Over the past month, I received a couple of requests from Windows administrators to help decipher the console connection instructions for Oracle Cloud Infrastructure. Because I previously wrote about how to build secure connections for graphical applications on Linux, I thought that this would be a good topic to write about.
To start, the documented instructions on how to create and use a console connection are accurate and succinct, but they are written for a general audience. To help Windows administrators specifically, this post provides a step-by-step process for getting to a Windows console.
Creating the Required Key Pairs
The first thing you need to do is to create a set of SSH keys. "But wait!" you may say. "This is Windows. Why do I need SSH?" Well, Oracle Cloud Infrastructure uses SSH tunnels to create fully secure connections into the console. Then, we run whatever protocol we need within those tunnels—in this case, VNC. So although SSH is not common within the Windows community for connecting to consoles, we use it to ensure that all console connections, Windows or Linux, are secure.
Some terms you should know:
- Key pair: The set of two files that SSH uses to establish a connection. One file holds the public key and the other holds the private key.
- Public key: The part of the key pair that you can "safely" put on remote systems. The public key is useless by itself; it requires the other half (the private key) to work. Private keys cannot be derived from public keys.
- Private key: The part of the key pair that you use to create the connection and tunnel. This key must be protected, because anyone who holds it can connect to every endpoint on which its associated public key has been installed.
- Passphrase: An optional password applied to the private key; the key cannot be used unless the correct passphrase is supplied. If your private key is "acquired," a passphrase can prevent it from being used by anyone else.
Follow these steps to create your key pairs:
- Install a VNC viewer on your desktop.
- Install PuTTY and PuTTYgen.
- Open PuTTYgen.
- Click Generate, and then move the cursor around in the blank area in the window to generate random data for the key.
- Optionally, enter a passphrase. For the console, a passphrase is typically not needed.
- Click Save private key. Name the key something that is relevant (I named mine mykey.ppk).
- Open Notepad.
- Copy the text in the Public key for pasting into OpenSSH authorized_keys file box in the PuTTYgen window and paste it into Notepad.
- Save the text with the same name as the private key but with .pub as the extension. For example, I saved mine as mykey.pub.
- Note the path to both the public and private key files.
You have to create only a single key pair for all the console connections; you can reuse it as often as you like. Each console is created with its own unique connection string, so there is no danger of connecting to the wrong console using the same key.
If you lose your key pair, forget your passphrase, or think that your private key has been compromised, generate a new set. You will also have to delete and re-create the console connection because you cannot substitute a new key for an old one.
Creating the Console Connection
Now that you have your key pair, you are ready to create your console connection. The console connection is simply a resource that is associated with your Windows instance running in your tenancy, just like a VNIC, block storage, or anything else. Console connections can be created (or destroyed) at any time after the instance is provisioned, even before you log in to the instance for the first time. To create a console connection after the initial provisioning is completed, follow these steps:
- When the instance is in a Running state, click Console Connections under Resources on the instance details page.
- Click Create Console Connection.
- In the dialog box, click Browse and select the public key part of the key (the .pub file).
- Click Create Console Connection in the dialog box.
As mentioned previously, if you need to change the key out for some reason, you must delete and re-create the console connection. This does not affect the connection to the instance outside of the console, so you can safely do this as needed.
Using the Console
Now you are ready to use the console. Before you connect to it, however, you must get the connection string and modify it to fit your configuration.
- For the active console connection, click the Actions menu (three dots) and select Connect with VNC.
- In the Connect with VNC dialog box, select Windows.
- Copy the connection string to Notepad.
- Copy the full path to the private key file (the .ppk file) and substitute that path for all occurrences of $env:homedrive$env:homepath\oci\console.ppk in the connection string. For example, my path name is C:\Users\nelsos\mykey.ppk.
Note: If you are planning to keep the console connection available and reuse it in the future, save this connection string locally so you do not have to regenerate it every time you make a connection. You can even save it as a .ps1 file and run it as a PowerShell script.
- Copy the resulting command into a PowerShell window and run it.
- When you see Store key in cache? (y/n), type y. This prompt appears the first time you connect to a given console.
When the cursor reappears in the PowerShell window, your connection is ready. Keep this PowerShell session running, because it is maintaining the tunnel that VNC will use to communicate securely with the console endpoint.
- Open your VNC viewer and connect to localhost:5900.
If you get an "Unencrypted connection" security warning, it is safe to click Continue. The SSH tunnel created by the console connection provides an encrypted tunnel to the console so VNC does not have to.
- Log in to your instance with your instance credentials. Happy consoling!
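If you take the advice in the note above and keep the connection string around, the key-path substitution and the "is the tunnel already up?" check are worth scripting rather than doing by hand in Notepad each time. The following PowerShell wrapper is an added example, not part of the original post or of Oracle's own tooling; it assumes the command copied from the Connect with VNC dialog was saved unchanged to console-connect.txt next to the script, that the private key is the .ppk file PuTTYgen produced, and that the placeholder path in the dialog's command is the $env:homedrive$env:homepath\oci\console.ppk string shown in the steps above.

```powershell
# Added example: run the saved OCI console connection string with your own .ppk path.
# Assumes console-connect.txt holds the exact command copied from the Connect with VNC dialog.
param(
    [string]$ConnectionStringFile = "$PSScriptRoot\console-connect.txt",
    [string]$PrivateKey = "$env:USERPROFILE\mykey.ppk",   # your PuTTYgen private key
    [int]$LocalPort = 5900                                 # port the VNC viewer connects to
)

# The dialog's command refers to the key by this placeholder; the post says to
# replace every occurrence of it with the real path of your private key file.
$placeholder = '$env:homedrive$env:homepath\oci\console.ppk'

if (-not (Test-Path -LiteralPath $PrivateKey)) {
    throw "Private key not found: $PrivateKey"
}
if (-not (Get-Command plink.exe -ErrorAction SilentlyContinue)) {
    throw "plink.exe (installed with PuTTY) is not on PATH; the connection string needs it."
}

$template = Get-Content -LiteralPath $ConnectionStringFile -Raw
if (-not $template.Contains($placeholder)) {
    throw "Connection string does not contain the expected key placeholder; copy it again from the dialog."
}

# Refuse to start a second tunnel if something already listens on the VNC forward port.
$busy = Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue
if ($busy) {
    throw "Local port $LocalPort is already in use; close the other tunnel or VNC session first."
}

# String.Replace is a literal (not regex) replace, so the backslashes and $ signs
# in the placeholder are matched exactly as they appear in the saved command.
$command = $template.Replace($placeholder, $PrivateKey)

Write-Host "Opening the console tunnel; point your VNC viewer at localhost:$LocalPort."
Write-Host "Answer y to 'Store key in cache?' on first use, and leave this window open."
# The saved text is the PowerShell command the dialog told you to paste, so run it as such.
Invoke-Expression $command
```

Because the tunnel runs in the foreground, the script does not return until you close the session, which matches the instruction to keep the PowerShell window open.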
The process for connecting to a console might seem long, but you have to perform many of the steps only once, and it is necessary to ensure that you always have a secure session available to the instance's console. Although this console is not intended for everyday use (there are easier and better ways to get to Windows instances), it is fully functional and allows you to get to instances that need work done at a console instead of via RDP. Hopefully this description is helpful to all those Windows administrators out there trying to get console connections to their instances.