Add and configure an application - Bastionhost - Alibaba Cloud Documentation Center

Add an application to Bastionhost to give O&M engineers controlled browser-based access to internal web applications — without exposing credentials or direct network paths.

Prerequisites

Before you begin, ensure that you have:

An application server added and deployed. See Add and deploy an application server
A remote client added. See Add a remote client

Add an application

Log on to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.
In the bastion host list, find the bastion host you want to manage and click Manage.
In the left-side navigation pane, choose Assets > Applications.
On the Applications tab, click Create Application.

In the panel that appears, configure the following parameters and click OK.

Parameter	Description
Application Name	A display name for the application. Must be 1–128 characters, cannot start with a special character, and can contain periods (.), underscores (_), hyphens (-), backslashes (\\), and spaces.
Application Server	The application server that proxies traffic to the application.
Associate Remote Client	The remote client (browser environment) used for O&M sessions.
Application Type	Set automatically based on the selected remote client.
Destination URL	(Google Chrome remote clients only) The URL that opens automatically when an O&M session starts.
O&M Access Rules	(Google Chrome remote clients only) Access control rules for the O&M session. See Configure O&M access rules below.

Configure O&M access rules

If the associated remote client is Google Chrome, configure the following access controls:

Only Same URLs as Destination IP Addresses/Domain Names Are Allowed: Turn on this switch to restrict O&M engineers to URLs that match the destination IP address or domain name, plus any URLs explicitly allowed in the rules below.
Blacklist/Whitelist: Add specific URLs to a blacklist (deny access) or whitelist (allow access).

Example: If Destination URL is https://example.com, the switch is on, and https://example.com/help is in the blacklist, engineers can access all resources under https://example.com except those in the /help directory.

Enable automatic logon to a web application

If the associated remote client is Google Chrome or Mozilla Firefox, configure autofill so that O&M engineers can log on to the web application without manually entering credentials. Autofill works by running a script that locates the username field, password field, and logon button, then fills them in using a stored application account.

Autofill does not work for web applications that require CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) verification. For web applications that require a verification code, engineers still need to enter the code manually after the username and password are filled in automatically.

Setting up autofill involves two tasks:

Generate an autofill script using the browser plug-in.
Create an application account to store the credentials.

Generate an autofill script

The browser plug-in runs only in Google Chrome, but the autofill scripts it generates work for applications in both Google Chrome and Mozilla Firefox.

Log on to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.
In the bastion host list, find the bastion host you want to manage and click Manage.
In the left-side navigation pane, choose Assets > Applications.
On the Applications tab, find the web application and click Edit in the Actions column.
On the Application Configurations tab, click Download the browser plug-in. Save the package to your local machine and decompress it.
Add the plug-in to your Google Chrome extensions by uploading the extracted extension file, then run the plug-in.
Open the logon page of the web application in Google Chrome, click the plug-in, and then click Start. The following figure shows an example logon page for Resource Access Management (RAM) users:
As prompted, right-click the username input box, the password input box, and the logon button in sequence to capture the information needed for the script.
- Right-click the username input box:
- Right-click the password input box:
- Right-click the logon button:
The plug-in generates an autofill script and copies it to your clipboard. Go back to the Application Configurations tab in the Bastionhost console, paste the script in the Autofill Script section, and click Update.

Create an application account

Store the credentials that autofill will use when engineers start an O&M session.

Log on to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.
In the bastion host list, find the bastion host you want to manage and click Manage.
In the left-side navigation pane, choose Assets > Applications.
On the Applications tab, find the application and click Edit in the Actions column.
On the Application Account tab, click Create Application Account. In the Create Application Account panel, specify the logon name and password and then click OK.

More operations

Task	Steps
Edit an application	On the Applications tab, find the application and click Edit in the Actions column. You can change information such as the application name and associated application server.
Delete an application	On the Applications tab, find the application and click Delete in the Actions column.