
Important: This documentation space contains information about the SaaS version of BMC Helix Discovery. If you are using the on-premises version of BMC Helix Discovery, see BMC Helix Discovery 25.2 (On-Premises).

Discovering hosts in OCI by using OCI bastion


Discovering hosts in Oracle Cloud Infrastructure (OCI) by using OCI bastion enables you to perform detailed discovery of Linux hosts running in OCI without requiring further credentials. The OCI bastion also supports Windows hosts, though a PowerShell credential is required for the targets.

Discovering a Linux host in OCI uses an existing OCI credential to access the OCI bastion. The OCI bastion establishes an SSH session to Linux hosts, and creates a managed SSH session to discover the target hosts.

Discovering a Windows host in OCI uses an existing OCI credential to access the OCI bastion. The OCI bastion uses SSH port forwarding to access the Windows host using Windows PowerShell. The credential used to access the Windows host is a normal BMC Helix Discovery Windows PowerShell credential that must be valid for the scanned IP address.

Where the OCI bastion cannot establish a managed SSH session to Linux hosts, the session falls back to a port-forwarding SSH session to access the host. SSH port forwarding requires a valid SSH credential for the scanned IP address.

The benefits of using OCI bastion to discover hosts in OCI are as follows:

  • Your OCI estate's Linux hosts can be discovered using your existing OCI credentials.
  • The OCI estate's Windows hosts can be discovered using the OCI bastion, though it needs a Windows host credential. 
  • Irrespective of how your OCI deployment's network is segmented, the single OCI credential enables you to discover all of it.

When you discover hosts by using the OCI bastion, the target is known to be hosted in OCI, so cloud detection is disabled, and only the appropriate methods are used. In a normal IP scan of a host, cloud detection is used to determine whether the target is cloud-hosted and, if so, to detect the cloud provider. 

An OCI bastion is associated with a single Virtual Cloud Network (VCN). You cannot create a bastion in one VCN and then use it to access target resources in a different VCN. 

This section introduces OCI Bastion.

OCI bastion overview

OCI bastion enables you to access target resources without public endpoints. Authorized users can connect from specific IP addresses to target resources using Secure Shell (SSH) sessions. When connected, users can interact with the target resource by using any SSH-supported software or protocol. 

Setting up OCI bastion permissions

Before you can discover hosts by using the OCI bastion, you must create a policy that grants the use bastion and manage bastion-session permissions to the group used by BMC Helix Discovery:

Allow group discovery to use bastion
Allow group discovery to manage bastion-session

The bastion plugin must be enabled in the Oracle Cloud Agent for a managed SSH session with a Linux host.
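
A pre-flight check for the two grants above, as an added example (not BMC or Oracle code): it parses policy statements and reports which required grants are missing for the group and which statements are broader than needed. The group name discovery comes from this page; the sample statements, the compartment name prod, and the treatment of the bastion-family and all-resources aggregates and of where conditions are assumptions of this example.

```python
import re

# OCI policy verbs, weakest to strongest; a stronger verb includes the weaker ones.
VERBS = ["inspect", "read", "use", "manage"]
# Grants this page requires for the Discovery group: (minimum verb, resource type).
REQUIRED = [("use", "bastion"), ("manage", "bastion-session")]
# Aggregate resource types that also cover the two bastion types (wider than needed).
AGGREGATES = {"bastion-family", "all-resources"}

STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+(?P<rtype>[\w-]+)"
    r"(?:\s+in\s+(?P<location>.+?))?(?:\s+where\s+(?P<cond>.+))?\s*$",
    re.IGNORECASE)

def parse(statement):
    """Split one 'Allow group ...' statement into its parts, or return None."""
    m = STATEMENT.match(statement)
    if not m or m["verb"].lower() not in VERBS:
        return None
    grant = m.groupdict()
    grant.update(verb=grant["verb"].lower(), rtype=grant["rtype"].lower(), text=statement.strip())
    return grant

def covers(grant, need_verb, need_type):
    """True if the grant's verb and resource type include the required pair."""
    type_ok = grant["rtype"] == need_type or grant["rtype"] in AGGREGATES
    return type_ok and VERBS.index(grant["verb"]) >= VERBS.index(need_verb)

def audit(statements, group):
    """Return (missing grants, overly broad statements); 'where'-limited grants are not counted."""
    grants = [g for g in map(parse, statements) if g and g["group"] == group]
    missing = [f"{v} {t}" for v, t in REQUIRED
               if not any(covers(g, v, t) and not g["cond"] for g in grants)]
    broad = [g["text"] for g in grants if g["rtype"] in AGGREGATES
             or (g["verb"], g["rtype"]) == ("manage", "bastion")]
    return missing, broad

# Constructed sample: the two statements exactly as given on this page.
PAGE_POLICY = ["Allow group discovery to use bastion",
               "Allow group discovery to manage bastion-session"]
# Constructed sample of a drifted policy: verb too weak, grant conditional, wrong group.
DRIFTED_POLICY = [
    "Allow group discovery to read bastion in compartment prod",
    "Allow group discovery to manage bastion-session in compartment prod where request.region = 'phx'",
    "Allow group admins to manage all-resources in tenancy",
]

if __name__ == "__main__":
    print(audit(PAGE_POLICY, "discovery"), audit(DRIFTED_POLICY, "discovery"))
```

A conditional grant is reported as missing on purpose, so that a reviewer confirms by hand that the condition still lets BMC Helix Discovery reach every bastion it scans through.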

For further information about OCI bastion permissions, see the following OCI documentation:

Discovering OCI hosts by using an OCI bastion

You do not need to add any OCI bastion-specific information to an OCI credential. However, some Bastion Sessions options might need modification if you experience connection problems. See add a new OCI discovery run.

Scope

For IP addresses scanned through an OCI bastion, the scope of each IP address is set to the ID of the Virtual Cloud Network that both the IP address and the bastion are in.

 

 
