Versions Compared

Old Version 6

changes.mady.by.user W.Erber

Saved on

compared with

New Version Current

changes.mady.by.user W.Erber

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Anchor
TOC
TOC
Include Page
KBCOMMON:KB-CSSstyle
KBCOMMON:KB-CSSstyle

Contents

Table of Contents
excludeContents
stylesquare

There are several ways to access the Charon-SSP AWS Instance.

...

AWS Security Groups Overview

Access to an AWS cloud instance can be controlled by 

  • an external firewall,
  • the operating system firewall of the instance,
  • AWS security groups, and
  • AWS network ACLs.

A network ACL applies to a subnet as a whole. Only one network ACL per subnet is allowed. The rules in a network ACL are stateless (i.e., return traffic must be explicitly allowed). Rules can be defined for inbound or outbound traffic, they can allow or deny traffic, and they are evaluated starting from the lowest rule number. After the first match the search is terminated. The default network ACL allows all inbound and outbound IP traffic.

A security group can be seen as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you must assign a security group to the instance. If no custom security group is specified, a default security group will be created and associated with the instance. You can add rules to each security group that allow traffic to or from its associated instances. The rules of a security group can be modified at any time, and the modifications are automatically applied to all instances that are associated with the security group. If there is more than one security group associated with an instance, the rules of all groups are combined.

Security groups in a VPC are associated with network interfaces. Changing an instance's security groups changes the security groups associated with the primary network interface (eth0). Additional security groups can be associated with any other network interfaces added to an instance.

Points to note with respect to security groups:

  • By default, all outbound traffic is allowed.
  • Rules in a security group always define what is permitted. They cannot be used to deny specific traffic.
  • Response traffic to traffic that was permitted by a rule is always allowed (connection tracking).
  • A security group cannot allow more permissive access to a subnet than the permitted traffic defined in the network ACL of the subnet.

Please see the relevant AWS documentation for more information and configuration details.

Div
classpagebreak


Connecting to the Cloud Instance

During the configuration of your instance you should have created a security group allowing at the minimum SSH access to the instance. If this has been done correctly, you can, for example, use SSH from the command-line or from a tool such as PuTTY to access the command-line of the charon user user sshuser (for a Charon prepackaged marketplace images) or your custom user (for RPM installations) on the Charon -SSP host instance.

If you select your instance in the instance list and then click on Connect, you will see the instructions for connecting via SSH.

In particularAs shown in the image below, you will see in particular

  • the name of the private key that must be used to connect to the instance, and
  • the public DNS name of the instance, and
  • a sample user name that must be adapted to the actual user name to be used for your instance.

The following image shows an example:

Image Removed

...

Image Added

Please note:

  • The file permissions of the private key file must be set such that the file is only readable by the user

...

To connect to the instance as the user charon, use the following command:

...

The parameter ServerAliveInterval will protect the connection from timing out.

Below, you see sample output of a login:

Code Block
languagetext
$ ssh -o ServerAliveInterval=30 -i ./we-test-key2.pem charon@3.81.64.139
Last login: Tue May 21 05:34:33 2019 from myhost.example.com
[charon@ip-172-31-38-252 ~]$ pwd
/home/charon

...

If the information is correct, the Charon-SSP Manager welcome screen will be displayed:

Image Removed

...

classpagebreak

...

  • (e.g.,

...

File transfer using SFTP

The SSH security group definition is also used to allow SFTP access to the Charon-SSP AWS instance. This allows file transfers to and from the Charon-SSP AWS instance. The user for file transfers is the storage user.

To connect to the instance as the user storage, use the following command:

...

Code Block
languagetext
$ sftp -i ./we-test-key2.pem storage@3.81.64.139
Connected to storage@3.81.64.139.
sftp> pwd
Remote working directory: /
sftp> ls
storage

...

Connecting with the Charon-SSP Manager

To manage Charon-SSP and the emulated SPARC systems, you must connect to the Charon-SSP AWS instance with the Charon-SSP Manager. The Charon-SSP Manager is the main interface to all important functions of the Charon-SSP software.

Prerequisites:

  • The Charon-SSP Manager must be installed on your local system.
  • For access via the public IP address of the instance:
    • The Security Group on your local system must at least allow SSH access. This allows the built-in SSH tunneling of the Charon-SSP Manger to work. Should you not use SSH tunneling, you must open up additional ports (9091 for the Manager communication, any ports used for the emulated system serial console ports, and ports used for the graphical emulation). However, if the connection runs over the Internet, Stromasys recommends strongly to use SSH tunneling. Otherwise, your Charon-SSP cloud instance and any emulated systems running on it can easily be compromised.
    • The public key installed in .ssh/authorized_keys of the charon user of the Charon-SSP AWS instance must be copied to the local system. The Charon-SSP Manager needs this key to set up SSH tunneling.
    • Public IP address of the Charon-SSP AWS instance.
  • For access via an SSH-based VPN:
    • Active SSH-based VPN (see SSH VPN Operation)
    • Private IP address of the Charon-SSP host in the VPN

Copying the Public Key to the Local System

(info) Required if the integrated SSH tunnel of Charon Manager is to be used.

If not yet done, the public key of the key-pair associated with the Charon-SSP AWS instance must be copied to your local system.

To copy the Charon-SSP AWS public key to the local system, perform the following steps:

...

$ cat ~/.ssh/authorized_keys

Copy the content into the paste-buffer.

...

Start the Charon-SSP Manager

Start the Charon-SSP Manager using the following command:

...

This will open the login window of the Charon-SSP Manager.

...

Image Removed

...

Image Removed

...

On this tab

  • enter the public IP address or the private VPN IP address of your Charon-SSP instance,
  • enter the Charon-SSP management password (default: stromasys), and 
  • enable the SSH tunnel configuration unless you use a connection across a secure VPN.

...

If using the Manager's integrated SSH tunnel: On this tab

  • enter the Charon-SSP user (charon),
  • enter the path to the private and public key files (click on the three dots to open a file browser),
  • enter the passphrase for the private key if required, and
  • adjust the server port (default 22).

...

  • # chmod 400 <private-key-file>).
  • PuTTY uses a different key file format. It comes with tools to convert between its own .ppk format and the format of OpenSSH used by the default Linux tools.

There are several ways to connect to your Charon cloud instance using this basic SSH protocol access. Some of them are described in the following sections below.

Child pages (Children Display)
alltrue

Div
classpagebreak