
Skyhigh Security

Upgrade IMDSv2 for OCI Instance

IMDSv1 (Instance Metadata Service version 1) and IMDSv2 (Instance Metadata Service version 2) are two versions of the service provided by OCI (Oracle Cloud Infrastructure) to allow instances in an OCI environment to retrieve metadata about themselves, such as instance IDs, security group information, or user data. The key difference between IMDSv1 and IMDSv2 lies in the security mechanisms and how requests are handled.

  • IMDSv1 is simpler and less secure, as it does not have any authorization header in the request.
  • IMDSv2 improves security by introducing an authorization header in the request.

Launch SWG OCI Instance with IMDSv1 

To start SWG OCI instances using IMDSv1, disable the Require an authorization header option under the Instance metadata service settings in the instance launch template.

IMDSv1.png

Launch SWG OCI Instance with IMDSv2 

New instances started from old images (SWG image version 12.2.9 or below) with IMDSv2 enforced fail to work, because the SSH keys and the initial UI password are applied incorrectly. IMDSv2 can be strictly enforced on the instance by enabling Require an authorization header under Instance metadata service in the instance launch template. SWG version 12.2.17 or above supports strict IMDSv2 usage.

IMDSv2_1.png

Migrate Existing OCI Instances from IMDSv1 to IMDSv2

To migrate existing SWG OCI instances from IMDSv1 to IMDSv2, perform the following steps:

  1. Open the navigation menu and select Compute.
  2. Under Compute, select Instances.
  3. Click the instance for which you want to disable IMDSv1 requests.
  4. In the Instance Details section, locate Instance metadata service.
  5. Click Edit.
  6. Select the Version 2 only option for Allowed IMDS version.
  7. Click Save changes.

Existing-IMDSv2.png

NOTE: If an SWG instance is launched from image version 12.2.9 or earlier, disabling IMDSv1 may prevent the SSH banner from being prepared correctly. To resolve this after migrating to IMDSv2, replace the add-ssh-banner.sh script located at /usr/local/bin using the latest add-ssh-banner.sh script.

Example: This script is responsible for populating the SSH banner using values retrieved from the metadata service.

SSH banner.png

If the OCI instance was started using SWG image version 12.2.17 or later, it functions normally after migrating from IMDSv1 to IMDSv2.
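The difference between the two request styles described at the top of this page, and the failure mode behind the NOTE above (a script that still queries the v1 endpoint without a header gets nothing back once the instance is set to Version 2 only), can be seen in a small added example. This is illustrative code, not the add-ssh-banner.sh script or any Skyhigh/OCI code: the URL layout (/opc/v1/ and /opc/v2/ on 169.254.169.254) and the `Authorization: Bearer Oracle` header are OCI's documented IMDS conventions, while `v2_only_transport`, its sample metadata values, and the two `*_banner_keys` functions are constructed here to simulate a Version-2-only instance offline.

```python
"""Added example: OCI IMDSv1 vs IMDSv2 request shape, and why a v1-only lookup
fails on an instance switched to "Version 2 only". Not code from the page."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

IMDS_HOST = "http://169.254.169.254"
# OCI IMDSv2 requires this exact header on every request to /opc/v2/.
IMDS_V2_AUTH = "Bearer Oracle"


def build_request(path: str, version: int) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for a metadata lookup under the given IMDS version.

    `path` is relative to the /opc/vN/ root, e.g. "instance/" or
    "instance/metadata/ssh_authorized_keys".
    """
    if version == 1:
        return f"{IMDS_HOST}/opc/v1/{path}", {}          # no authorization header
    if version == 2:
        return f"{IMDS_HOST}/opc/v2/{path}", {"Authorization": IMDS_V2_AUTH}
    raise ValueError(f"unsupported IMDS version: {version}")


# A transport takes (url, headers) and returns (status, body).
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


def http_transport(url: str, headers: Dict[str, str], timeout: float = 2.0) -> Tuple[int, str]:
    """Real transport for use inside an OCI instance (issues the GET)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def fetch_metadata(path: str, version: int, transport: Transport = http_transport) -> Optional[str]:
    """Fetch one metadata value; None when the service refuses or lacks it."""
    url, headers = build_request(path, version)
    status, body = transport(url, headers)
    return body if status == 200 else None


def v2_only_transport(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for an instance set to 'Version 2 only' (assumption,
    not the real service): v1 paths and header-less v2 requests are rejected."""
    if "/opc/v1/" in url:
        return 403, "IMDSv1 disabled"
    if "/opc/v2/" in url and headers.get("Authorization") != IMDS_V2_AUTH:
        return 401, "missing Authorization header"
    # Constructed sample values (placeholder OCID and key), shaped like the real document.
    sample = {
        "id": "ocid1.instance.oc1..PLACEHOLDER",
        "metadata": {"ssh_authorized_keys": "ssh-ed25519 AAAA...example"},
    }
    if url.endswith("/instance/"):
        return 200, json.dumps(sample)
    if url.endswith("/instance/metadata/ssh_authorized_keys"):
        return 200, sample["metadata"]["ssh_authorized_keys"]
    return 404, "not found"


def legacy_banner_keys() -> Optional[str]:
    """Hypothetical old-style lookup (v1, no header), like a pre-12.2.17 banner
    script would do. Against a v2-only instance this yields None, so whatever
    the script populates from it (banner, keys) stays empty."""
    return fetch_metadata("instance/metadata/ssh_authorized_keys", 1, v2_only_transport)


def updated_banner_keys() -> Optional[str]:
    """The v2 lookup an updated script performs; succeeds on a v2-only instance."""
    return fetch_metadata("instance/metadata/ssh_authorized_keys", 2, v2_only_transport)


if __name__ == "__main__":
    print("legacy (v1) lookup :", legacy_banner_keys())
    print("updated (v2) lookup:", updated_banner_keys())
```

To run this against a real instance, pass the default `http_transport` instead of `v2_only_transport`; any script that provisions the instance from metadata (SSH keys, initial password, banner) has to take the v2 branch, which is why the older image versions need the replacement script after the migration.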
