependent claims 2-10 are also statutory under 35 USC 101.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-3, 7-13, and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. (US2018/0260125) issued to Botes and in view of US Patent No. (US2005/0135622) issued to Fors and further in view of US Patent No. (US9,498,417) issued to Harwood.
Regarding claim 1, Botes discloses A computer program product for facilitating processing in a computing environment, the computer program product comprising: a computer readable storage medium readable by one or more processing circuits and storing instructions for performing operations comprising [ see FIG.1A and corresponding text for more details, computing devices 164A-B, SAN 158, Persistent storage resources 170A-B]; and
the node comprising a plurality of channels; establishing, by the LKM, to provide a secure data transfer between for the node and the other node [¶¶78-80, In implementations, storage array controller 101 includes one or more host bus adapters 103A-C that are coupled to the processing device 104 via a data communications link 105A-C. In implementations, host bus adapters 103A-C may be computer hardware that connects a host system (e.g., the storage array controller) to other network and storage arrays. In some examples, host bus adapters 103A-C may be a Fibre Channel adapter that enables the storage array controller 101 to connect to a SAN, an Ethernet adapter that enables the storage array controller 101 to connect to a LAN, or the like. Host bus adapters 103A-C may be coupled to the processing device 104 via a data communications link 105A-C such as, for example, a PCIe bus.], and [¶272, The example method depicted in FIG. 10 includes configuring (1002), by the storage system (1024), one or more data communications links (1052) between the storage systems (1024, 1046) and the second storage system (1046). In the example method depicted in FIG. 10, the storage system (1024) may configure (1002) one or more data communications links (1052) between the storage system (1024) and the second storage system (1046), for example, by identifying a defined port over a data communications network to be used for exchanging data communications with the second storage system (1046), by identifying a point-to-point data communications link to be used for exchanging data communications with the second storage system (1046), by identifying a data communications network to be used for exchanging data communications with the second storage system (1046)], and [¶272, a service configured to run on customer facilities, such as running in a virtual machine or container, could be used to mediate key exchanges (shared keys) necessary for secure communications between replicating storage systems (1024, 1046)]; and
establishing, by the LKM, a connection between the LKM and an external key manager (EKM) that stores a shared key for use by the node and an other node of the computing environment
Even though Botes discloses this limitation as: [¶272, a service configured to run on customer facilities, such as running in a virtual machine or container, could be used to mediate key exchanges (shared keys) necessary for secure communications between replicating storage systems (1024, 1046)].
Furthermore, Fors discloses this limitation as: [See FIG. 5 and corresponding text for more detail, client key manager (503), server key manager (511)], and [0045] 515 RequestAppKey: MN (Mobile Node) requests a key from Client Key Manager for MIP (Mobile Internet protocol); [0046] 517 RetriveAppKey: Client Key Manager retrieves the Key for MIP from Persistent Storage; [0047] 519 Kmip: Key for MIP is passed to the Key Manager; [0048] 521 Kmip: Key for MIP is passed to the MN; [0052] 528 RequestAppKey: RADIUS Server requests the Application Key for MIP from the Key Manager; [0053] 529 RetreiveAppKey: Key Manager retrieves Application Key for MIP from Persistent Storage; [0054] 531 Kmip: The Key for MIP is passed to the Key Manager; [0055] 533 Kmip: The Key for MIP is passed to the RADIUS Server; and
 and in response to establishing the connection: obtaining, by the LKM, the shared key from the EKM; 
Even though Botes discloses this limitation as: [¶272, a service configured to run on customer facilities, such as running in a virtual machine or container, could be used to mediate key exchanges (shared keys) necessary for secure communications between replicating storage systems (1024, 1046)].
