To use the bwCloud infrastructure, registration is required. If this is not yet the case, then simply follow our step-by-step instructions as described under First steps. The registration is based on the usage of bwIDM (Federal Identity Management of the Baden-Württemberg universities) which is why, in principle, all members of institutions in Baden-Württemberg can use the bwCloud. Registration for the bwCloud is currently handled centrally via a server of University of Freiburg.

Please note: Do not store any personal and/or sensitive data or information in the bwCloud. We can't provide a sufficient level of protection in order to meet the requirements of ZENDAS regarding data protection etc.

Create SSH key pair (Windows, PuTTYgen)[ssh_key_gen_win]

This step-by-step guide describes the process of creating a SSH key pair (public and secret SSH key) under Windows with PuTTYgen.

First PuTTYgen must be installed. The public SSH key can then be uploaded to the bwCloud environment. In combination with the personal secret SSH key, it is then possible to log in to the the created virtual machines.

PuTTYgen installation
Download the program puttygen.exe.

  1. For example, go to the page
  2. On the website, click on Download PuTTY.
  3. Search on the page that opens afterwards for the source 'puttygen.exe (a RSA and DSA key generation utility)'.
  4. Save the appropriate program for your system (64-bit x86 or 64-bit x86).
  5. Start the program/ file putty.exe directly.

SSH-Key generating Create an SSH key pair and put it in the right format.

  1. Choose the following settings: the type RSA, the bit strength at least 4096 and a password for the key.
  2. Click the Generate button to the right of the Generate a public/private key pair label.
  3. Move the mouse over the screen with irregular movements to generate enough entropy for key generation. When the key generation is completed successfully, the public key is displayed in a text box
  4. Open a simple text editor (e.g. Notepad) and copy the generated public key from the text field into the editor.
  5. Change the format of the key to a one-liner. ssh-rsa AAAAB3N...SMQQ==
  6. Save the public key in a directory.
  7. Save the private key in the same directory as the public key before. To do this, click the Save private key button.

Additional Steps

  1. Then proceed with the setup of the PuTTY environment as described in Set up SSH client PuTTY
  2. Now register the public SSH key in the bwCloud environment Import the just created public key. Proceed as described in SSH key registration and follow the steps described there Working steps.
Slideshow ausklappen Step-by-step instructions and slideshow unfold

⇈ Top

SSH key registration[ssh_key]

We recommend you to register your public personal SSH key in our bwCloud environment. This public SSH key is automatically inserted into the system whenever a virtual machine is started (applies only to Linux-based virtual machines). You can then log in to the system from remote / outside via SSH.

  1. Log into the bwCloud as described in First steps: Schritt 3
  2. Click below Project → Compute on Key pairs You will see an overview of the key pairs you have (already) imported.
  3. Click on the button Import key pair in the upper right corner. A dialog opens.
  4. Name your SSH key with a unique name and copy the public SSH key into the text field below. Then click on the button Import key pair. If the process was successful, you will get an overview with the imported SSH key(s).
Slideshow ausklappen Step-by-step instructions and slideshow unfold

⇈ Top

Setting up the PuTTY SSH client (Windows)[putty]

The SSH client PuTTY is a simple and free program to get access to the started instances via SSH under Windows. This step-by-step guide describes how to set up the program to access the virtual machines with the previously generated public and private SSH keys.

PuTTY installation
Download the PuTTY program. There are two ways to do this.

  1. To do this, go to the central page , for example, and click on the Download PuTTY link there.
  2. The page that then opens refers to the sources.

Option Source 'MSI (Windows Installer)':

  1. Save the appropriate installer for your system (64-bit x86 or 64-bit x86).
  2. Start the installation process.
  3. Start the PuTTY program.

Option Source 'putty.exe (the SSH and Telnet client itself)':

  1. Save the appropriate installer for your system (64-bit x86 or 64-bit x86).
  2. Start the program/ file putty.exe directly.

PuTTY setup

  1. Start PuTTY.
  2. Click on the ConnectionSSHAuth items in the left menu tree.
  3. Now click on the Browser button below the text Private key file for authentication:. Now select the file with your private SSH key.
  4. If you do not want to repeat this process every time, we recommend saving the current PuTTY settings as a profile. To do this, click on the topmost item Session in the menu tree on the left.
  5. Now name the current settings (and session) either with your own name and/or click on the Save button.
  6. Now restart PuTTY. The previously selected secret SSH key is selected again.
Slideshow ausklappen Step-by-step instructions and slideshow unfold

⇈ Top

Starting an instance[launch_instance]

