Managing Host Resources Using a Bastion Host
A bastion host can manage hosts through a wide range of protocols, such as SSH, RDP, VNC, Telnet, FTP, SFTP, SCP, and Rlogin, covering Windows hosts, Linux hosts, and databases.
This topic describes how to use a bastion host to centrally manage your host resources. We will introduce how to add a host resource, import host resources from a file, import host resources from a cloud platform, automatically discover host resources, and clone host resources.
Constraints
- The total number of host and application resources to be added cannot exceed the number of assets.
- The values of Protocol and Host Address must be unique in a bastion host. This means the host resources to be managed must be unique. Otherwise, when you create a host resource with the same configuration, an error message will be displayed, indicating that the host resource already exists.
- To set Department to a superior department for a host resource, you must have management permissions for the Department module. For details about how to edit the role permissions of a user, see Editing Role Information.
Prerequisites
You have the operation permissions for the Host module.
Adding a Host Resource
- Log in to your bastion host.
- Choose Resource > Host in the navigation pane on the left.
- Click New in the upper right corner of the page.
- Enter the required network information and basic information of the host resource you want to add.
Figure 1 New Host
Table 1 Host resource network parameters
Parameter
Description
Host Name
Custom name of the host resource. A host name must be unique in a bastion host.
Protocol
Type of the protocol configured for the host.
Supported protocols: SSH, RDP, VNC, Telnet, FTP, SFTP, SCP, and Rlogin
Host Address
Host IP address that can be used to establish connection with your bastion host.
- Select the EIP or private IP address of the host. Private IP addresses are recommended.
- By default, the IPv4 address of the host is used. After an IPv6 address is enabled for a host, select either the IPv4 address or IPv6 address.
NOTE:
A private IP address on the same VPC network is recommended. Network stability and proximity affect O&M activities through a bastion host. The external access port of a private IP address is not restricted by the network security (security group and ACL) policies, whereas the port for external access over an EIP is restricted by them, so a managed host resource may become inaccessible over an EIP through the bastion host.
Port
Port number of the host.
OS Type
(Optional) Type of the host OS or device OS.
- The default value is empty. You need to select an OS type based on the type of the added resources.
- 14 OS types are supported, including Linux, Windows, Cisco, Huawei, H3C, DPtech, Ruijie, Sugon, Digital China sm-s-g 10-600, Digital China sm-d-d 10-600, ZTE, ZTE5950-52tm, Surfilter, and ChangAn.
- In addition, system administrator admin can customize OS types.
- For details, see OS Types.
Terminal Speed
If you select Rlogin for Protocol, you can select a terminal speed.
Encode
If you select SSH or TELNET for Protocol, Chinese characters can be used on the O&M page.
The options are UTF-8, Big5, and GB18030.
Terminal Type
If you select SSH or TELNET for Protocol, you can specify the O&M terminal you want.
The options are Linux and Xterm.
Options
(Optional) Select File Manage, X11 forward, Uplink Clipboard, Keyboard Audit, and/or Downlink Clipboard.
- File Manage: This option is supported only by SSH, RDP, and VNC hosts.
- Clipboard: This option is supported only by SSH, RDP, and Telnet hosts.
- X11 forward: This option is supported only by SSH hosts.
- Keyboard Audit: Only RDP, VNC, and protocol hosts can be configured.
Department Name
Department to which the host resource belongs.
Label
(Optional) You can customize a label or select an existing one.
Remarks
(Optional) Provides the description of the host resource.
- Click Next and start to add resource accounts.
Table 2 Parameters of managed host accounts
Parameter
Description
Add Account
When to add the account. The options are Rightnow and Afterward.
- If you select Rightnow, continue the configuration on the page to add the account immediately.
- If you select Afterward, no further configuration is required on the page. You can add the account information later in the resource list or on the resource details page.
Login Type
Login method. You can select Auto Login, Manual Login, Sudo Login, or CSMS Credentials Login.
- If you select Auto Login, Account and Password are mandatory.
- If you select Manual Login, Account and Password are optional.
- If you select CSMS Credentials Login, make sure you have available credentials.
- If you select Sudo Login, a password is mandatory.
NOTE:
If you select the key pair automatic login mode, select Allow to change the SSH Key when creating a password change policy, or manual password change may fail.
Account
Account username of the managed host.
NOTE: If the AD domain service is installed on the host, the added account is Domain name\Host account name, for example, ad\administrator.
Password
Password of the account being added.
By default, Verify is selected. After the account is added, the system automatically verifies the status of the account.
NOTE:
- Verification succeeded: After the account is verified, the host resource information is saved.
- Verification failed:
  - If the system prompts that the verification times out, return to the configuration window and modify the resource information.
  - If the system prompts that the account password is incorrect, return to the configuration window and change the account password.
SSH Key
Authentication method that can be configured for host resources using the SSH protocol.
After the configuration, an SSH key is preferentially used to log in to a related host resource.
Passphrase
Private key sequence corresponding to the SSH key. This parameter is optional.
- You do not need to enter the password for logging in to the host when no private key password is generated.
- You need to enter the private key password each time you log in to the host when the private key password is generated.
Description
Brief description of the account.
If no accounts are configured for the managed hosts, account [Empty] is generated by default. When you log in to the managed host through a bastion host for operations, select [Empty] and enter the username and password of an account of the host.
- Click OK. After the account is verified, you can then view the new host resource under the Host tab.
Importing Host Resources from a File
To import host resources from a file, the file must be in .csv, .xls, or .xlsx format.
- Log in to your bastion host.
- Choose Resource > Host in the navigation pane on the left.
- Click Import in the upper right corner of the page.
- Select From file for Import.
- Click Download next to Download template.
- Enter the information of host resources according to the configuration requirements in the template file.
Table 3 Template parameters
Parameter
Description
Name
(Mandatory) User-defined host resource name.
IP address/domain name
(Mandatory) IP address or domain name of a host.
Protocol
(Mandatory) Select the protocol type of the host resource. Only one protocol type can be selected for a certain type of host resource.
Supported protocols: SSH, RDP, VNC, Telnet, FTP, SFTP, SCP, and Rlogin
Port
(Mandatory) Enter the host port number.
OS Type
Enter the operating system type of the host.
Department Name
(Mandatory) Department to which the host resource belongs. The department structure must be complete.
- Only one department structure can be entered, and a resource can belong to only one department.
- By default, the department can be set to HQ. Use a comma (,) to separate a department and its lower-level department.
- Only the department that has been created in the system can be entered.
Label
Label of the host resource.
- You can enter multiple labels and separate them with commas (,).
Remarks
Provides supplementary information about the host resource.
Account
Account of the host resource.
- If this parameter is left blank, no Empty account will be generated.
Logon Type
Method to log in to the host resource.
- This parameter can be set to Auto Login, Manual Login, or Sudo Login.
IS Sudo
Whether to set the account as a sudo account.
- This parameter can be set to Yes or No.
Password
Password of the account for logging in to the resource.
SSH Key
Authentication method that can be configured for SSH hosts.
After the configuration, an SSH key is preferentially used to log in to a related host resource.
passphrase
Private key sequence mapped to the SSH key.
You need to enter the private key password each time you log in to the host when the private key password is generated.
For details, see How Do I Configure an SSH Key for Logging In to a Managed Host?
Oracle Param
This parameter is mandatory for Oracle hosts.
- This parameter can be set to SERVICE_NAME or SID.
- Separate multiple parameter values with commas (,).
SERVICE_NAME or SID
This parameter is mandatory for Oracle hosts.
- Separate multiple parameter values with commas (,).
Login Role
This parameter is mandatory for Oracle hosts.
- This parameter can be set to normal, sysdba, or sysoper.
- Separate multiple parameter values with commas (,).
Database Name
This parameter is mandatory for the DB2 databases.
- Select the database name or instance name.
- Separate multiple parameter values with commas (,).
Instance Name
This parameter is mandatory for the DB2 databases.
- Select the database name or instance name.
- Separate multiple parameter values with commas (,).
Switch From
For a host resource using the SSH protocol, enter its account username and set it to a sudo account.
Switch command
The command to switch over between accounts.
Description
Brief description of the managed resource account.
Account Group
The account group to which the managed resource account belongs.
- A managed resource account can belong to multiple account groups in the same department. Use a comma (,) to separate every two account groups.
- Only the account group that has been created in the system can be entered.
- Click Upload and select the completed template.
- (Optional) Configure Override existing hosts, which is not selected by default.
- Selected: An existing host resource will be overwritten when the existing host resource and the one being imported have the same protocol type@host address:port information.
- Deselected: An existing host resource will be skipped when the existing host resource and the one being imported have the same protocol type@host address:port information.
- Click OK.
- When you import host information by file, provide the host information based on configuration requirements in the .xlsx template file.
- SSH private keys can be used for logging in to hosts over SSH. When you set the SSH Key and Passphrase parameters, enter the correct private key and its password. After the SSH public key and the passphrase are configured, the SSH private key is preferentially used to verify login.
- The SSH key private key and passphrase are optional. You are advised to manage only the host accounts and passwords for managed hosts whose information is imported in batches.
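A pre-import check for a completed template, as an added example that is not part of the original page or of the product. It assumes the sheet was saved as .csv with column headers equal to the Table 3 parameter names, and it reports rows that collide on protocol type@host address:port along with rows that use cleartext protocols, non-private addresses, or embedded passwords.

```python
import csv
import io
import ipaddress

# Assumption: column headers match the "Parameter" names in Table 3.
MANDATORY = ("Name", "IP address/domain name", "Protocol", "Port", "Department Name")
SUPPORTED = {"SSH", "RDP", "VNC", "TELNET", "FTP", "SFTP", "SCP", "RLOGIN"}
CLEARTEXT = {"TELNET", "FTP", "RLOGIN"}  # credentials cross the network unencrypted
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def check_import(csv_text):
    """Return (errors, warnings); each item is (row_number, message)."""
    errors, warnings, seen = [], [], {}
    for n, raw in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        row = {k: (v or "").strip() for k, v in raw.items() if isinstance(k, str)}
        missing = [f for f in MANDATORY if not row.get(f)]
        if missing:
            errors.append((n, "missing: " + ", ".join(missing)))
            continue
        proto, addr, port = row["Protocol"].upper(), row["IP address/domain name"], row["Port"]
        if proto not in SUPPORTED:
            errors.append((n, "unsupported protocol " + proto))
        if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
            errors.append((n, "invalid port " + port))
        key = f"{proto}@{addr.lower()}:{port}"  # identity used by "Override existing hosts"
        if key in seen:
            errors.append((n, f"duplicate of row {seen[key]}: {key}"))
        seen.setdefault(key, n)
        if proto in CLEARTEXT:
            warnings.append((n, proto + " is a cleartext protocol"))
        try:
            if not any(ipaddress.ip_address(addr) in net for net in PRIVATE):
                warnings.append((n, "address is not private"))
        except ValueError:
            pass  # the template also accepts domain names
        if row.get("Password"):
            warnings.append((n, "password stored in the file in plaintext"))
    return errors, warnings

CONSTRUCTED_SAMPLE = """Name,IP address/domain name,Protocol,Port,Department Name,Account,Password
web01,192.168.1.10,SSH,22,HQ,root,
web01-copy,192.168.1.10,ssh,22,HQ,admin,
legacy,192.168.1.20,Telnet,23,HQ,,
edge,203.0.113.5,RDP,3389,HQ,administrator,Constructed-Pw-1
broken,192.168.1.30,HTTP,99999,HQ,,
"""

if __name__ == "__main__":
    print(check_import(CONSTRUCTED_SAMPLE))
```

Row numbers count the header as row 1, so they match what a spreadsheet shows for the same file.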
Importing Hosts from a Cloud Platform
You can discover resources in the current region and add them all to your bastion host in just a few clicks.
- Log in to your bastion host.
- Choose Resource > Host in the navigation pane on the left.
- Click Import Cloud Resources in the upper right corner of the page.
Table 4 Parameter description
Parameter
Description
Resource Type
You can select the cloud host or cloud database type.
NOTE: Currently, only MySQL, PostgreSQL, and SQL Server databases are supported.
Authentication Type
You can select AK/SK or a cloud service agency.
NOTE: Currently, Platform Bastion Host (PBH) supports only the AK/SK authentication.
Access Key ID
This parameter is mandatory when Authentication Type is set to AK/SK.
To get the access key ID, click the information icon on the right of the text box.
Access Key Secret
This parameter is mandatory when Authentication Type is set to AK/SK.
To get access key secret, click the information icon on the right of the text box of Access Key ID.
Priority of IP imported
You can select Public or Internal.
Options
(Optional) Configure Override existing hosts, which is not selected by default.
- Selected: An existing host resource will be overwritten when the existing host resource and the one being imported have the same protocol type@host address:port information.
- Deselected: An existing host resource will be skipped when the existing host resource and the one being imported have the same protocol type@host address:port information.
Department Name
Department to which the imported host resources belong.
Label
Label attached to the imported host resources.
- Check the information and click Next. On the region selection page, select the region where resources are to be imported.
You can select only one region at a time.
- Confirm the information and click Next. The system automatically completes the import. After the import is finished, check the host list.
Auto Discovery of Host Resources
With the Auto Discover function, you can use Nmap to scan for hosts in a specific IP address or IP address range.
Host resources can be automatically discovered only when the hosts and your bastion host are in the same VPC and the network connection is normal.
- Log in to your bastion host.
- Choose Resource > Host in the navigation pane on the left.
- Click Auto Discover in the upper right corner of the page.
- Enter the IP address and port number of host resources to be imported.
The default ports are 21, 22, 23, 3389, and 5901. You can also add other ports or port ranges.
Figure 2 Auto Discover
- Click OK to start the auto discovery.
- Select the host resources to be imported.
- Enter a host name. If you do not enter the host name, the default host name is the IP address of the host.
- A protocol type is set automatically for the host based on the default port. If the host does not match a default port, manually select a protocol type.
- Select the discovered hosts and click Add.
Click Return or Close to return to the host resource list page and view the newly added host resources.
Cloning Host Resources
If you want to add one host to your bastion host as several types of resources, you can clone a host resource you have already added to CBH and modify its configuration to create the other types.
- Log in to your bastion host.
- Choose Resource > Host in the navigation pane on the left.
- In the Operation column of an added host resource, choose More > Clone.
- Modify information of the host resource and add accounts for the new host resource.
To complete the host clone, modify at least one of the following parameters of the host resource you select: Protocol, Host Address, and Port.
- Click OK.
Batch Exporting Host Resources
Click in the upper right corner of the list to export all data in the list.