Furthermore, Fors discloses this limitation as: [See FIG. 5 and corresponding text for more detail, client key manager (503), server key manager (511)], and [0045] 515 RequestAppKey: MN (Mobile Node) requests a key from Client Key Manager for MIP (Mobile Internet protocol); [0046] 517 RetriveAppKey: Client Key Manager retrieves the Key for MIP from Persistent Storage; [0047] 519 Kmip: Key for MIP is passed to the Key Manager; [0048] 521 Kmip: Key for MIP is passed to the MN; [0052] 528 RequestAppKey: RADIUS Server requests the Application Key for MIP from the Key Manager; [0053] 529 RetreiveAppKey: Key Manager retrieves Application Key for MIP from Persistent Storage; [0054] 531 Kmip: The Key for MIP is passed to the Key Manager; [0055] 533 Kmip: The Key for MIP is passed to the RADIUS Server; and
 wherein the LKM is configured to provide the secure data transfer between the node and the other node of the computing environment via a channel of the plurality of channels based at least in part on the shared key
Even though Botes discloses this limitation as: [¶272, a service configured to run on customer facilities, such as running in a virtual machine or container, could be used to mediate key exchanges (shared keys) necessary for secure communications between replicating storage systems (1024, 1046)].
Furthermore, Fors discloses this limitation as: [See FIG. 5 and corresponding text for more detail, client key manager (503), server key manager (511)], and [0045] 515 RequestAppKey: MN (Mobile Node) requests a key from Client Key Manager for MIP (Mobile Internet protocol); [0046] 517 RetriveAppKey: Client Key Manager retrieves the Key for MIP from Persistent Storage; [0047] 519 Kmip: Key for MIP is passed to the Key Manager; [0048] 521 Kmip: Key for MIP is passed to the MN; [0052] 528 RequestAppKey: RADIUS Server requests the Application Key for MIP from the Key Manager; [0053] 529 RetreiveAppKey: Key Manager retrieves Application Key for MIP from Persistent Storage; [0054] 531 Kmip: The Key for MIP is passed to the Key Manager; [0055] 533 Kmip: The Key for MIP is passed to the RADIUS Server.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Botes with the teaching of Fors in order to implement methods and functionality for effecting upper layer security schema based on lower layer keying processes within such communication units operating within such networks [Fors, Abstract, ¶1].
 Botes and Fors do not explicitly disclose, however Harwood discloses  wherein the LKM is configured to provide the secure data transfer between the node and the other node of the computing environment via a channel of the plurality of channels based at least in part on an encryption algorithm of the one or more encryption algorithms; and registering, by the LKM, security capabilities of the plurality of channels, the security capabilities comprising one or more encryption algorithms supported by the channels
[Col. 5 lines 5-9, Prior to granting storage access to a host processor, a storage system may require host authentication via a secure mechanism, such as the Kerberos protocol. A storage system may require authentication of each storage access request, for example, using a secure mechanism], and [see FIGS. 7-8 and corresponding text for more details, Col. 11 lines 46-67 to Col. 12 lines 1-58… in step 106, when a storage processor services a host processor request for creation of a new storage object, the key management client of the storage processor issues a "get key" request to the key management server for the new storage object. The "get key" parameters sent to the key management server include: (i) the domain name of the namespace of the storage object; (ii) the object ID; (iii) the key policy; (iv) an encryption endpoint identifier; and (v) a context parameter for end-to-end checking. The key policy includes the block encryption algorithm for the key, the encryption mode for multiple block encryption, the key length, and the key lifetime. The key management server checks the "get key" parameters against the context parameter to detect any corruption of the "get key" parameters, looks up the specified domain name to verify that the domain name has been registered, and compares the requested key policy with any key policy requirements that have been registered with the domain name, in order to select a key policy for creating the requested key. The key management server does a lookup of the object ID in existing entries in the key store for the domain name in order to determine whether a key has already been assigned to the specified object ID in the namespace of the specified domain name. The key management server returns an error message if the key management server requests a key for a new object and the server already finds that a data encryption key has already been created for the object. Otherwise, in accordance with the selected key policy, the key management server creates a new key UUID and a new data encryption key and encodes the new data encryption key together with the specified object ID with the key encryption key for the specified encryption endpoint in the namespace of the specified domain. In step 107, the key management server returns, to the key management client, the key UUID, the wrapped key information, and the selected key policy that was actually used in creating the wrapped key. In step 108, the array key management and encryption module load its key table with the object ID to wrapped key info. relationship, and loads its device table with the object ID to key UUID, device info., and key policy relationship. At this point, the key management server and the storage system have been initialized for encryption or decryption of the object and for recovery from corruption of the key information for the object], and [see FIGS. 11-12, 14 and corresponding text for more details].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Botes, and Fors with the teaching of Harwood in order for providing a method of operation in a data processing system including a storage area network and a key management server for providing data encryption keys to the storage area network [ Harwood, Col.2, lines 27-30, Abstract].