  1. Click on Instances in the left menu and on the new page on the button Launch Instance. A dialog opens that guides you through the process step-by-step.
  2. First, enter a meaningful Name for the instance and enter it in the appropriate field. Then click on the Next button below or on Source* in the left menu.
  3. Now select a template on which your instance should be based. In the Allocated area, the selected image is displayed. If you want to discard this selection, click on the Down Arrow in the line.
  4. In the next step the flavor must be selected. This is done again by clicking on the arrow up (bordered in red). If your current quota is too low for a flavor, this is indicated by a yellow warning symbol.
  5. Next, select the network. In most cases you don't need to change nothing here, because the default setting usually fits. As far as the Security Group is concerned, you don't usually have to change anything here either.
  6. In the next step you select the public SSH key that is to be integrated into the instance. This step is very important, because without a public SSH key no access to the running instance is possible.
  7. Now click on the button Launch Instance - and the instance is started
  8. When the instance is completely started and set up, the IP addresses under which it can be reached are displayed in the overview. You can now connect to the instance via SSH. The corresponding SSH usernames can be found in the list, which can be accessed via the link "Current and available images in bwCloud SCOPE"
Slideshow ausklappenFold out instructions and slideshow

⇈ Top

Open a port for remote access[open_port]

By default, a new virtual machine in the bwCloud is initially only accessible from outside via SSH (Port 22), defined by the assigned Security Group. All other ports are closed, i.e. requests on these ports can't get through to the instance. Some information about security with open Ports is in the FAQ mentioned.

For example, if a Web server has to be accessible via HTTPS, the corresponding port (Port 443) in the Security Group must be opened.

The step-by-step instructions explain in detail how to open a port using the Dashboards.

  1. Log in to the bwCloud Visit the Dashboard and enter your access data
  2. Click on the left menu on Network and on the sub-item Security Groups. An overview of the currently defined security groups is displayed. The default group bears the name default.
  3. Click on the button Manage Rules in the corresponding line, an overview of all rules defined for this security group opens
  4. If you want to add a new rule, click the button Add Rule. A dialog opens in which you can describe the new rule.
  5. For example, if you intend to allow access via HTTPS, select HTTPS in the drop-down menu of the first item ("Rule").
  6. Your server should not be accessible from anywhere from the outside. The entry in the field "CIDR" restricts the access to a specific network segment. Enter there the IP-addresses that should be allowed.
  7. Then click Add. The overview is reloaded, and the new rule appears in the list.
  8. If you want to open an individual port, select the value Custom TCP Rule under "Rule" in the dialog.
  9. You can enter the corresponding port number in the "Port" field.
  10. In the "CIDR" field, you can set the access to individual network segments. If you aim to create an IPv6 rule, enter the network segment in IPv6 notation here.
  11. In the field "Direction" you can define the direction: Ingress = Incoming connections, Egress = Outgoing connections
  12. Click Add, and the new rule is created.
  13. Once the rules of a security group change, these changes will take effect for all instances connected to it. So there is no need to reboot the virtual machines!
Slideshow ausklappen Step-by-step instructions and slideshow unfold

⇈ Top

Access via CLI or API[api_token]

Access via CLI ("Command Line Interface") is very useful and useful especially for automated access to bwCloud. Changing the authentication method from username-service password combination to OpenID Connect also changes the way (automated) access via CLI to the bwCloud API is required.

In essence, a special "token" (ID & secret combinatio) has to be generated for external access, which is entered instead of the service password in the scripts and programs that access the bwCloud API. This section explains how this token can be generated:

  1. Log in to the bwCloud as described in "Logging in to the bwCloud".
  2. Click on Identity in the left menu and on the subitem Application Credentials. You will get an overview of the currently created credentials
  3. Click on the button Create Application Credential. A dialog opens where you can configure the new access data
  4. In order to be able to assign afterwards for which purpose you have created which application access data, give the new data record an appropriate meaningful name and description
  5. With the expiration date you define how long the data should be valid. If you do not enter anything here, the data will be valid until 00:00 of the current day.
  6. You can enter your own secret - if the field is left empty, a unique and random password will be generated
  7. The "Unrestricted" checkbox should be activated with the utmost caution: It enables further new application access data to be generated automatically with the generated application access data!
  8. Then click on Create Application Credential
  9. IMPORTANT: You will now be given the opportunity once (!) to a) view the generated data and extract it via copy & paste or b) save it in special files.
    You will be shown three data fields

    1. the ID (<$ID>),
    2. the name you have chosen and
    3. the generated secret (<$SECRET>) of the application access data.

    Save the displayed data or download the file(s) to your computer. Once the window is closed, the password will never be displayed again. Therefore, if you lose the application credentials, they cannot be recovered.

Testing the access data

To test the generated application credentials, we need the generated ID <$ID> and the generated password <$SECRET>. The following curl command can be used to test the application credentials on the command line:

$ curl -i -H "Content-Type: application/json" -d ' { "auth": { "identity": { "methods": ["application_credential"], "application_credential": {  "id": "<$ID>", "secret": "<$SECRET>"}}}}'

To display the answer in a nicer way, the following curl command can be used (Attention: the program "jq" must be installed!):

$ curl -s -H "Content-Type: application/json" -d ' { "auth": { "identity": { "methods": ["application_credential"], "application_credential": {  "id": "<$ID>", "secret": "<$SECRET>"}}}}'  | jq

A successful access will return an x-subject token. Unsuccessful accesses will return a 401 error code

⇈ Top

Privacy statement   |   Impressum   |   Site built with Simple Responsive Template   |   Modified:11.8.2023during the afternoon byJCS