
Tag Archives: Cloud

How to setup SSH access to Oracle Compute Cloud Service Instances

After playing around with the CLI it’s time to run an instance on the Oracle Compute Cloud Service. Oracle offers a broad range of images divided into 3 categories: Oracle images, Private images and Marketplace. The Marketplace holds almost 400 turn-key solutions (from PeopleSoft to WordPress), whereas the Oracle images category consists mostly of Oracle Enterprise Linux distributions.

For this blog I will start an Oracle Linux 7.2 machine on the Oracle Compute Cloud and connect to it through SSH from my own machine.

Setting up security (SSH)

First we need to create a private/public key pair to authenticate against the Linux instance. The private key stays safely on my desktop; the public key will be uploaded to the Oracle Compute Cloud. Run the following command:

jvzoggel$ ssh-keygen -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/jvzoggel/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): verySecret1
Enter same passphrase again: verySecret1
Your identification has been saved in /Users/jvzoggel/.ssh/id_rsa.
Your public key has been saved in /Users/jvzoggel/.ssh/id_rsa.pub.

In the Oracle Compute Cloud Service console we select Network -> SSH Public Keys.
Select the generated .pub file (which holds your public key and is safe to share).
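Before uploading, it is worth confirming that the file you picked really is the public half. The following Python snippet is an added example (not from the post or from Oracle's tooling): it parses one OpenSSH public key line, refuses anything that looks like a private key, and for RSA reports the modulus size so you can check it matches the `-b 2048` used above. The sample key is constructed from a dummy modulus and is not a real key.

```python
import base64
import struct

def _mpint(value: int) -> bytes:
    """Encode an integer as an SSH mpint (big-endian, leading 0x00 if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw

def _string(data: bytes) -> bytes:
    """Encode bytes as an SSH string (4-byte length prefix)."""
    return struct.pack(">I", len(data)) + data

# Constructed sample: syntactically valid "ssh-rsa" line built from a placeholder
# 2048-bit modulus. It is NOT a real key and must not be used anywhere.
_DUMMY_E = 65537
_DUMMY_N = (1 << 2047) | 1
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(
    _string(b"ssh-rsa") + _mpint(_DUMMY_E) + _mpint(_DUMMY_N)
).decode() + " jvzoggel@example"
# Constructed stand-in for what the private key file starts with.
SAMPLE_PRIV = "-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder body)\n-----END OPENSSH PRIVATE KEY-----\n"

def _read_field(blob: bytes, offset: int):
    """Read one length-prefixed field from the decoded key blob."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length

def inspect_public_key(text: str) -> dict:
    """Parse one OpenSSH public key line; raise ValueError for anything that is not one."""
    if "PRIVATE KEY" in text:
        raise ValueError("this is a private key, not the .pub file")
    parts = text.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner_type, off = _read_field(blob, 0)
    if inner_type.decode() != key_type:
        raise ValueError("key type prefix does not match the encoded blob")
    info = {"type": key_type, "comment": comment, "bits": None}
    if key_type == "ssh-rsa":
        _, off = _read_field(blob, off)      # public exponent e, not needed here
        n_raw, _ = _read_field(blob, off)    # modulus n as mpint
        info["bits"] = int.from_bytes(n_raw, "big").bit_length()
    return info

def is_shareable(text: str) -> bool:
    """True only if the text is a well-formed public key line (safe to upload)."""
    try:
        inspect_public_key(text)
        return True
    except (ValueError, struct.error):
        return False

if __name__ == "__main__":
    print(inspect_public_key(SAMPLE_PUB))   # {'type': 'ssh-rsa', 'comment': 'jvzoggel@example', 'bits': 2048}
    print(is_shareable(SAMPLE_PRIV))        # False
```

Feed it the contents of `~/.ssh/id_rsa.pub`; if `is_shareable` returns False, stop and look at which file you have opened.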

Now that the Oracle cloud knows our public key it can allow secure authentication to its instances. However, we still need some security configuration to make sure the SSH traffic is allowed to pass through. This can be done during instance creation, but I think it’s better to do it upfront.

Creating a secure ip list (source)

Under Network -> Shared Network -> Security IP-Lists we add a new entry. An entry can hold multiple IP ranges, but in our case we add just 1 address: our public IP address on the internet. If you don’t know which IP you use when you go out onto the internet, google “what is my IP address” and many sites will tell you. Enter your address and select Create.
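Because this IP list becomes the only source allowed to reach SSH, it pays to sanity-check the entries before saving them. The Python below is an added example (not from the post or from Oracle): it reviews a candidate list, flags entries that open SSH to the whole internet, ranges wider than a single host, and non-public addresses that internet traffic can never match. The sample entries are constructed (203.0.113.7 is a documentation address).

```python
import ipaddress

# Ranges that can never be the source of traffic arriving from the internet
_NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",
)]

def review_ip_list(entries):
    """Return {'accepted': [...], 'issues': {entry: [reasons]}} for a Security IP-List."""
    accepted, issues = [], {}
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            issues[raw] = ["not a valid IP address or CIDR range"]
            continue
        problems = []
        if net.prefixlen == 0:
            problems.append("matches the whole internet; SSH would be open to everyone")
        elif net.prefixlen < net.max_prefixlen:
            problems.append(f"covers {net.num_addresses} addresses, not a single host")
        if any(net.subnet_of(p) for p in _NON_PUBLIC if p.version == net.version):
            problems.append("not a public address; traffic from the internet will never match it")
        if problems:
            issues[raw] = problems
        else:
            accepted.append(str(net))
    return {"accepted": accepted, "issues": issues}

if __name__ == "__main__":
    # Constructed input: one good entry and three mistakes
    result = review_ip_list(["203.0.113.7", "0.0.0.0/0", "10.0.0.0/8", "not-an-ip"])
    for entry, reasons in result["issues"].items():
        print(f"{entry}: {'; '.join(reasons)}")
    print("accepted:", result["accepted"])
```

Only the entries under `accepted` belong in a list that guards SSH; a single address is stored as a /32.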

Creating a secure list (target)

The next step is to create a security list. A security list is a bundle of 1 or more instances that you can use as source or destination in security rules. Before we create the security rule, and even before the instance, we create the list upfront; it will hold that 1 instance and serve as the rule’s destination.

Creating a secure rule (bring it all together)

You can use security rules to control network access between your instances and the Internet. In this case we create a rule that allows only SSH traffic, from our own machine to the soon-to-be-created instance in our (still empty) security list. Oracle Compute ships with many predefined security applications, SSH among them. Make sure to select the IP list as source and the security list as destination.

Security should be all set, let’s start our first instance.

Creating a secure Instance on Oracle Compute Cloud

Under Instances -> Instance we select Oracle Images and pick the latest version of Oracle Enterprise Linux. Make sure not to select Review and Create but use the “>” button to the right of it. In my opinion the UX is not very self-explanatory here; a label like “Configure and Create” would be clearer.

Go through the wizard and, during the Instance step, make sure to add the public SSH key we uploaded earlier. This allows access to our instance over SSH without needing a password.

In the Network step of the wizard we add the new instance to our freshly created security list. With this, the instance will inherit all the security rule configurations we made earlier.

Finish the wizard and wait for the Compute Cloud Orchestration to complete. After that your instance should be running.

Proof of the pudding

Check the public IP of your Oracle Compute Cloud instance and use it in your shell to connect with the SSH command.

And voila…

jvzoggel$ ssh -i /Users/jvzoggel/.ssh/id_rsa opc@120.140.10.50 
[opc@bd8ee6 /]
[opc@bd8ee6 /]$ whoami
opc
[opc@bd8ee6 /]$
[opc@bd8ee6 /]$ cat /etc/oracle-release
Oracle Linux Server release 7.2


Posted on 26-04-2017 in Uncategorized

 


Using the Oracle Public Cloud Command Line Interface (CLI)

The Oracle Public Cloud Command-Line Interface is a utility that lets you manage your cloud environment from the command line. The current release (1.1.0) only supports the Compute service, but Oracle states that support for additional services is coming in future releases.

I like command-line interfaces, and being familiar with the implementations of Oracle’s cloud competitors I was curious. So I downloaded the CLI tool here, and since I already had Python installed on my OS X machine, the startup time for a newcomer is relatively short.

The initial setup

We need 3 variables to connect to the Oracle Cloud:

  • The REST API endpoint
  • domain/username
  • password

You can get the REST endpoint by logging in to the Oracle Cloud and checking the service details under Oracle Compute Cloud Service.

So we take the REST Endpoint from there for OPC_API, and OPC_USER is the prefix “/Compute-”, followed by your identity domain and your cloud username. Run the next 2 commands in your shell (with your own values, of course):

export OPC_API="https://api-z00.compute.us1.oraclecloud.com"
export OPC_USER=/Compute-gse00000001/cloud.admin

We need to put the password in a text file, because otherwise the oracle-compute CLI will tell us:
ValidationError: Secure argument "password" can only be read from a file or terminal, but the argument "xxxxx" is not a regular file

So create a pwd.txt file, store the password in it, and restrict its permissions to your own user:

chmod 600 /full/path/to/password/file
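The CLI only enforces that the argument is a regular file; the chmod is up to you. The Python below is an added example (not part of the post or of the oracle-compute CLI) that checks both requirements before you hand the file to `auth`: regular file (no symlink), owned by you, and no group/other permission bits. The demo writes two constructed files with a placeholder string into a temp directory.

```python
import os
import stat
import tempfile

def password_file_problems(path: str) -> list:
    """Return the reasons a credentials file is unsafe or unusable (empty list means OK)."""
    problems = []
    try:
        st = os.lstat(path)            # lstat: a symlink must not pass as a regular file
    except FileNotFoundError:
        return ["file does not exist"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink, not a regular file")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible by group/others (expected mode 0600)")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append("not owned by the current user")
    return problems

def demo() -> dict:
    """Create a correctly protected and a world-readable file and report on both."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "pwd.txt")
    bad = os.path.join(workdir, "pwd-world-readable.txt")
    for p in (good, bad):
        with open(p, "w") as f:
            f.write("not-a-real-password\n")   # constructed placeholder, not a credential
    os.chmod(good, 0o600)
    os.chmod(bad, 0o644)
    missing = os.path.join(workdir, "does-not-exist.txt")
    return {
        "good": password_file_problems(good),
        "bad": password_file_problems(bad),
        "missing": password_file_problems(missing),
    }

if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

Run `password_file_problems("/full/path/to/password/file")` right before `oracle-compute auth`; an empty list means the file is ready.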

Authentication

The next step is authenticating against the Oracle Compute Cloud.

oracle-compute auth /Compute-gse00000001/cloud.admin pwd.txt

This command returns an authentication token and sets the OPC_COOKIE environment variable. The token expires after 30 minutes. As the CLI tool handles authentication by managing the cookies file, you don’t need to run the export command yourself.

The authentication token expires 30 minutes from the time you run the auth command. The refresh_token command extends the expiry of the current authentication token with another 30 minutes, but not beyond the session expiry time, which is 3 hours.

oracle-compute refresh_token

You can now use all the CLI commands like list, delete, add, create, discover, get and more. At least for 30 minutes :)


Posted on 25-04-2017 in Uncategorized

 


How to push to AWS CodeCommit from Mac OS X

When trying to push to an AWS CodeCommit Git repository I received the following error:

jvzoggel$ git push
 fatal: unable to access 'https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/myProject/': The requested URL returned error: 403

The Amazon website states:

If you are using macOS, use HTTPS to connect to an AWS CodeCommit repository. After you connect to an AWS CodeCommit repository with HTTPS for the first time, subsequent access will fail after about fifteen minutes. The default Git version on macOS uses the Keychain Access utility to store credentials. For security measures, the password generated for access to your AWS CodeCommit repository is temporary, so the credentials stored in the keychain will stop working after about 15 minutes. To prevent these expired credentials from being used, you must either:

  • Install a version of Git that does not use the keychain by default.
  • Configure the Keychain Access utility to not provide credentials for AWS CodeCommit repositories.

I used the second option to fix it, so:

  1. Open the Keychain Access utility (use Finder to locate it)
  2. Search for git-codecommit
  3. Select the row, right-click and then choose Get Info.
  4. Choose the Access Control tab.
  5. In Confirm before allowing access, choose git-credential-osxkeychain, and then choose the minus sign to remove it from the list.


After removing git-credential-osxkeychain from the list, you will see a pop-up dialog whenever you run a Git command. Choose Deny to continue. The pop-up is really annoying so I will probably switch over to SSH soon.


Posted on 18-02-2017 in Uncategorized

 


How to install AWS CLI on Mac OS X

This is the second time this month I had to do it myself, figure it out or explain it, so I decided to write it down.

Install the AWS CLI on OS X

jvzoggel$ brew install awscli
jvzoggel$ echo 'complete -C aws_completer aws' >> ~/.bashrc

AWS Identity and Access Management

From the IAM console create your personal access key ID and secret access key. Make sure to note them both down in a safe place!


Configure the aws-cli

Use the generated AWS IAM credentials to configure your AWS CLI for the connection.

jvzoggel$ aws configure
 AWS Access Key ID [None]: xxxxxxxxx
 AWS Secret Access Key [None]: xxxxx
 Default region name [None]: eu-west-1
 Default output format [None]:

jvzoggel$ aws --version
 aws-cli/1.11.48 Python/2.7.10 Darwin/16.4.0 botocore/1.5.11

 


Posted on 16-02-2017 in Uncategorized

 


Cloud integration using federation between Microsoft Office 365 Azure Active Directory (AAD) and Amazon Web Service (AWS)

Not an Oracle blog for a change, but when an organization uses both Amazon Web Services (AWS) and Microsoft Office 365 it is possible to allow single sign-on with the internal LDAP Microsoft uses (Azure AD). Since RubiX has used both cloud products since day 1, I decided to look into integrating them when Microsoft recently enabled SAML federation.

In this blog I will demonstrate how to connect Amazon Web Services (AWS) to the internal Azure Active Directory (AAD) used by Microsoft. As a result, your users should be able to log in to AWS from the Office 365 menu.


1. Configure Microsoft Office 365 / Azure Active Directory (AAD)

Go to your Administration console and select Azure AD from the ADMIN menu.


In the Azure AD console select “Active Directory”, click on your Office 365 domain name and the AD menu should open. Click on “Applications” in the top menu.


By default you will see a lot of Microsoft web applications, so we click on “Add+” in the bottom menu. Then select “Add application from the gallery”.


The AWS application will be added to your list. Select Configure Single Sign-On next.


We select the first option (MS AAD SSO) to establish federation between AAD and AWS. Federated Single Sign-On lets the users in your organization be signed in automatically to a third-party application like AWS using their AAD user account. In this scenario, when you are already logged in to Office 365, the federation eliminates the need to log in to AWS again.


In this case we don’t need any extra advanced settings, so click Next.


Download the metadata XML, store it for later use, and make sure to tick the checkbox.


Go to the Users tab and assign (bottom button) the users that are allowed to log in to AWS.


Before we can finalize our SSO from AAD, we first need to setup AWS.

2. Configure Amazon Web Service (AWS)

Log in to your AWS account and select Identity & Access Management (IAM).


First we will create an Identity Provider for AAD.
Select SAML as Provider Type and choose a logical name (I use “Office365” in my example).
Browse to the exported metadata we downloaded from the AAD console earlier.

Important: check your metadata xml file

  • The exported metadata XML file from Azure might be encoded as UTF-8 with byte order mark (BOM). Make sure to convert it to UTF-8 without BOM otherwise the AWS console will not be able to import it.
  • Make sure to remove the <?xml version="1.0"?> declaration on line 1, otherwise AWS will not be able to parse the file.
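Both fixes are easy to get wrong by hand (editors tend to re-add the BOM). The Python below is an added example, not from the post or from Azure/AWS: it strips a UTF-8 BOM and a leading XML declaration from the exported metadata, then parses the result to prove it is still a SAML `EntityDescriptor`. The sample metadata is constructed and carries a placeholder entityID.

```python
import xml.etree.ElementTree as ET

UTF8_BOM = b"\xef\xbb\xbf"

# Constructed sample showing both defects the post warns about: BOM + XML declaration.
# The entityID is a placeholder, not a real tenant.
SAMPLE_METADATA = (
    UTF8_BOM + b'<?xml version="1.0"?>\n'
    b'<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    b'entityID="https://sts.windows.net/example-tenant-id/">\n'
    b'  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>\n'
    b'</EntityDescriptor>\n'
)

def _strip_bom(data: bytes) -> bytes:
    return data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data

def sanitize_metadata(data: bytes) -> bytes:
    """Drop a leading UTF-8 BOM and a leading <?xml ...?> declaration; touch nothing else."""
    body = _strip_bom(data).lstrip()
    if body.startswith(b"<?xml"):
        end = body.find(b"?>")
        if end < 0:
            raise ValueError("XML declaration is not terminated")
        body = body[end + 2:].lstrip()
    return body

def check_metadata(data: bytes) -> dict:
    """Sanitize, then confirm the result still parses and is SAML metadata."""
    cleaned = sanitize_metadata(data)
    root = ET.fromstring(cleaned)                 # raises ParseError if we broke the XML
    local_name = root.tag.rsplit("}", 1)[-1]      # drop the namespace prefix
    return {
        "had_bom": data.startswith(UTF8_BOM),
        "had_declaration": _strip_bom(data).lstrip().startswith(b"<?xml"),
        "root": local_name,
        "entity_id": root.get("entityID"),
        "cleaned": cleaned,
    }

if __name__ == "__main__":
    report = check_metadata(SAMPLE_METADATA)
    print({k: v for k, v in report.items() if k != "cleaned"})
    # For a real file: read with open(path, "rb"), write report["cleaned"] back with open(path, "wb")
```

Writing the cleaned bytes back in binary mode matters; opening the file in text mode on some platforms re-introduces the BOM you just removed.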


As a result we now have a SAML provider configured, so it is time to set up some roles.
Select Roles in the IAM menu, select “Create New Role” and give your role a logical name (I use “RubixUsers” here).
As the Role Type select “Grant Web Single Sign-On (WebSSO) access to SAML providers”.


  • Select the SAML provider we trust; here that is the “Office365” provider created earlier.
  • The next step lets you customize the policy, which we won’t do, so click Next.
  • In the step after that you select the policy to attach to your SSO users.
    You can go fine-grained with policies, but for now I will use the default PowerUser policy.
  • The last screen shows a review of the configuration; make sure to note down the Role ARN and the Trusted Entities:
    Role ARN = arn:aws:iam::[customerID]:role/[RoleName]
    Trust = arn:aws:iam::[customerID]:saml-provider/[ProviderName]
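These two ARNs are what AAD later has to send to AWS: AWS expects them joined with a comma, role first, in the SAML Role attribute (this is AWS's documented format for SAML federation, not something the post states). The Python below is an added example, not from the post: it validates both values against the shapes listed above, checks they belong to the same account, and builds the attribute value. The 12-digit account number is a constructed placeholder.

```python
import re

# ARN shapes exactly as the review screen lists them: role and saml-provider in IAM
_ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=.@-]+)$")
_PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/([\w._-]+)$")

def role_attribute_value(role_arn: str, provider_arn: str) -> str:
    """Validate both ARNs and return '<role arn>,<provider arn>', the value AWS expects."""
    role = _ROLE_ARN.match(role_arn.strip())
    provider = _PROVIDER_ARN.match(provider_arn.strip())
    if not role:
        raise ValueError("role ARN does not look like arn:aws:iam::<account>:role/<name>")
    if not provider:
        raise ValueError("provider ARN does not look like arn:aws:iam::<account>:saml-provider/<name>")
    if role.group(1) != provider.group(1):
        # A role in one account paired with a provider in another can never be assumed
        raise ValueError("role and provider belong to different AWS accounts")
    return f"{role.group(0)},{provider.group(0)}"

def arns_consistent(role_arn: str, provider_arn: str) -> bool:
    """True if the pair would be accepted by role_attribute_value."""
    try:
        role_attribute_value(role_arn, provider_arn)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed values using the names from the post and a placeholder account id
    print(role_attribute_value(
        "arn:aws:iam::123456789012:role/RubixUsers",
        "arn:aws:iam::123456789012:saml-provider/Office365",
    ))
```

Keep the output string handy; it is the value you paste into the attribute configuration on the AAD side in the next section.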


 

3. Configure Microsoft Office 365 / Azure Active Directory (AAD) – part 2

Go back to the AAD management console (https://manage.windowsazure.com).
Select applications -> Amazon Web Services (AWS) -> Attributes

Add the following 2 attributes:

[screenshot: the two attributes to add]

 

4. Result

With these configuration steps you are now able to log in to AWS from your Office 365 apps tile.


Posted on 16-10-2015 in Uncategorized

 


Request, Activate & Administer an Oracle Cloud Service

Rick Green from Oracle explains in these two videos (from the Oracle Learning YouTube channel) how to request and activate an Oracle Cloud (trial) Service and how to administer these cloud services.

Part 1 – Requesting and Activating an Oracle Cloud Trial Service

Part 2 – Administering a New Oracle Cloud Service

 

Posted on 06-06-2013 in Oracle

 