Regarding claims 2, 12, and 19, Botes discloses, wherein the node is a host computer and the LKM executes in a logical partition of the host computer [¶243, a service configured to run on customer facilities, such as running in a virtual machine or container, could be used to mediate key exchanges necessary for secure communications between replicating storage systems (716, 718, 720)], and [¶148].
Regarding claims 3 and 13, Botes discloses wherein the providing the secure data transfer comprises managing private keys for at least a subset of the plurality of channels [¶169, Readers will appreciate that the storage systems described above may be configured to support the storage of (among other types of data) blockchains. Such blockchains may be embodied as a continuously growing list of records, called blocks, which are linked and secured using cryptography], and [¶245, some communications may be encrypted and secured].
Regarding claims 7 and 16, Botes discloses wherein the node is a host computer or a storage array [¶78, storage array controller 101 includes one or more host bus adapters 103A-C that are coupled to the processing device 104 via a data communications link 105A-C. In implementations, host bus adapters 103A-C may be computer hardware that connects a host system (e.g., the storage array controller) to other network and storage arrays], and [¶243, In the example method depicted in FIG. 7, configuring (704) one or more data communications links (716, 718, 720) between each of the plurality of storage systems (714, 724, 728) to be used for synchronously replicating the dataset (712) may be carried out, for example, by configuring the storage systems (716, 718, 720) to communicate via defined ports over a data communications network, by configuring the storage systems (716, 718, 720) to communicate over a point-to-point data communications link between two of the storage systems (716, 724, 728), or in a variety of ways].
Regarding claim 8, Botes discloses wherein the other node is a host computer or a storage array [¶78, storage array controller 101 includes one or more host bus adapters 103A-C that are coupled to the processing device 104 via a data communications link 105A-C. In implementations, host bus adapters 103A-C may be computer hardware that connects a host system (e.g., the storage array controller) to other network and storage arrays], and [¶243, In the example method depicted in FIG. 7, configuring (704) one or more data communications links (716, 718, 720) between each of the plurality of storage systems (714, 724, 728) to be used for synchronously replicating the dataset (712) may be carried out, for example, by configuring the storage systems (716, 718, 720) to communicate via defined ports over a data communications network, by configuring the storage systems (716, 718, 720) to communicate over a point-to-point data communications link between two of the storage systems (716, 724, 728), or in a variety of ways].
Regarding claims 9, and 17, Botes discloses, wherein the channel is a host bus adapter (HBA) [¶78, storage array controller 101 includes one or more host bus adapters 103A-C that are coupled to the processing device 104 via a data communications link 105A-C. In implementations, host bus adapters 103A-C may be computer hardware that connects a host system (e.g., the storage array controller) to other network and storage arrays].
Regarding claim 10, Botes discloses wherein the LKM is further configured to provide a secure data transfer between two of the plurality of channels on the node [¶243, a service configured to run on customer facilities, such as running in a virtual machine or container, could be used to mediate key exchanges necessary for secure communications between replicating storage systems (716, 718, 720)].
Regarding claims 11 and 18, these claims are interpreted and rejected for the same rationale as set forth in claim 1.

Claims 4-6, 14-15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. (US2018/0260125) issued to Botes and in view of US Patent No. (US2005/0135622) issued to Fors and in view of US Patent No. (US9,498,417) issued to Harwood and further in view of application RU2663476C2 issued to Oleg Makhotin.
