Enabling access to data

In the following data protection scenarios, you must enable access to data by assigning credential groups to instances in R‑Cloud:

Guest OS   Data protection scenario

Any        You plan to use the default view when restoring individual files or folders.

           Note  If access to the data is enabled at the time of the restore (and not before the backup), individual files or folders can only be restored by using the filesystem view.

           For details about the views that are available during the restore, see Restoring individual files or folders.

Linux      • You plan to protect SAP HANA applications.

           • You plan to use pre‑snapshot or post‑snapshot scripts and run them with a user account that you specify.

Windows    You plan to use pre‑snapshot or post‑snapshot scripts.

Enabling access to instances

To enable access to instances, you must perform the following tasks:

  1. Configure the port settings on the instances. For instructions, see Configuring port settings on instances.

  2. Configure credential groups. For instructions, see Configuring credential groups.

  3. Assign credential groups to the instances. For instructions, see Assigning credential groups.

Configuring port settings on instances

The following table lists the inbound ports that you must open on each instance by configuring and applying a network firewall rule:

Guest OS   Network service protocol   Port   Transport protocol
Linux      SSH                        22     N/A
Windows    WinRM                      5986   HTTPS
Windows    WinRM                      5985   HTTP

For instructions on how to configure and apply the network firewall rule, see AWS or Google Cloud documentation.

Note  For Google Cloud instances: Optionally, you can make the network firewall rule more restrictive so that it allows network traffic only from legitimate sources and to legitimate targets. To do so, add hycu-network-tag to the network firewall rule.

Configuring credential groups

Prerequisites

  • A user account with sufficient privileges must be configured within each instance:

    • For Windows: User from the Administrators group

    • For Linux: User with sudo privileges and the NOPASSWD option set

    For details on how to do this, see AWS or Google Cloud documentation.

  • For Linux instances:

    • Ensure the following within the instance:

      • The specified user account must be a member of the sudo user group.

      • The following line must be included in the /etc/sudoers file:

        <UserName> ALL=(ALL) NOPASSWD: /opt/hycu/tmp/discoverLinuxMountPointDiskMapping.sh*, /opt/hycu/tmp/hycuflr*, /usr/bin/mount, /usr/bin/umount, /usr/bin/mkdir, /usr/bin/rmdir, /usr/bin/rm

    • Only if you want R‑Cloud to access the instance by using a specific user account with password authentication. The SSH server must be configured to allow password authentication for signing in to the instance.

    • For Ubuntu 22.04 instances that have RSA key-based authentication configured:

      You must add the PubkeyAcceptedKeyTypes=+ssh-rsa parameter to the /etc/ssh/sshd_config file, and then restart the SSH service by running the systemctl restart ssh.service command.
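
The following check is an added example, not vendor code: it compares a user's NOPASSWD grant in a sudoers file with the command list from the sudoers line above and prints anything broader, such as ALL. The account names and the sample file are constructed, and the parser assumes single-line entries without aliases.

```bash
#!/usr/bin/env bash
# Added example (not vendor code): compare a user's NOPASSWD grant with the
# command list in the documented sudoers line. Assumes single-line entries.

# Command list copied from the sudoers line in the documentation above.
DOCUMENTED_CMDS='/opt/hycu/tmp/discoverLinuxMountPointDiskMapping.sh*
/opt/hycu/tmp/hycuflr*
/usr/bin/mount
/usr/bin/umount
/usr/bin/mkdir
/usr/bin/rmdir
/usr/bin/rm'

# Print each NOPASSWD command granted to user $1 in file $2, one per line.
granted_cmds() {
  grep -E "^[[:space:]]*$1[[:space:]]+.*NOPASSWD:" "$2" |
    sed -E 's/^.*NOPASSWD:[[:space:]]*//' | tr ',' '\n' |
    sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d'
}

# Exit status: 0 = grant stays within the documented list, 1 = broader
# (extra commands printed to stdout), 2 = no NOPASSWD entry for the user.
audit_sudoers_entry() {
  local granted extra cmd
  granted=$(granted_cmds "$1" "$2")
  [ -n "$granted" ] || return 2
  # Fixed-string, whole-line matching keeps '*' and 'ALL' literal.
  extra=$(printf '%s\n' "$granted" | while IFS= read -r cmd; do
    printf '%s\n' "$DOCUMENTED_CMDS" | grep -Fxq -- "$cmd" || printf '%s\n' "$cmd"
  done)
  [ -z "$extra" ] && return 0
  printf '%s\n' "$extra"
  return 1
}

# Constructed sample input; both account names are hypothetical.
sample=$(mktemp)
cat > "$sample" <<'EOF'
hycubackup ALL=(ALL) NOPASSWD: /opt/hycu/tmp/discoverLinuxMountPointDiskMapping.sh*, /opt/hycu/tmp/hycuflr*, /usr/bin/mount, /usr/bin/umount, /usr/bin/mkdir, /usr/bin/rmdir, /usr/bin/rm
opsadmin ALL=(ALL) NOPASSWD: ALL
EOF
audit_sudoers_entry hycubackup "$sample" && echo "hycubackup: matches documented list"
audit_sudoers_entry opsadmin "$sample" || echo "opsadmin: grant is broader than documented"
rm -f "$sample"
```

On a real instance, run visudo -c first so that the file being audited is known to be syntactically valid.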

Limitation

Only if you use the SSH protocol with public key authentication. If keys are generated with PuttyKeyGen or ssh-keygen using the legacy PEM format, only DSA and RSA keys are supported.

Procedure

  1. In the Instances panel, select the instance to which you want to assign a credential group.

  2. Click Credentials. The Credential Groups dialog box opens.

  3. Click New.

  4. In the Credential group name field, enter a name for the credential group.

  5. From the Protocol drop-down menu, select one of the following protocol options:

    Protocol option Instructions
    Automatic

    Select this option if you want R‑Cloud to automatically select a protocol for accessing the instance, either the SSH protocol (TCP port 22) or the WinRM protocol (TCP port 5985, HTTP transport), and then enter the user name and password of a user account that has the required permissions to access the instance.

    Use the following format for the user name:

    • Linux: <LocalOrDomainUserName>

    • Windows: <LocalUserName>, <Domain>\<DomainUserName>, <DomainUserName>@<Domain>

    SSH

    Select this option if you want to use the SSH protocol for accessing the instance, and then do the following:

    1. In the Port field, enter the SSH server port number.
    2. From the Authentication drop-down menu, select the type of authentication you want to be used, and then provide the required information:

      Password authentication

      Enter the user name (in the <LocalOrDomainUserName> format) and password of a user account that has the required permissions to access the instance.

      Public key authentication

      Do the following:

      1. Enter the user name (in the <LocalOrDomainUserName> format) and password of a user account that has the required permissions to access the instance.
      2. Click Browse. Browse for and then select the file with the private key and click Open.

        For information on how to obtain the private key, see Google Cloud or AWS documentation.

      3. Only if the private key is encrypted. Enter the private key passphrase.

      Important  This selection is mandatory in cases where the SSH server is configured to use public key authentication.

    WinRM

    Select this option if you want to use the WinRM protocol for accessing the instance and adjust the credential group to match the actual WinRM server configuration, and then do the following:

    1. From the Transport drop-down menu, select the transport protocol of the WinRM server in the instance.

    2. In the Port field, enter the WinRM server port number.

    3. Enter the user name and the password of a user account that has the required permissions to access the instance. Use the <LocalOrDomainUserName> format for Google Cloud, or the <localuser>, <domain>\<user>, or <user>@<domain> format for AWS.

  6. Click Save.

The name of the credential group appears in the list of credential groups in the Credential Groups dialog box.

You can also edit any of the existing credential groups (select a credential group, click Edit, and then make the required modifications) or delete the ones that you do not need anymore (select a credential group, and then click Delete).

Assigning credential groups

You can assign credential groups to instances by using the R‑Cloud web user interface or by using labels or metadata tags. Depending on how you want to assign the credential groups to the instances, see the following topics:

Assigning credential groups by using the R‑Cloud web user interface

Procedure

  1. In the Instances panel, select the instances to which you want to assign a credential group.

  2. Click Credentials. The Credential Groups dialog box opens.

  3. From the list of credential groups, select the credential group that you want to assign to the selected instances, and then click Assign.

The name of the assigned credential group appears in the Credential group column of the Instances panel. R‑Cloud performs instance and application discovery after you assign the credentials to the instance. The Discovery status in the Instances and Applications panels is updated accordingly.

Tip  If several instances share the same user name and password, you can use multiple selection to assign the same credential group to them.

To unassign a credential group from an instance, in the Instances panel, select the instance, click Credentials, and then click Unassign.

Assigning credential groups by using labels or metadata tags

You can assign a credential group to an instance by adding the hycu-credential-group tag to the instance in Amazon EC2 or Google Compute Engine as a label or a metadata tag. Use the following name/value pair:

Name Value
hycu-credential-group <CredentialGroupName>

In this case, <CredentialGroupName> is the name of the credential group that you want to assign to the instance.

The credential group is automatically assigned to the instance during the next instance synchronization in R‑Cloud.