Discovering hosts in OCI by using OCI bastion


Discovering hosts in Oracle Cloud Infrastructure (OCI) by using OCI bastion enables you to perform detailed discovery of Linux hosts running in OCI without requiring further credentials. The OCI bastion also supports Windows hosts, though a PowerShell credential is required for the targets.

Discovering a Linux host in OCI uses an existing OCI credential to access the OCI bastion. The OCI bastion creates a managed SSH session to each Linux host and uses that session to discover the target host. When connected, you can interact with the target resource by using any software or protocol supported by SSH.

Discovering a Windows host in OCI uses an existing OCI credential to access the OCI bastion. The OCI bastion uses SSH port forwarding to access the Windows host using Windows PowerShell. The credential used to access the Windows host is a normal BMC Helix Discovery Windows PowerShell credential that must be valid for the scanned IP address.

Where the OCI bastion cannot establish a managed SSH session to Linux hosts, the session falls back to a port-forwarding SSH session to access the host. SSH port forwarding requires a valid SSH credential for the scanned IP address.

The benefits of using OCI bastion to discover hosts in OCI are as follows:

  • Your OCI estate's Linux hosts can be discovered using your existing OCI credentials.
  • The OCI estate's Windows hosts can be discovered using the OCI bastion, though it needs a Windows host credential. 
  • Irrespective of how your OCI deployment's network is segmented, the single OCI credential enables you to discover all of it.

When you discover hosts by using the OCI bastion, the target is known to be hosted in OCI, so cloud detection is disabled, and only the appropriate methods are used. In a normal IP scan of a host, cloud detection is used to determine whether the target is cloud-hosted and, if so, to detect the cloud provider. 

An OCI bastion is associated with a single Virtual Cloud Network (VCN). You cannot create a bastion in one VCN and then use it to access target resources in a different VCN. 

This section introduces OCI Bastion.

OCI bastion overview

OCI bastion enables you to access target resources without public endpoints. Authorized users can connect from specific IP addresses to target resources using Secure Shell (SSH) sessions. When connected, users can interact with the target resource by using any SSH-supported software or protocol.
To create a bastion instance to discover hosts in OCI

There are prerequisites for using a bastion to scan Linux and Windows hosts.

Prerequisites for Linux hosts

Make sure that the Bastion plugin is enabled in Management and is running on target Linux hosts.

Prerequisites for Windows hosts

To scan Windows OCI compute instances by using OCI Bastion with PowerShell:

  1. In BMC Discovery, create PowerShell credentials for the specific Windows hosts and users. 
  2. Enable remote PowerShell on the target Windows OCI host by running the PowerShell command Enable-PSRemoting -Force.
  3. You need to manage Windows passwords and users on your side, so develop and maintain a password management plan for Windows hosts that you want to scan. Note that when a Windows host is created, it is automatically assigned a password, so make sure to change and store it securely.

To create the bastion

After you have fulfilled the prerequisites: 

  1. Create a bastion in the target VCN. See Creating a bastion for more information.
  2. Verify access by checking that the target resource allows incoming traffic from the bastion.
Important

If no Windows hosts are discovered, verify all the prerequisites and try increasing the Session Connection Delay value in the OCI credentials settings.

Setting up OCI bastion permissions

Before you can discover hosts by using the OCI bastion, you must create a policy that grants the following permissions, including use bastions and manage bastion-session, to the group used by BMC Helix Discovery:

Allow group DiscoveryUsers to use bastions
Allow group DiscoveryUsers to read instances
Allow group DiscoveryUsers to read vcn
Allow group DiscoveryUsers to manage bastion-session
Allow group DiscoveryUsers to read subnets
Allow group DiscoveryUsers to read instance-agent-plugins
Allow group DiscoveryUsers to read vnic-attachments
Allow group DiscoveryUsers to read vnics

The bastion plugin must be enabled in the Oracle Cloud Agent for a managed SSH session with a Linux host.
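The following is an added example, not part of the BMC or OCI documentation: a small check that parses OCI policy statements and reports which of the grants listed above are missing for the discovery group, and which statements grant more than the required verb (OCI verbs are cumulative, inspect < read < use < manage). The group name DiscoveryUsers is the page's example; the sample statements in the test are constructed.

```python
import re

# Required statements, exactly as listed on this page (group name is the page's example).
REQUIRED = [
    "Allow group DiscoveryUsers to use bastions",
    "Allow group DiscoveryUsers to read instances",
    "Allow group DiscoveryUsers to read vcn",
    "Allow group DiscoveryUsers to manage bastion-session",
    "Allow group DiscoveryUsers to read subnets",
    "Allow group DiscoveryUsers to read instance-agent-plugins",
    "Allow group DiscoveryUsers to read vnic-attachments",
    "Allow group DiscoveryUsers to read vnics",
]

# OCI verbs are cumulative: manage includes use, which includes read, which includes inspect.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
RANK_VERB = {rank: verb for verb, rank in VERB_RANK.items()}

# Simple "Allow group <g> to <verb> <resource> [in tenancy | in compartment <c>]" form.
_STMT = re.compile(
    r"^allow\s+group\s+(\S+)\s+to\s+(inspect|read|use|manage)\s+(\S+)"
    r"(?:\s+in\s+(?:tenancy|compartment\s+\S+))?\s*$",
    re.IGNORECASE,
)


def parse_statement(stmt):
    """Return (group, verb, resource) or None if the statement is not in the simple form."""
    m = _STMT.match(stmt.strip())
    if not m:
        return None
    group, verb, resource = m.groups()
    return group, verb.lower(), resource.lower()


def check_policy(statements, group="DiscoveryUsers"):
    """Return (missing, excessive): required grants not covered, and grants stronger than required."""
    granted = {}  # resource -> strongest verb rank granted to the group
    for stmt in statements:
        parsed = parse_statement(stmt)
        if parsed is None or parsed[0] != group:
            continue
        _, verb, resource = parsed
        granted[resource] = max(granted.get(resource, -1), VERB_RANK[verb])
    missing, excessive = [], []
    for req in REQUIRED:
        _, verb, resource = parse_statement(req)
        have = granted.get(resource, -1)
        if have < VERB_RANK[verb]:
            missing.append(f"{verb} {resource}")
        elif have > VERB_RANK[verb]:
            excessive.append(f"{resource}: have {RANK_VERB[have]}, need {verb}")
    return missing, excessive
```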

For further information about OCI bastion permissions, see the following OCI documentation:

Discovering OCI hosts by using an OCI bastion

You need not add any OCI bastion-specific information to an OCI credential. However, some Bastion Session options might need modification if you experience connection problems.

Scope

For IP addresses scanned through an OCI bastion, the scope of each IP address is set to the ID of the Virtual Cloud Network that it and the bastion are in.