Regarding claims 4, 14, and 20, Botes, Fors, and Harwood do not explicitly disclose, however Makhotin discloses wherein the establishing a connection comprises initiating a request to the EKM for the connection, the request comprising an authentication certificate assigned to the node [¶147, additionally, the payee information may include a merchant ID that is provided to the merchant application 121 (or to the merchant server associated with the merchant application 121) during the registration phase for the remote transaction processing service or the remote key manager 140. In some embodiments, the payee information may be used to identify the merchant certificate to be provided to the remote key manager 140 (for example, for embodiments in which the mobile payment application 123 transmits the merchant certificate to the remote key manager 140)], and [¶¶ 27, 29, 70, 72, 106, 123, 174, 182].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Botes, Fors, and Harwood with the teaching of Makhotin in order to verify the authenticity of the authentication data and authorize the requested transaction (or other operation) associated with the remote transaction through a secure and efficient communication architecture. In addition, authentication data may include two-factor authentication by including device authentication data (e.g., security value generated using a shared secret) and user (e.g., personal identification number, password code, etc.) in one process data exchange and authentication. The digital signature can confirm the authenticity of the sender and the integrity of the signed document due to the so-called principle of non-denial, which does not allow the denial of what is signed. A certificate or other data that includes a digital signature by a signatory is said to be "signed" by a signatory. [ Makhotin, ¶¶23, 69].
Regarding claim 5, Botes, Fors, and Harwood do not explicitly disclose, however Makhotin discloses wherein the connection is established based at least in response to the EKM recognizing the authentication certificate [¶147, additionally, the payee information may include a merchant ID that is provided to the merchant application 121 (or to the merchant server associated with the merchant application 121) during the registration phase for the remote transaction processing service or the remote key manager 140. In some embodiments, the payee information may be used to identify the merchant certificate to be provided to the remote key manager 140 (for example, for embodiments in which the mobile payment application 123 transmits the merchant certificate to the remote key manager 140)], and [¶¶ 27, 29, 70, 72, 106, 123, 174, 182].
Regarding claims 6 and 15, Botes, Harwood, and Makhotin do not explicitly disclose, however, Fors discloses wherein the request is a key management interoperability protocol (KMIP) message that is sent via a transport layer security (TLS) session to the EKM [See FIG. 5 and corresponding text for more detail, client key manager (503), server key manager (511)], and [0045] 515 RequestAppKey: MN (Mobile Node) requests a key from Client Key Manager for MIP (Mobile Internet protocol); [0046] 517 RetriveAppKey: Client Key Manager retrieves the Key for MIP from Persistent Storage; [0047] 519 Kmip: Key for MIP is passed to the Key Manager; [0048] 521 Kmip: Key for MIP is passed to the MN; [0052] 528 RequestAppKey: RADIUS Server requests the Application Key for MIP from the Key Manager; [0053] 529 RetreiveAppKey: Key Manager retrieves Application Key for MIP from Persistent Storage; [0054] 531 Kmip: The Key for MIP is passed to the Key Manager; [0055] 533 Kmip: The Key for MIP is passed to the RADIUS Server, and [¶22, The L2 Authentication Client 201 and Server 301 are each used in establishing a network connection, specifically for the Layer 2 authentication… Examples of L2 Authentication processes or methods include using EAP-TLS denotes EAP with Transport Level Security extensions].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Botes, Harwood, and Makhotin with the teaching of Fors in order to implement methods and functionality for effecting upper layer security schema based on lower layer keying processes within such communication units operating within such networks [Fors, Abstract, ¶1].

