Updated on 2024-05-22 GMT+08:00

CBH

What Is CBH?

Cloud Bastion Host (CBH) is a unified security management and control platform. It provides account, authorization, authentication, and audit management services that enable you to centrally manage cloud computing resources.

CBH provides various functional modules, such as department, user, resource, policy, operation, and audit modules. It integrates functions such as single sign-on (SSO), unified asset management, multi-terminal access protocols, file transfer, and session collaboration. With the unified O&M login portal, protocol-based forward proxy, and remote access isolation technologies, CBH enables centralized, simplified, secure management and maintenance auditing for cloud resources such as servers, cloud hosts, databases, and application systems.

How to Configure a CBH Instance Quickly

CBH monitors the use of the CBH system itself and the O&M activities on each managed resource, and identifies suspicious O&M actions in real time. This protects resources and data from being accessed or damaged by external or internal users. CBH reports alarms so that you can handle or audit O&M issues in a timely, centralized manner. All of this requires that you first configure your CBH instance, as follows.

  1. Log in to the management console.
  2. On the management console, choose Security and Compliance > Cloud Bastion Host. In the upper right corner of the page, click Buy CBH. When your CBH instance is ready, click Remote Login in the Operation column to go to the CBH system login page.

    • The first time you log in to a CBH system as user admin, enter the login password you configured when purchasing the corresponding CBH instance. System administrator admin is the default user. It is the first account that can be used to log in to a CBH system and has the highest operation permissions. Its permissions cannot be deleted or changed.
    • After logging in to the CBH system for the first time, every user must change their password and bind a mobile number as prompted.
    Figure 1 Logging In to a CBH Instance

  3. After logging in to a CBH system, choose User > User. In the upper right corner of the displayed page, click New. In the displayed dialog box, create a user.

    • By default, there are four roles: system administrator, policy administrator, audit administrator, and O&M personnel. The admin user can create a custom role to assign system operation permissions.
    • You need to set LoginName to a unique name in the CBH system.
    • After a user is created, you can enable multi-factor authentication for the user to log in to the CBH system.
    Figure 2 New User

  4. After creating a user, add a host resource. To do so, choose Resource > Host. On the displayed page, click New in the upper right corner. In the dialog box displayed, complete basic settings and network settings.

    • Host Address is the IP address used for communication between the host and the CBH instance. You can select the EIP or the private IP address assigned to the host. You are advised to select an available private IP address so that O&M traffic between CBH and the host stays on the private network.
    • Databases can be managed in the Host module only with enhanced editions. Currently, four types of databases are supported: MySQL, SQL Server, Oracle, and DB2.
    • Application resources are managed through the Windows remote access function. You need to configure an application server first.
    • After a resource is added to CBH, you still need to add a resource account, which is used to log in to the resource for O&M. You can use any of the following login modes:

      Automatic login: CBH stores and manages the resource account's username and password. In this mode, you do not need to enter the username and password when logging in to the resource; CBH supplies them.

      Manual login: An account named Empty is generated automatically when a resource is added to CBH. When logging in to the resource with this account, you enter the account username and password yourself.

      Sudo login: The user logs in to the resource as a sudoer and is automatically switched to the privileged account.

    Figure 3 New Host

  5. Click Next, configure host account information, and click OK.
  6. Choose Policy > ACL Rules and click New in the upper right corner. In the displayed dialog box, configure an access control rule.

    • Access control rules associate users with resources by granting a specific user specific permissions on specific resources. A CBH system user can operate and maintain a resource only after being authorized by such a rule.
    • IP Limit specifies the local (source) IP addresses from which the user is allowed or denied access to the resources.
    Figure 4 New ACL Rule

  7. Click Next, associate the user with the host resource, and click OK.
  8. Log in to the CBH system using the created user and choose Operation > Host Operation.
  9. Select the target host resource and click Login and perform O&M as needed. For details, see Logging In to Host Resources.

    • For host resources with SSH, Telnet, or Rlogin protocol configured, you can use an SSH client for O&M.
    • For host resources with FTP, SFTP, or SCP protocol configured, you need to use the FTP, SFTP, or SCP client for O&M, respectively.
    • For MySQL, SQL Server, Oracle, and DB2 host resources, you need to configure an SSO tool and a database management tool first. The SSO tool then calls the database client to perform resource O&M.
    • For host resources with SSH, RDP, VNC, or Telnet protocol configured, you can use web browsers for O&M. For application resources, you can use only web browsers for remote access and O&M.
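The following is an added example, not Huawei CBH's own code or API, that models the checks a bastion host applies before opening an O&M session, using the two objects configured in steps 4 and 6 above: a host resource with its resource accounts (automatic, manual/Empty, and sudo login modes) and an ACL rule that associates users with resources and carries an IP Limit. The rule and account fields, the allow/deny handling of IP Limit as CIDR ranges, and the sample hosts and users are all assumptions made for illustration. It shows the default-deny behaviour a practitioner should expect: a session opens only when some rule covers both the user and the resource, the client's source address passes that rule's IP Limit, and the chosen resource account has a credential source (the user for manual login, the bastion's vault for automatic and sudo login).

```python
"""Illustrative bastion authorization model (added example, not CBH code).

Assumed fields and rule format; the sample configuration below is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class ResourceAccount:
    name: str                       # account name on the managed host; "Empty" = manual login
    login_mode: str                 # "automatic", "manual" or "sudo"
    has_vaulted_secret: bool = False  # True when the bastion stores the password or key


@dataclass
class HostResource:
    name: str
    host_address: str               # private IP used between the bastion and the host
    protocol: str
    accounts: list = field(default_factory=list)


@dataclass
class AclRule:
    name: str
    users: set                      # LoginNames authorized by this rule
    resources: set                  # HostResource names covered by this rule
    ip_limit: list = field(default_factory=list)   # source CIDRs; empty = no limit
    ip_limit_mode: str = "allow"    # "allow" (only these sources) or "deny" (all but these)


@dataclass
class Decision:
    allowed: bool
    reason: str
    credential_source: Optional[str] = None   # "bastion" or "user" when allowed


def ip_permitted(client_ip: str, rule: AclRule) -> bool:
    """Apply the rule's IP Limit to the user's source (local) address."""
    if not rule.ip_limit:
        return True
    addr = ip_address(client_ip)
    matched = any(addr in ip_network(cidr, strict=False) for cidr in rule.ip_limit)
    return matched if rule.ip_limit_mode == "allow" else not matched


def authorize(user: str, client_ip: str, resource: HostResource,
              account_name: str, rules: list) -> Decision:
    """Default deny: the session opens only if a rule associates the user with
    the resource, that rule's IP Limit accepts the client address, and the
    requested resource account can supply a credential."""
    candidates = [r for r in rules if user in r.users and resource.name in r.resources]
    if not candidates:
        return Decision(False, "no ACL rule associates this user with the resource")
    if not any(ip_permitted(client_ip, r) for r in candidates):
        return Decision(False, f"source IP {client_ip} rejected by IP Limit")
    account = next((a for a in resource.accounts if a.name == account_name), None)
    if account is None:
        return Decision(False, f"resource account {account_name!r} does not exist")
    if account.login_mode == "manual":
        return Decision(True, "manual login: user types the resource credentials", "user")
    if not account.has_vaulted_secret:
        return Decision(False, f"{account.login_mode} login needs a credential stored in the bastion")
    return Decision(True, f"{account.login_mode} login: bastion injects the credential", "bastion")


# Constructed sample configuration (assumed names and addresses, not real systems).
WEB01 = HostResource("web01", "192.168.1.10", "SSH", accounts=[
    ResourceAccount("Empty", "manual"),
    ResourceAccount("ops", "automatic", has_vaulted_secret=True),
    ResourceAccount("root", "sudo", has_vaulted_secret=True),
])
RULES = [
    AclRule("ops-from-office", users={"alice"}, resources={"web01"},
            ip_limit=["10.20.0.0/16"], ip_limit_mode="allow"),
]

if __name__ == "__main__":
    for user, ip, acct in [("alice", "10.20.3.4", "ops"), ("alice", "203.0.113.5", "ops"),
                           ("bob", "10.20.3.4", "ops"), ("alice", "10.20.3.4", "Empty")]:
        d = authorize(user, ip, WEB01, acct, RULES)
        print(f"{user}@{ip} -> {WEB01.name}/{acct}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

The order of the checks matters: the user-to-resource association and the IP Limit are evaluated before the account is looked up, so an unauthorized user learns nothing about which resource accounts exist. Changing `ip_limit_mode` to `"deny"` turns the same CIDR list into a blacklist, which is the other use of IP Limit described in step 6.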