Connecting to a Compute Instance

The image that was used to create the instance might not be the most up-to-date version that is available. Best practice is to check for and install operating system updates whenever you log in to an instance, especially when you log in for the first time.

Prerequisites

You need the following information to connect to an instance:

  • The public IP address of the instance.

    You can get the address from the Instance Details page in the Compute Web UI. Click Dashboard, and click the Compute/View Instances button. Click the name of your instance. On the instance details page, click the Networking tab. The Public IP Address is in the Instance Access section.

  • For UNIX instances: The full path to the private key portion of the SSH key pair that you used when you launched the instance.

    For more information about key pairs, see Managing Key Pairs.

  • The initial user name for the instance.

    The initial user name for an instance is determined by the image that was used to create the instance. Images fall into these categories:

    • Images provided with Private Cloud Appliance:

      If you used an image that is provided with the appliance such as Oracle Linux or Oracle Solaris to launch the instance, the user name is opc.

    • Custom images:

      The initial user depends on how the image was configured before it was imported as a custom image.

  • (In some circumstances) The initial user password.

    The initial user password for an instance is determined by the image that was used to create the instance. Images fall into these categories:

    • Images provided with Private Cloud Appliance:

      Instances launched using an Oracle Linux or Oracle Solaris image that was provided by Oracle use SSH to authenticate a user, and there is no initial password required.

    • Custom images:

      The initial password depends on how the image was configured before it was imported as a custom image.

Managing Key Pairs

The method you use to log into an instance depends on how the image that was used to launch the instance was configured.

  • Images provided with Private Cloud Appliance launch instances that use an SSH key pair instead of a password to authenticate a remote user. These images also include the cloud-init toolkit (required for SSH authentication) in launched instances.

  • Custom images might be configured with the cloud-init toolkit and use SSH for authentication, or the image might be configured to use its own set of credentials to authenticate a user. For example, the image might require a password. If the image requires a password, you don't need to create an SSH key pair.

Note:

Only instances that were created with the cloud-init toolkit can use SSH key pairs.

A key pair consists of a private key and public key. You keep the private key on your computer and provide the public key when you create an instance. When you connect to the instance using SSH, you provide the path to the private key in the SSH command.

You can have as many key pairs as you want, or you can keep it simple and use one key pair for all or several of your instances.

To create your own key pairs, you can use a third-party tool such as OpenSSH on UNIX systems (including Linux, Oracle Solaris, BSD, and macOS) or PuTTY Key Generator on Microsoft Windows.

Required SSH Public Key Format

If you provide your own key pair, it must use the OpenSSH format.

A public key has the following format:

key_type public_key optional_comment

For example, an RSA public key looks like this:

ssh-rsa AAAAB3BzaC1yc2EAAAADAQABAAABAQD9BRwrUiLDki6P0+jZhwsjS2muM
...
yXDus/5DQ== rsa-key-20201202

For images provided with the appliance, these SSH key types are supported: RSA, DSA, DSS, ECDSA, and ED25519.

If you bring your own image, you're responsible for managing the SSH key types that are supported.

For RSA, DSS, and DSA keys, a minimum of 2048 bits is recommended. For ECDSA keys, a minimum of 256 bits is recommended.

Prerequisites

  • If you're using a UNIX system, you probably already have the ssh-keygen utility installed. To determine whether it's installed, type ssh-keygen on the command line. If it's not installed, you can download OpenSSH for UNIX from http://www.openssh.com/portable.html and install it.

  • If you're using a Microsoft Windows operating system, you will need PuTTY and the PuTTY Key Generator. Download PuTTY and PuTTYgen from https://www.putty.org and install them.

Creating an SSH Key Pair on the Command Line

  1. Open a shell or terminal for entering the commands.

  2. At the prompt, enter ssh-keygen and provide a name for the key when prompted. Optionally, include a passphrase.

  3. Do one of the following:

    • On UNIX systems:

      Use this command to set the file permissions so that only you can read the private key file:

      chmod 400 private_key_file

      private_key_file is the full path and name of the file that contains the private key associated with the instance you want to access.

    • On a Microsoft Windows system using OpenSSH:

      1. In Windows Explorer, navigate to the private key file, right-click the file, and then click Properties.

      2. On the Security tab, click Advanced.

      3. Ensure that the Owner is your user account.

      4. Click Disable Inheritance, and then select Convert inherited permissions into explicit permissions on this object.

      5. Select each permission entry that is not your user account and click Remove.

      6. Ensure that the access permission for your user account is Full control.

      7. Save your changes.

Creating an SSH Key Pair Using PuTTY Key Generator

Perform this procedure on your Microsoft Windows system.

  1. Open puttygen.exe.

    For example, navigate to C:\Program Files\PuTTY and double-click puttygen.exe.

    The PuTTY Key Generator window opens.

  2. Specify a key size of 2048 bits.

    In the Parameters area at the bottom of the window, enter 2048 in the field for the Number of bits in a generated key.

  3. Click the Generate button.

  4. Move your mouse around the blank area in the PuTTY window to generate random data in the key.

    As you move your mouse, you should see the green progress bar advance.

    When the progress bar is full, the key is generated. Generating the key can take several seconds to several minutes.

    When the key generation is complete, the public key appears in the window under Public key for pasting into OpenSSH authorized_keys file.

  5. Leave the Key passphrase field blank.

  6. Click the Conversions menu at the top of the window, and then click Export OpenSSH key.

    When prompted to save this key without a passphrase, click Yes.

  7. When prompted to save the private key, select a location and name of your choice.

  8. Select all of the generated key that appears under Public key for pasting into OpenSSH authorized_keys file, copy it using Ctrl+C, paste it into a text file, and then save the file in the same location as the private key. (Do not use Save public key because it does not save the key in the OpenSSH format.)

    You can name the key anything you want, but for consistency, use the same name as the private key and a file extension of .pub. For example, mykey.pub.

  9. Do one of the following:

    • On a UNIX system:

      Use the following command to set the file permissions so that only you can read the private key file:

      chmod 400 private_key_file

      private_key_file is the full path and name of the file that contains the private key associated with the instance you want to access.

    • On a Microsoft Windows system:

      1. Navigate to the private key file, right-click on the file, and then click Properties.

      2. On the Security tab, click Advanced.

      3. Ensure that the Owner is your user account.

      4. Click Disable Inheritance, and then select Convert inherited permissions into explicit permissions on this object.

      5. Select each permission entry that is not your user account and click Remove.

      6. Ensure that the access permission for your user account is Full control.

      7. Save your changes.

  10. Note the names and location of your public and private key files. You will need the public key when launching an instance. You will need the private key to access the instance via SSH.

Connecting to a Linux or Oracle Solaris Instance

You can connect to a running instance by using a Secure Shell (SSH) or Remote Desktop connection. Most UNIX systems include an SSH client by default.

Note:

If you created an instance without an SSH key, you can stop the instance, attach the boot volume to a new instance, and configure SSH on the new instance.

Connecting from a UNIX System

  1. Open a terminal window or shell.

  2. Use this command to connect to the instance:

    ssh -i private_key_file username@public-ip-address

    • private_key_file is the full path and name of the file that contains the private key associated with the instance you want to access.

    • username is the default user name for the instance. See Prerequisites.

    • public-ip-address is your instance IP address that you can get from the Compute Web UI. See Get the Instance IP Address.

Connecting from Microsoft Windows Using OpenSSH

  1. Open Windows PowerShell.

  2. Use this command to connect to the instance:

    ssh -i private_key_file username@public-ip-address

    • private_key_file is the full path and name of the file that contains the private key associated with the instance you want to access.

    • username is the default user name for the instance. See Prerequisites.

    • public-ip-address is your instance IP address that you can get from the Compute Web UI. See Get the Instance IP Address.

Connecting from Microsoft Windows Using PuTTY

Use the following procedure if the instance uses a key pair that you created using PuTTY Key Generator as described in Creating an SSH Key Pair Using PuTTY Key Generator.

  1. Open PuTTY.

  2. In the Category pane (on the left), select Session and enter the following:

    • Host Name (or IP address): username@public-ip-address

      • username is the default user name for the instance. For instances launched from images provided with Private Cloud Appliance, the default user name is opc.

      • public-ip-address is your instance IP address.

    • Port: 22

    • Connection type: SSH

  3. In the Category pane, expand Window, and then select Translation.

  4. In the Remote character set drop-down list, select UTF-8. The default locale setting on Linux instances is UTF-8, and this setting configures PuTTY to use the same locale.

  5. In the Category pane, expand Connection, expand SSH, and then click Auth.

  6. Click Browse, and then select your .ppk private key file.

  7. Click Open to start the session.

    If this is your first time connecting to the instance, you might see a message that the server's host key is not cached in the registry. Click Yes to continue the connection.

Tip:

If the connection fails, you might need to update your PuTTY proxy configuration.

Next Actions

The utilities you use to perform the administrative tasks vary depending on the type of OS in the instance. For additional administrative information, refer to the documentation for the OS. These documentation libraries provide helpful information:

Connecting to a Microsoft Windows Instance

You can connect to a Microsoft Windows instance using a Remote Desktop connection. Most Microsoft Windows systems include a Remote Desktop client by default.

Enabling Remote Desktop Protocol Access

To enable Remote Desktop Protocol (RDP) access to the Microsoft Windows instance, you need to add a stateful ingress security rule for TCP traffic on destination port 3389 from source 0.0.0.0/0 and any source port. You can implement this security rule in either a network security group that the Microsoft Windows instance belongs to, or a security list that is used by the instance's subnet.

Using the Compute Web UI

  1. Click Dashboard, and click the Networking/View Virtual Cloud Networks button.

  2. Select the compartment where your VCN is located.

  3. Click the name of the VCN for which you want to enable RDP access.

  4. Perform one of the following actions:

    • Add an ingress security rule to an NSG:

      NSG security rules provide a virtual firewall for cloud resources in the VCN.

      1. On the VCN details page, under Resources, click Network Security Groups.

      2. Click the name of the network security group for which you want to add a rule.

      3. On the network security group details page, under Resources, click Security Rules, and click the Create Security Rules button.

      4. In the Create New Network Security Group Rules dialog, click Allow Rules for Ingress, and enter the following values for the rule:

        • Stateless: Leave the check box empty to indicate stateful.

        • Ingress Type: CIDR

        • Ingress CIDR: 0.0.0.0/0

        • IP Protocol: TCP

        • Source Port Range: Leave empty to indicate All.

        • Destination Port Range: 3389

        • Description: An optional description of the rule.

      5. Click the Create button in the dialog.

    • Add an ingress rule to a VCN security list:

      Security list rules provide a virtual firewall for instances that use this VCN.

      1. On the VCN details page, under Resources, click Security Lists.

      2. Click the name of the security list for which you want to add a rule.

      3. On the security list details page, under Resources, click Ingress Rules, and click the Create Ingress Security Rule button.

      4. In the Create Security List Rule dialog, enter the following values for the rule:

        • Stateless: Leave the check box empty to indicate stateful.

        • Ingress CIDR: 0.0.0.0/0

        • IP Protocol: TCP

        • Source Port Range: Leave empty to indicate All.

        • Destination Port Range: 3389

        • Description: An optional description of the rule.

      5. Click the Create Security List Rule button in the dialog.
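
A security list collects rules over time, so it is useful to see exactly which ingress rules admit TCP port 3389 and from which sources. The following added example (not part of the original documentation) lists those rules, including port ranges and all-protocol rules that cover 3389. The JSON field names follow the shape the OCI CLI prints for a security list and are an assumption here, and the sample data is constructed.

```python
import ipaddress
import json

RDP_PORT = 3389

# Constructed sample. The field names follow the shape the OCI CLI prints for
# a security list and are an assumption; check them against real output.
SAMPLE = json.loads("""
{"data": {"ingress-security-rules": [
  {"description": "ssh", "is-stateless": false, "protocol": "6",
   "source": "0.0.0.0/0",
   "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
  {"description": "rdp", "is-stateless": false, "protocol": "6",
   "source": "0.0.0.0/0",
   "tcp-options": {"destination-port-range": {"min": 3389, "max": 3389}}},
  {"description": "app range", "is-stateless": false, "protocol": "6",
   "source": "10.0.0.0/16",
   "tcp-options": {"destination-port-range": {"min": 3000, "max": 4000}}},
  {"description": "everything", "is-stateless": true, "protocol": "all",
   "source": "0.0.0.0/0"},
  {"description": "udp 3389", "is-stateless": false, "protocol": "17",
   "source": "0.0.0.0/0",
   "udp-options": {"destination-port-range": {"min": 3389, "max": 3389}}}
]}}
""")


def _covers_port(tcp_options, port):
    """True if a TCP rule's destination port range includes the port."""
    if not tcp_options or not tcp_options.get("destination-port-range"):
        return True  # no destination range means all ports
    port_range = tcp_options["destination-port-range"]
    return port_range["min"] <= port <= port_range["max"]


def rdp_exposures(security_list, port=RDP_PORT):
    """Return the ingress rules that let TCP traffic reach the given port."""
    findings = []
    rules = security_list["data"]["ingress-security-rules"]
    for index, rule in enumerate(rules):
        protocol = str(rule.get("protocol", "")).lower()
        if protocol not in ("6", "all"):  # 6 is TCP
            continue
        if protocol == "6" and not _covers_port(rule.get("tcp-options"), port):
            continue
        try:
            source = ipaddress.ip_network(rule.get("source", ""), strict=False)
        except ValueError:
            continue  # source is not a CIDR block
        findings.append({
            "rule": index,
            "description": rule.get("description") or "",
            "source": str(source),
            "any_source": source.prefixlen == 0,  # 0.0.0.0/0 or ::/0
            "stateless": bool(rule.get("is-stateless")),
        })
    return findings


if __name__ == "__main__":
    for finding in rdp_exposures(SAMPLE):
        scope = "ANY SOURCE" if finding["any_source"] else finding["source"]
        print("rule %(rule)d (%(description)s):" % finding, scope)
```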

Connecting with an RDP Client

  1. Open the Remote Desktop client.

  2. In the Computer field, enter the public IP address of the instance. You can retrieve the public IP address from the Compute Web UI. See Get the Instance IP Address.

  3. The User name depends on how the image was configured. If you don't know the user name, consult with your administrator.

    Note:

    Depending on the Remote Desktop client you are using, you might have to connect to the instance before you can enter this credential.

  4. Click Connect to start the session.

  5. Accept the certificate if you are prompted to do so.

  6. If you are connecting to the instance for the first time, enter the initial password that was provided to you by your administrator when you launched the instance. You will be prompted to change the password as soon as you log in. Your new password must be at least 12 characters long and must comply with the Microsoft password policy.

    Otherwise, enter the password that you created. If you are using a custom image, you might need to know the password for the instance that the image was created from.

  7. Press Enter.

Next Actions

The utilities you use to perform the administrative tasks vary depending on the type of OS in the instance. For additional administrative information, refer to the documentation for the OS.

Remotely Troubleshooting an Instance by Using a Console Connection

Important:

Instance console connections are for troubleshooting purposes only. To connect to a running instance for administration and general use, use a Secure Shell (SSH) or Remote Desktop connection as described in Connecting to a Linux or Oracle Solaris Instance and Connecting to a Microsoft Windows Instance.

The following are example situations when you need to remotely troubleshoot an instance:

  • An imported or customized image does not complete a successful boot

  • A previously working instance stops responding

The following is the process to remotely connect to an instance by using a console connection:

  1. Create an instance console connection.

  2. Set up a secure tunnel.

    • To connect to the instance VNC console, set up a secure tunnel to the VNC server on the instance.

    • To connect to the instance serial console, set up a secure tunnel to the serial console device on the instance.

  3. Complete the connection between the local system and the instance.

    • To connect to the instance VNC console, open a VNC viewer such as RealVNC Viewer on the local system.

    • To connect to the instance serial console, open an SSH connection on the local system to the serial console device on the instance. Only one serial connection can be made at one time.

To disconnect from the instance console, close the SSH connection that you initiated on the local host.

Console Connection Prerequisites

Ensure that you have the following resources on the system that you plan to use to connect to the instance console.

  • SSH key pair

    If you do not already have an SSH key pair, you can use the ssh-keygen utility on UNIX systems or PuTTY puttygen.exe on Windows systems. Specify a key size of 2048 bits (this value should be the default). Give the key a name. You do not need to provide a passphrase; using a passphrase makes it more difficult to automate connecting. See also Managing Key Pairs.

  • Command-line shell and SSH client

    On Windows systems, use one of the following:

    • Windows PowerShell

      If you use PowerShell to connect to the VNC server on the instance, plink.exe is required. plink.exe is the command-line connection tool included with PuTTY. You can install PuTTY or install plink.exe separately. For installation information, see https://www.putty.org.

    • Git for Windows

      Git for Windows includes OpenSSH.

    • Windows Subsystem for Linux (WSL)

      WSL includes OpenSSH.

  • VNC viewer to connect to the VNC console

Complete the following configuration on the Private Cloud Appliance where the instance that you need to connect to remotely resides.

  • Ensure that you belong to a group that has the following permissions. See Managing Policies.

    Allow group group_name to manage instance-console-connection in tenancy
    Allow group group_name to read instance in tenancy

  • Create an instance console connection. You will need your SSH key pair. See Creating an Instance Console Connection.

Creating an Instance Console Connection

Before you can connect to an instance VNC console or serial console you need to create an instance console connection.

Note:

Instance console connections are limited to one client at a time. If the client attempts to connect but fails to connect within five minutes, the connection is closed and a different client can connect. During the five-minute timeout, any attempt to connect a different client fails.

The instance console connection resource provides the command that you need to create the secure tunnel. The command is a little different depending on whether your local system is UNIX or Windows and whether you want to connect to the VNC console or the serial console on the instance.

One component that all of these commands have in common is proxy_host. The proxy_host is the IP address of the master management node, which must be running the VM Console Service. The proxy host must be accessible on the public network at proxy_host:443.

Using the Compute Web UI

  1. On the Dashboard click the Compute/View Instances button.

  2. If the instance where you want to create a console connection is not listed, use the Compartment drop-down menu above the instances list to select the correct compartment.

  3. Click the name of the instance where you want to create a console connection.

  4. On the instance details page, scroll to the Resources section and click Console Connection.

  5. If a console connection does not already exist, click the Create Console Connection button.

  6. Provide the public key portion of your SSH key.

    In the Create Console Connection dialog, do one of the following to enter your public SSH key:

    • Select the key file(s).

      • Click inside the Drag and Drop box to open a file browser and select the file.

      • Drag the file from your file browser listing and drop the file on the Drag and Drop box.

    • Paste the public key(s). Copy your public SSH key text, and paste the text into the field.

  7. Click the Create Console Connection button in the dialog.

    When the console connection has been created and is available, the state changes to Active.

Using the OCI CLI

  1. Get the following information:

    • The OCID of the instance where you want to create the console connection: oci compute instance list

    • Your SSH public key file.

  2. Determine whether a console connection already exists for this instance.

    $ oci compute instance-console-connection list -c ocid1.compartment.unique_ID \
    --instance-id ocid1.instance.unique_ID

  3. Run the create console connection command.

    $ oci compute instance-console-connection create --instance-id ocid1.instance.unique_ID \
    --ssh-public-key-file public_SSH_key_path
    {
      "data": {
        "compartment-id": "ocid1.compartment.unique_ID",
        "connection-string": "ssh -i private_SSH_key_path -t -p 443 user_name@proxy_host tty@instance_OCID",
        "defined-tags": {},
        "fingerprint": "SHA256:unique_ID",
        "freeform-tags": {},
        "id": "ocid1.instanceconnectionconsole.unique_ID",
        "instance-id": "ocid1.instance.unique_ID",
        "lifecycle-state": "ACTIVE",
        "service-host-key-fingerprint": null,
        "vnc-connection-string": "ssh -i public_SSH_key_path -p 443 -L local_vnc_port:localhost:remote_vnc_port user_name@proxy_host vnc@ocid1.instance.unique_ID"
      },
      "etag": "afc7eb68-5f1a-40cc-8dc3-8a1cae237230"
    }

    The value of connection-string is the SSH connection string for the instance serial console connection. The value of vnc-connection-string is the SSH connection string for the instance VNC console connection.

    See the beginning of this topic for a description of proxy_host.

  4. When you are finished using this instance console connection, use the following command to delete the connection.

    $ oci compute instance-console-connection delete \
    --instance-console-connection-id ocid1.instanceconnectionconsole.unique_ID

What's Next

Continue to Connecting to the Instance VNC Console or Connecting to the Instance Serial Console.

Connecting to the Instance VNC Console

After you create the instance console connection, set up a secure tunnel to the VNC server on the instance, and connect using a VNC client.

Set Up a Secure Tunnel to the VNC Server

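Use one of the following procedures to set up a secure tunnel to the VNC server on the instance:

  • Connecting to the VNC Console from a Linux or macOS System

  • Connecting to the VNC Console from a Microsoft Windows System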

The VNC console connection uses SSH port forwarding to create a secure connection from your local system to the VNC server attached to your instance's console.

Caution:

Although SSH port forwarding is a secure way to use VNC over the internet, opening a port on a multiuser system makes that port available to all users on that system until a VNC client connects. For this reason, Oracle does not recommend using this method on a multiuser system unless you secure the port or you isolate the VNC client by running it in a virtual environment.

Open a VNC Client

After the secure tunnel is established, open a VNC client on your local system. For example, execute a command such as the following on the local host, or open a VNC client on the local host in some other way.

$ vncviewer localhost:local_vnc_port

Specify localhost as the host to connect to, and set the port to the local_vnc_port port that is listed in the VNC connection string from Creating an Instance Console Connection. The procedures in Connecting to the VNC Console from a Linux or macOS System and Connecting to the VNC Console from a Microsoft Windows System describe how to retrieve this connection string. The default value for local_vnc_port is port 5900.

Note:

Remote management for Remote Desktop on macOS uses port 5900. Because VNC console connections in Private Cloud Appliance also use port 5900, VNC console connections are not compatible with remote management. To use VNC console connections on macOS, disable remote management.

Note:

The macOS built-in VNC client, Screen Sharing.app does not work with VNC console connections in Private Cloud Appliance. Use a different VNC client, such as RealVNC Viewer.

Note:

When you connect, you might see a warning from the VNC client that the connection is not encrypted. Because you are connecting through SSH, the connection is secure, so this warning is not an issue.

Connecting to the VNC Console from a Linux or macOS System

This procedure sets up a secure tunnel to the VNC server on the instance using OpenSSH on a Linux or macOS system. macOS and most Linux and other UNIX operating systems include the SSH client OpenSSH by default.

In addition to native Linux or macOS systems, use this procedure if you are using Git for Windows or Windows Subsystem for Linux.

Use either the Compute Web UI procedure or the OCI CLI procedure to get the VNC connection string from the instance console connection. Then open the VNC client on your local system.

The VNC connection string has the following format:

ssh -i private_key_path -p 443 -L local_vnc_port:localhost:remote_vnc_port user_name@proxy_host vnc@instance_OCID

See Creating an Instance Console Connection for a description of proxy_host.

Using the Compute Web UI

  1. On the Dashboard, click the Compute/View Instances button.

  2. If the instance that you want to remotely connect to is not listed, use the Compartment drop-down menu above the instances list to select the correct compartment.

  3. Click the name of the instance that you want to remotely connect to.

  4. On the instance details page, scroll to the Resources section, and click Console Connection.

  5. For the active console connection, click the Actions menu, and then click Copy VNC Connection for Linux/Mac.

  6. Verify the value of the -i parameter in the copied connection string.

    The -i parameter in the connection string specifies the path to the private key to be used for authentication.

    If necessary, replace the value of the -i parameter with the correct path to your private key file.

  7. Paste the VNC connection string from the preceding step into a terminal window, and then press Enter to set up the secure tunnel.

  8. Go to Open a VNC Client.

Using the OCI CLI

  1. Get the OCID of the console connection for the instance that you want to remotely connect to:

    $ oci compute instance-console-connection list -c ocid1.compartment.unique_ID \
    --instance-id ocid1.instance.unique_ID

  2. Get the VNC connection string for Linux/Mac.

    $ oci compute instance-console-connection get \
    --instance-console-connection-id ocid1.instanceconnectionconsole.unique_ID

    Copy the value of the vnc-connection-string property.

  3. Verify the value of the -i parameter in the copied connection string.

    The -i parameter in the connection string specifies the path to the private key to be used for authentication.

    If necessary, replace the value of the -i parameter with the correct path to your private key file.

  4. Paste the VNC connection string into a terminal window, and then press Enter to set up the secure tunnel.

  5. Go to Open a VNC Client.

Connecting to the VNC Console from a Microsoft Windows System

This procedure sets up a secure tunnel to the VNC server on the instance using PowerShell and .ppk keys on a Microsoft Windows system.

Use either the Compute Web UI procedure or the OCI CLI procedure to get the VNC connection string from the instance console connection. Then open the VNC client on your Windows system.

The VNC connection string has the following format. If you use Windows PowerShell, you must use plink.exe.

plink.exe -ssh -i ppk_private_key_path -P 443 -L local_vnc_port:localhost:remote_vnc_port user_name@proxy_host vnc@instance_OCID

See Creating an Instance Console Connection for a description of proxy_host.

Using the Compute Web UI

  1. On the Dashboard, click the Compute/View Instances button.

  2. If the instance that you want to remotely connect to is not listed, use the Compartment drop-down menu above the instances list to select the correct compartment.

  3. Click the name of the instance that you want to remotely connect to.

  4. On the instance details page, scroll to the Resources section, and click Console Connection.

  5. For the active console connection, click the Actions menu, and then click Copy VNC Connection for Windows.

  6. Verify the value of the -i parameter in the copied connection string.

    The -i parameter in the connection string specifies the path to the .ppk private key to be used for authentication. The default value for this parameter references an environment variable that might not be configured on your Windows client, or it might not represent the location where the private key file is saved.

    Replace the value of the -i parameter with the actual path to your .ppk private key file.

  7. Paste the modified VNC connection string into a Windows PowerShell terminal window, and then press Enter to set up the secure connection.

  8. Go to Open a VNC Client.

Using the OCI CLI

  1. Get the following information:

    • The OCID of the console connection for the instance that you want to remotely connect to:

      $ oci compute instance-console-connection list -c ocid1.compartment.unique_ID \
      --instance-id ocid1.instance.unique_ID

    • The path to your .ppk private key file.

  2. Get the VNC connection string for Windows.

    Run the get plink connection string command:

    $ oci compute instance-console-connection get-plink-connection-string \
    --instance-console-connection-id ocid1.instanceconnectionconsole.unique_ID \
    --private-key-file private_key_file

    The value of the --private-key-file option is the path to the .ppk private key to be used for authentication. This value is inserted into the generated connection string as the value of the -i option.

    Copy this output plink.exe VNC connection string.

  3. Paste the plink.exe VNC connection string into a Windows PowerShell terminal window, and then press Enter to set up the secure tunnel.

  4. Go to Open a VNC Client.

Connecting to the Instance Serial Console

After you create the instance console connection, set up a secure tunnel to the instance serial console. Use an SSH client to connect to the serial console. You can use the same SSH key for the serial console that was used when you launched the instance, or you can use a different SSH key.

Only one serial connection can be made to any given compute instance at one time. Therefore, only one user can connect to the serial console of any given compute instance at one time. A different user at another time can use the same SSH key for the serial console or a different SSH key.

When you are finished with the serial console, terminate the SSH connection and delete the serial console connection.

Set Up a Secure Tunnel to the Serial Console

Use one of the following procedures to set up a secure tunnel to the serial console on the instance:

Validating Server Host Keys

After the secure tunnel is established, connect to the instance serial console by using an SSH client.

When you first connect to the serial console, you are prompted to validate the fingerprint of the server host key. The fingerprint of the server host key is the SHA256 hash of the server host's public SSH key. The server SSH handshake response is signed with the associated private key. Validating the server host key's fingerprint protects against potential attacks.

When you make a manual connection to the serial console, the fingerprint of the server host key is not automatically validated. To manually validate the fingerprint, compare the fingerprint that appears in the terminal when you connect with the fingerprint value that is displayed in the Compute Web UI or in the output from the instance console connection get command.

  • Compute Web UI. Go to the instance details page, scroll to the Resources section, and click Console Connection. The table displays the fingerprint of the server host key.

  • OCI CLI. Check the value of the fingerprint property in the output from the following command:

    $ oci compute instance-console-connection get \
    --instance-console-connection-id ocid1.instanceconnectionconsole.unique_ID
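
The comparison described above can be scripted instead of done by eye. The following is an added example, not part of the product documentation: it derives the SHA256 fingerprint from a host public key line and compares it with the fingerprint property of the get command output. The JSON shape ({"data": {"fingerprint": ...}}), the host name proxy.example, and the sample keys are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json

def sha256_fingerprint(key_line: str) -> str:
    """Fingerprint of a public key line ('type base64 [comment]' or
    'host type base64'), in the SHA256:<base64> form that ssh prints."""
    fields = key_line.split()
    for key_type, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # this field is a host name or comment, not key data
        name_len = int.from_bytes(blob[:4], "big")
        # The blob begins with its own length-prefixed key type, which must
        # agree with the type written in front of it on the line.
        if blob[4:4 + name_len] == key_type.encode():
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no well-formed SSH public key in line")

def expected_fingerprint(cli_output: str) -> str:
    # Assumption: the get command prints {"data": {"fingerprint": "..."}}.
    return json.loads(cli_output)["data"]["fingerprint"]

def _bare(fp: str) -> bytes:
    fp = fp.strip()
    if fp.startswith("SHA256:"):
        fp = fp[len("SHA256:"):]
    return fp.rstrip("=").encode()

def host_key_matches(key_line: str, expected: str) -> bool:
    # Constant-time comparison of the two fingerprints, prefix and padding ignored.
    return hmac.compare_digest(_bare(sha256_fingerprint(key_line)), _bare(expected))

def constructed_key_line(fill: int) -> str:
    # Constructed sample: a well-formed ssh-ed25519 blob with dummy key bytes.
    name = b"ssh-ed25519"
    blob = len(name).to_bytes(4, "big") + name + (32).to_bytes(4, "big") + bytes([fill]) * 32
    return "[proxy.example]:443 ssh-ed25519 " + base64.b64encode(blob).decode()

GOOD_KEY = constructed_key_line(0x11)    # key the appliance reports
OTHER_KEY = constructed_key_line(0x22)   # a different key presented on the wire
CLI_OUTPUT = json.dumps({"data": {"fingerprint": sha256_fingerprint(GOOD_KEY)}})

if __name__ == "__main__":
    want = expected_fingerprint(CLI_OUTPUT)
    for line in (GOOD_KEY, OTHER_KEY):
        verdict = "match" if host_key_matches(line, want) else "MISMATCH, do not accept"
        print(sha256_fingerprint(line), verdict)
```

If the fingerprints do not match, answer no at the host key prompt and do not continue with the connection.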

Connecting to the Serial Console from a Linux or macOS System

This procedure sets up a secure SSH-based communication channel from the local Linux or macOS host to the remote serial console device associated with the instance. macOS and most Linux and other UNIX operating systems include the SSH client OpenSSH by default.

Note:

The minimum version required for OpenSSH to connect to the serial console from Linux and macOS is OpenSSH 7.2.

In addition to native Linux or macOS systems, use this procedure if you are using Git for Windows or Windows Subsystem for Linux.

Use either the Compute Web UI procedure or the OCI CLI procedure to get the serial connection string from the instance console connection.

The serial connection string has the following format:

ssh -i private_key_path -t -p 443 user_name@proxy_host tty@instance_OCID

See Creating an Instance Console Connection for a description of proxy_host.

Using the Compute Web UI

  1. On the Dashboard, click the Compute/View Instances button.

  2. If the instance that you want to remotely connect to is not listed, use the Compartment drop-down menu above the instances list to select the correct compartment.

  3. Click the name of the instance that you want to remotely connect to.

  4. On the instance details page, scroll to the Resources section, and click Console Connection.

  5. For the active console connection, click the Actions menu, and then click Copy Serial Console Connection for Linux/Mac.

  6. Verify the value of the -i parameter in the copied connection string.

    The -i parameter in the connection string specifies the path to the private key to be used for authentication.

    If necessary, replace the value of the -i parameter with the correct path to your private key file.

  7. Paste the serial connection string into a terminal window, and then press Enter to set up the secure tunnel to the serial console device on the instance.

  8. If prompted, validate and accept the fingerprint of the server host key. See Validating Server Host Keys.

  9. Press Enter again to activate the console.

  10. On the Private Cloud Appliance, Reset or Soft Reset the instance. See Stopping, Starting, and Resetting an Instance.

    If the instance is functional and the connection is active, the serial output appears in your console. If serial output does not appear in the console, the instance operating system is not booting.

Using the OCI CLI

  1. Get the OCID of the console connection for the instance that you want to remotely connect to:

    $ oci compute instance-console-connection list -c ocid1.compartment.unique_ID \
    --instance-id ocid1.instance.unique_ID

  2. Get the serial connection string for Linux/Mac.

    $ oci compute instance-console-connection get \
    --instance-console-connection-id ocid1.instanceconnectionconsole.unique_ID

    Copy the value of the console-connection-string property.

  3. Verify the value of the -i parameter in the copied connection string.

    The -i parameter in the connection string specifies the path to the private key to be used for authentication.

    If necessary, replace the value of the -i parameter with the correct path to your private key file.

  4. Paste the serial connection string into a terminal window, and then press Enter to set up the secure tunnel to the serial console device on the instance.

  5. If prompted, validate and accept the fingerprint of the server host key. See Validating Server Host Keys.

  6. Press Enter again to activate the console.

  7. On the Private Cloud Appliance, RESET or SOFTRESET the instance. See Stopping, Starting, and Resetting an Instance.

    If the instance is functional and the connection is active, the serial output appears in your console. If serial output does not appear in the console, the instance operating system is not booting.
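
The "verify the value of the -i parameter" step in both Linux/macOS procedures above can be checked before the string is pasted. This added example (not part of the product documentation) parses a connection string in the documented format, optionally replaces the -i value, and rejects a key file that is missing or readable by group or others. The function name and the sample string are constructed for the example.

```python
import os
import shlex
import stat

# Constructed sample in the format shown on this page.
COPIED = "ssh -i /path/to/private_key -t -p 443 user_name@proxy_host tty@ocid1.instance.unique_ID"

def prepare_serial_command(connection_string, key_path=None):
    """Validate a copied serial connection string and the key file named by
    -i, optionally replacing the -i value. Returns the command to paste."""
    argv = shlex.split(connection_string)
    if len(argv) < 2 or os.path.basename(argv[0]) != "ssh":
        raise ValueError("expected an ssh command line")
    if not argv[-1].startswith("tty@") or "@" not in argv[-2]:
        raise ValueError("expected '... user_name@proxy_host tty@instance_OCID'")
    try:
        slot = argv.index("-i") + 1
    except ValueError:
        raise ValueError("connection string has no -i option") from None
    if key_path is not None:
        argv[slot] = key_path
    key_file = os.path.expanduser(argv[slot])
    info = os.stat(key_file)  # FileNotFoundError if the path is wrong
    if not stat.S_ISREG(info.st_mode):
        raise ValueError(f"{key_file} is not a regular file")
    if info.st_mode & 0o077:
        # OpenSSH ignores private keys that group or others can access.
        mode = stat.S_IMODE(info.st_mode)
        raise PermissionError(f"{key_file} has mode {mode:o}; restrict it to 600")
    return shlex.join(argv)
```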

Connecting to the Serial Console from a Microsoft Windows System

This procedure sets up a secure SSH-based communication channel from the local Microsoft Windows host to the remote serial console device associated with the instance. Use PowerShell and .ppk keys on the local Windows system. Use an SSH client such as OpenSSH to connect to the serial console.

Note:

The minimum version of PuTTY required to connect to the serial console from Windows is 0.75.

Use either the Compute Web UI procedure or the OCI CLI procedure to get the serial connection string from the instance console connection.

The serial connection string has the following format. If you use Windows PowerShell, you must use plink.exe.

plink.exe -ssh -i ppk_private_key_path -t -P 443 user_name@proxy_host tty@instance_OCID

See Creating an Instance Console Connection for a description of proxy_host.

Using the Compute Web UI

  1. On the Dashboard, click the Compute/View Instances button.

  2. If the instance that you want to remotely connect to is not listed, use the Compartment drop-down menu above the instances list to select the correct compartment.

  3. Click the name of the instance that you want to remotely connect to.

  4. On the instance details page, scroll to Resources, and click Console Connection.

  5. For the active console connection, click the Actions menu, and then click Copy Serial Console Connection for Windows.

  6. Verify the value of the -i parameter in the copied connection string.

    The -i parameter in the connection string specifies the path to the .ppk private key to be used for authentication. The default value for this parameter references an environment variable that might not be configured on your Windows client, or it might not represent the location where the private key file is saved.

    Replace the value of the -i parameter with the actual path to your .ppk private key file.

  7. Paste the modified serial connection string into a Windows PowerShell terminal window, and then press Enter to set up the secure tunnel to the serial console device on the instance.

  8. If prompted, validate and accept the fingerprint of the server host key. See Validating Server Host Keys.

  9. Press Enter again to activate the console.

  10. On the Private Cloud Appliance, Reset or Soft Reset the instance. See Stopping, Starting, and Resetting an Instance.

    If the instance is functional and the connection is active, the serial output appears in your console. If serial output does not appear in the console, the instance operating system is not booting.

Using the OCI CLI

  1. Get the following information:

    • The OCID of the console connection for the instance that you want to remotely connect to:

      $ oci compute instance-console-connection list -c ocid1.compartment.unique_ID \
      --instance-id ocid1.instance.unique_ID

    • The path to your .ppk private key file.

  2. Get the serial connection string for Windows.

    Run the get plink connection string command:

    $ oci compute instance-console-connection get-plink-connection-string \
    --instance-console-connection-id ocid1.instanceconnectionconsole.unique_ID \
    --private-key-file private_key_file

    The value of the --private-key-file option is the path to the .ppk private key to be used for authentication. This value is inserted into the generated connection string as the value of the -i option.

    Copy the plink.exe serial connection string from the command output.

  3. Paste the plink.exe serial connection string into a Windows PowerShell terminal window, and then press Enter to set up the secure tunnel to the serial console device on the instance.

  4. If prompted, validate and accept the fingerprint of the server host key. See Validating Server Host Keys.

  5. Press Enter again to activate the console.

  6. On the Private Cloud Appliance, RESET or SOFTRESET the instance. See Stopping, Starting, and Resetting an Instance.

    If the instance is functional and the connection is active, the serial output appears in your console. If serial output does not appear in the console, the instance operating system is not booting.