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Kuroda (US6,915,434) [(36) FIG. 11 is a block diagram of the configuration of the electronic data storage apparatus according to the second embodiment of the present invention. As compared with the configuration according to the first embodiment shown in FIG. 2, a master key storage unit 20 for storing a master key which is a common key shared by all electronic data storage apparatuses is the only difference from the configuration according to the first embodiment], and [(37) FIG. 12 is a flowchart of the process of generating an individual key using a master key according to the second embodiment of the present invention. In FIG. 12, when an instruction to generate an individual key is received in step S70, the identification information about each electronic data storage apparatus, for example, an ID of the electronic data storage apparatus, is obtained by the control unit 11 in step S71, and a master key stored in the master key storage unit 20 is obtained by the key management unit 12 in step S72. In step S73, the encryption unit 13 encrypts the electronic data storage apparatus identification information using the master key, and an individual key is generated. The encrypting process is described later. Then, in step S74, the key management unit 12 sets the generated individual key in the individual key storage unit 14, thereby terminating the process].
LiJima (US5293029) [(63) In this manner, one key data and one encryption algorithm of a plurality of key data and a plurality of encryption algorithms held in the IC card are designated by the terminal, and data to be written is encrypted by using the designated key data and encryption algorithm. Therefore, even if the IC card is used in a plurality of applications, verification key data and encryption algorithms can be selectively used for the respective applications, and security between the applications can be ensured].
Bunch (US20190238323) [KEY MANAGERS FOR DISTRIBUTED COMPUTING SYSTEMS USING KEY SHARING TECHNIQUES, Abstract].
Neerumalla (US2019/0068370) [KEY MANAGERS FOR DISTRIBUTED COMPUTING SYSTEMS]. 
Przykucki (US8266433) [Method and System for Automatically Migrating Encryption Keys Between Key Managers in A Network Storage System, Abstract].
Buer (US2010/0290624) [Key Management System and Method].
Kao (US6275944) [Method and System for Single Sign on Using Configuration Directives with Respect to Target Types, ¶¶ 29, 40].
Fang (US6240512) [Single Sign-on (SSO) Mechanism Having Master Key Synchronization].
Carlson (US2009/0049311) [Efficient Elimination of Access to Data on A Writable Storage Media].
WO2019/225921 [METHOD FOR STORING DIGITAL KEY AND ELECTRONIC DEVICE].
CN 1359574 A [certificate, authentication see the claims].
Scheidt (US6490680) [(47) A user's certificate is contained in that user's credentials so that it can be sent with Constructive Key Management objects that the user has signed. The recipient of a Constructive Key Management object uses the Credential Manager's public key to decrypt the sender's certificate and recovers that user's public key. The sender's public key is used to verify the digital signature on that Constructive Key Management object].
Gade (20100031045) [METHODS AND SYSTEM AND COMPUTER MEDIUM FOR LOADING A SET OF KEYS, ¶¶45-46].
Kobata (20060005237) [¶9, A digital certificate uses public key cryptography to authenticate the identity of a communicating party. A digital certificate for a particular identity is issued by a certification authority (CA). The identity presents the digital certificate and the identity's public key to an authenticating service that uses the digital certificate and public key to confirm the identity of the presenter of the public key], and [¶¶10, 38-40].

Applicants are encouraged to take advantage of the After Final Consideration Pilot 2.0 (AFCP 2.0) which authorizes non-production time for consideration of responses filed after a final rejection. The purpose of the pilot is to compact prosecution of the case. The request must include 1) A signed AFCP request form (PTO/SB/434 or equivalent) that includes a statement that applicant is requesting consideration under the AFCP; 2) An amendment to at least one independent claim that does not broaden the scope of the independent claim in any aspect; and 3) A statement that applicant is willing and available to participate in any interview initiated by the examiner concerning the present response.  In the limited amount of non-production time if the examiner’s consideration of a proper AFCP 2.0 request and response does not result in a determination that all pending claims are in condition for allowance, the examiner will request an interview with the applicant to discuss the response. For more info, please visit http://www.uspto.gov/patent/initiatives/after-final-consideration-pilot-20

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207. The examiner can normally be reached Monday-Friday, 8:30am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHAHRIAR ZARRINEH/Examiner, Art Unit 2496