Oracle record

/api/2.0/fo/auth/oracle/

[POST]

Create, update, list and delete Oracle records and Oracle system record templates for authenticated scans of Oracle instances. Vulnerability and compliance scans are supported (using VM, PC).

System created authentication records - You can allow the system to create Oracle authentication records for auto discovered instances and scan them. This is supported for Unix installations only. To enable this feature, you must first create Oracle System Record Templates using the is_template input parameter and specifying login credentials. See System created Oracle authentication records.

How it works - During scanning we'll authenticate to one or more instances on a single host using all Oracle records in your account. For compliance scans, you can scan multiple Oracle instances on a single host and port combination. Looking for more help? Search for "Oracle Use Cases" in Qualys online help.

Requirement - You must configure login credentials on target hosts before scanning.

Download Qualys User Guide - Oracle Authentication for VM Scans (.zip)

Download Qualys User Guide - Oracle Authentication for Compliance Scans (.zip)

Input Parameters

Parameter

Description

action={action}

(Required) Specify create, update, delete (using POST) or list (using GET or POST). See List Auth Records for type

echo_request={0|1}

(Optional) Specify 1 to view (echo) input parameters in the XML output. By default these are not included.

ids={value}

(Required to update or delete record) Record IDs to update/delete. Specify record IDs and/or ID ranges (for example, 1359-1407). Multiple entries are comma separated.

title={value}

(Required to create record, optional to update record) A title for the record. The title must be unique. Maximum 255 characters (ascii).

comments={value}

(Optional to create or update record) User defined comments. Maximum of 1999 characters.

is_template={0|1}

(Optional for create request, not valid for update request) By default, a new record is a regular Oracle record. Specify 1 to create an Oracle system record template. You must also specify login credentials, which are described below. See System created Oracle authentication records.

status={0|1}

(Optional) The record status, active or inactive. By default, a new record is set to active (1). Set to 0 for inactive record or 1 for active record. (This parameter applies to system created and user created Oracle records. It cannot be specified for Oracle system record templates.)

save_as_user_auth={0|1}

(Optional for update request, not valid for create request) Specify 1 to update a system created record and save it as a user created record. If another Oracle record already exists with the same IP address and target configuration then an error will be returned. (This parameter applies only to system created Oracle records. It cannot be specified for user created Oracle records and it cannot be specified for Oracle system record templates.)

is_cdb={0|1}

(Optional) Indicates whether the database is a Container Database (CDB). Specify 1 if the database is a CDB or 0 (the default) if the database is not a CDB. When not specified, we'll use is_cdb=0.
Identifying the Oracle database as CDB ensures the right compliance checks are performed for multitenant technologies. Also, when the database is a CDB, we auto-discover all Pluggable Databases (PDBs) within the container environment, and scan them for compliance. This saves you from having to create separate, additional Oracle records for each PDB instance.

When you list Oracle authentication records with details=All or details=Basic, you will see the IS_CDB value in the XML output for each record.

Login Credentials


login_type={basic|vault}

(For create request, password or login_type=vault is required) Login type can be basic (default) or vault. Set to vault if a third party vault will be used to retrieve the password. Vault parameters need to be provided in the record.

username={value}

(Required to create record, optional to update record) The user account to be used for authentication to the Oracle database. The username may include 1-31 characters (ascii).

password={value}

(Required to create record, optional to update record) The password corresponding to the user account defined in the record for authentication. Maximum 100 characters (ascii).

vault_id={value}

(Required to create record, optional to update record) The vault ID from which you want to retrieve the password. Certain vaults support this capability.

vault_type={value}

(Required if login_type=vault) The third party vault to be used to retrieve the password for login. Certain vaults support this capability. See our latest Vault Support Matrix.

{vault parameters}

(Required only when action=create and login_type=vault) The vault specific parameters required depend on the vault type you've selected. See Vault Parameters.

servicename={value}

(Optional to create or update record) The Oracle service name that identifies the database instance to be authenticated to. A maximum of 30 characters may be specified.

The parameters sid and servicename cannot be specified in the same request.

port={value}

(Optional to create record) The port number that the Oracle database instance is running on. When not specified, the "All Ports" option is used and the scanning engine will authenticate to the database instance on each port that the Oracle service is detected on. See Ports used for Oracle authentication below.

These parameters are mutually exclusive: instance and auto_discover_instances=1.

pc_only={0|1}

(Optional to create record, valid when the compliance module is enabled) Specify 1 to perform compliance scans on multiple instances running on the host and port combinations in this record. This parameter must be specified if this Oracle record has a host and port combination that is already defined in another record. Note, however, that when pc_only=1 is specified the record will be used for compliance scans only. When not specified, the record will be used for both vulnerability scans and compliance scans.

Target Hosts


ips={value}

(Required to create record) The IP address(es) the server will log into using the record’s credentials. Multiple entries are comma separated.

(Optional to update record) IPs specified will overwrite existing IPs in the record, and existing IPs will be removed.

This parameter and the add_ips parameter or the remove_ips parameter cannot be specified in the same request.

add_ips={value}

(Optional to update record) Add IPs and/or ranges to the IPs list for this record. Multiple IPs/ranges are comma separated.

This parameter and the ips parameter cannot be specified in the same request.

remove_ips={value}

(Optional to update record) IPs to be removed from your record. You may enter a combination of IPs and ranges. Multiple entries are comma separated.

This parameter and the ips parameter cannot be specified in the same request.

network_id={value}

(Optional to create or update record, and valid when the networks feature is enabled) The network ID for the record.

OS Parameters Windows

OS Parameters are used for compliance scans only.

perform_windows_os_checks={0|1}

(Optional) Specify 1 to perform OS-dependent compliance checks for the Oracle technology during Windows authenticated compliance scans. These checks are assigned to the control category "Database Settings" in the sub-category "DB OS-dependent Controls".

win_ora_home_name={value}

(Required if perform_windows_os_checks=1 is specified, otherwise invalid) The Windows Oracle Home name. Example: OraHome1

win_ora_home_path={value}

(Required if perform_windows_os_checks=1 is specified, otherwise invalid) The Windows Oracle Home path.

Example: c:\Program Files\Oracle\10

win_init_ora_path={value}

(Required if perform_windows_os_checks=1 is specified, otherwise invalid) The pathname to the Windows init(SID).ora file.

Example: c:\Program Files\oracle\dbs\initORA10.ora

win_spfile_ora_path={value}

(Required if perform_windows_os_checks=1 is specified; otherwise invalid) The pathname to the Windows spfile(SID).ora file.

Example: c:\Program Files\oracle\network\admin\spfileORA10.ora

win_listener_ora_path={value}

(Required if perform_windows_os_checks=1 is specified; otherwise invalid) The pathname to the Windows listener.ora file.

Example: c:\Program Files\oracle\network\admin\listener.ora

win_sqlnet_ora_path={value}

(Required if perform_windows_os_checks=1 is specified; otherwise invalid) The pathname to the Windows sqlnet.ora file.

Example: c:\Program Files\oracle\network\admin\sqlnet.ora

win_tnsnames_ora_path={value}

(Required if perform_windows_os_checks=1 is specified; otherwise invalid) The pathname to the Windows tnsnames.ora file.

Example: c:\Program Files\oracle\network\admin\tnsnames.ora

OS Parameters Unix

OS Parameters are used for compliance scans only.

perform_unix_os_checks={0|1}

(Optional) Specify 1 to perform OS-dependent compliance checks for the Oracle technology during Unix authenticated compliance scans. These checks are assigned to the control category "Database Settings" in the sub-category "DB OS-dependent Controls".

perform_unix_opatch_checks={0|1}

(Optional) Specify 1 to perform OPatch checks using the OPatch binary to return a list of all installed patches for the Oracle instance.

When perform_unix_os_checks=1 is specified and perform_unix_opatch_checks=0 is specified (or perform_unix_opatch_checks is not specified), the service reads patch information from the Oracle database directly. Information in the database may not be accurate, so the list of installed patches returned by the service may also be inaccurate.

unix_ora_home_path={value}

(Required if perform_unix_os_checks=1 and/or perform_unix_opatch_checks=1 is specified, otherwise invalid) The Unix Oracle Home path.

Example: /usr/opt/oracle/10

unix_init_ora_path={value}

(Required if perform_unix_os_checks=1 and/or perform_unix_opatch_checks=1 is specified, otherwise invalid) The pathname to the Unix init(SID).ora file.

Example: /usr/opt/oracle/dbs/initORA10.ora

unix_spfile_ora_path={value}

(Required if perform_unix_os_checks=1 and/or perform_unix_opatch_checks=1 is specified, otherwise invalid) The pathname to the Unix spfile(SID).ora file.

Example: /usr/opt/oracle/network/admin/spfileORA10.ora

unix_listener_ora_path={value}

(Required if perform_unix_os_checks=1 and/or perform_unix_opatch_checks=1 is specified, otherwise invalid) The pathname to the Unix listener.ora file.

Example: /usr/opt/oracle/network/admin/listener.ora

unix_sqlnet_ora_path={value}

(Required if perform_unix_os_checks=1 and/or perform_unix_opatch_checks=1 is specified, otherwise invalid) The pathname to the Unix sqlnet.ora file.

Example: /usr/opt/oracle/network/admin/sqlnet.ora

unix_tnsnames_ora_path={value}

(Required if perform_unix_os_checks=1 and/or perform_unix_opatch_checks=1 is specified, otherwise invalid) The pathname to the Unix tnsnames.ora file.

Example: /usr/opt/oracle/network/admin/tnsnames.ora

unix_invptrloc={value}

(Optional if perform_unix_opatch_checks=1 is specified, otherwise invalid) The pathname to the Unix oraInst.loc file. Use this parameter to identify a custom inventory for patches.

Example: /usr/opt/oracle/network/admin/oraInst.loc
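As an added example (not Qualys' own code), the following Python helper encodes the rules from the parameter tables above: which parameters each action requires, the mutually exclusive pairs (ips versus add_ips/remove_ips, sid versus servicename), and the OS parameters that are required when the matching perform_*_checks flag is set and invalid otherwise. The rule set is an assumption transcribed from the table, and the helper produces the form body that the curl samples pass with -d.

```python
from urllib.parse import urlencode

WIN_OS_PARAMS = ("win_ora_home_name", "win_ora_home_path", "win_init_ora_path",
                 "win_spfile_ora_path", "win_listener_ora_path",
                 "win_sqlnet_ora_path", "win_tnsnames_ora_path")
UNIX_OS_PARAMS = ("unix_ora_home_path", "unix_init_ora_path", "unix_spfile_ora_path",
                  "unix_listener_ora_path", "unix_sqlnet_ora_path", "unix_tnsnames_ora_path")

def validate_oracle_record(params):
    """Return the list of rule violations for one request; empty means consistent."""
    p = {k: str(v) for k, v in params.items()}
    errors = []
    action = p.get("action")
    if action not in ("create", "update", "delete", "list"):
        errors.append("action must be create, update, delete or list")
    if action == "create":
        # A template carries credentials only; the sample template request omits ips (assumption).
        required = ["title", "username"] + ([] if p.get("is_template") == "1" else ["ips"])
        errors.extend(f"{r} is required to create a record" for r in required if not p.get(r))
        if p.get("login_type", "basic") == "basic" and not p.get("password"):
            errors.append("password is required unless login_type=vault")
        if "save_as_user_auth" in p:
            errors.append("save_as_user_auth is not valid for a create request")
        if p.get("is_template") == "1" and "status" in p:
            errors.append("status cannot be specified for a system record template")
    if action in ("update", "delete") and not p.get("ids"):
        errors.append(f"ids is required to {action} a record")
    if action == "update" and "is_template" in p:
        errors.append("is_template is not valid for an update request")
    if p.get("login_type") == "vault":
        errors.extend(f"{r} is required when login_type=vault" for r in ("vault_type", "vault_id") if not p.get(r))
    if "ips" in p and ("add_ips" in p or "remove_ips" in p):
        errors.append("ips cannot be combined with add_ips or remove_ips")
    if "sid" in p and "servicename" in p:
        errors.append("sid and servicename cannot be specified in the same request")
    # OS parameters: required when the matching checks flag is on, invalid otherwise.
    unix_on = "1" in (p.get("perform_unix_os_checks"), p.get("perform_unix_opatch_checks"))
    for flag_on, deps, why in ((p.get("perform_windows_os_checks") == "1", WIN_OS_PARAMS, "perform_windows_os_checks=1"),
                               (unix_on, UNIX_OS_PARAMS, "perform_unix_os_checks=1 or perform_unix_opatch_checks=1")):
        if flag_on:
            errors.extend(f"{d} is required when {why}" for d in deps if not p.get(d))
        else:
            errors.extend(f"{d} is invalid unless {why}" for d in deps if d in p)
    return errors

def encode_body(params):
    """Form-encode a validated request body (the string curl passes with -d)."""
    if errors := validate_oracle_record(params):
        raise ValueError("; ".join(errors))
    return urlencode(params)
```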


Ports used for Oracle authentication

The “All Ports” option is used when the port parameter is not specified (the default). You may only create one Oracle record with this setting for each host. When All Ports is defined the scanning engine uses the credentials in the record to attempt authentication to the database instance (SID or service name) when a port-specific record does not exist. The scanning engine will authenticate to the database instance on each port the Oracle service is detected on.

A single port is used when the port parameter is specified (e.g. port=1521). The same port number cannot be entered in multiple Oracle records for the same host, unless the compliance module is enabled and pc_only=1 is specified.

How it works - When the scanning engine detects an Oracle instance on a host, it first checks to see if you have an authentication record with the database instance and port specified. If you have a port-specific record, then it uses the credentials in that record to attempt authentication to the database instance. If a port-specific record does not exist (or if authentication fails), then the scanning engine checks to see if you have an authentication record set to “All Ports” for the host and uses the credentials in that record to attempt authentication to the database instance.
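The selection order and the per-host uniqueness rules described in this section, modelled in Python as an added example (this is not Qualys' scanning engine code). The record model is constructed for the example, and the reading that the later duplicate record is the one that must carry pc_only=1 is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class OracleRecord:
    # Constructed model of the fields that drive record selection; not the API's schema.
    title: str
    ips: frozenset               # target hosts the record applies to
    port: Optional[int] = None   # None means the "All Ports" option
    pc_only: bool = False        # pc_only=1 records are used for compliance scans only

def check_record_set(records):
    """Return violations of the rules: one All Ports record per host, and a port
    may repeat for the same host only when the later record sets pc_only=1."""
    errors, all_ports_seen, port_seen = [], set(), {}
    for r in records:
        for ip in r.ips:
            if r.port is None:
                if ip in all_ports_seen:
                    errors.append(f"{ip}: more than one All Ports record ({r.title})")
                all_ports_seen.add(ip)
            else:
                prior = port_seen.setdefault((ip, r.port), r)
                if prior is not r and not r.pc_only:
                    errors.append(f"{ip}:{r.port}: already defined in {prior.title}; "
                                  f"{r.title} must set pc_only=1")
    return errors

def candidate_records(records, ip, port, compliance_scan=False):
    """Order the records the engine tries for a detected instance: port-specific
    records first, then the host's All Ports record as the fallback."""
    usable = [r for r in records if ip in r.ips and (compliance_scan or not r.pc_only)]
    specific = [r for r in usable if r.port == port]
    fallback = [r for r in usable if r.port is None]
    return specific + fallback

if __name__ == "__main__":
    # Constructed sample: one All Ports record plus two port 1521 records on the same host.
    host = frozenset({"10.0.0.5"})
    recs = [OracleRecord("ora-all-ports", host),
            OracleRecord("ora-1521", host, 1521),
            OracleRecord("ora-1521-pc", host, 1521, pc_only=True)]
    print(check_record_set(recs))
    print([r.title for r in candidate_records(recs, "10.0.0.5", 1521)])
    print([r.title for r in candidate_records(recs, "10.0.0.5", 1521, compliance_scan=True)])
```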

System created Oracle authentication records

When we auto discover Oracle instances, we’ll discover the target configuration for each instance but not the login credentials. We’ve introduced a new configuration called “Oracle System Record Template” that you’ll use to provide Oracle login credentials for system created records. You’ll create the system record template and then select it in the option profile used for discovery scans. The template is linked automatically to the system created records created as a result of the scan.

Benefits

- We’ll auto discover Oracle instances on each scanned host and create authentication records for those instances. We support auto discovery and system record creation for Oracle instances running on Unix platforms. Make sure you have Unix authentication records in your account for hosts running Oracle.

- When we create Oracle authentication records for discovered instances, we’ll insert the credentials from the Oracle system record template you selected in the option profile.

- You can easily rotate Oracle passwords. Simply edit the credentials in the Oracle system record template and all Oracle records linked to the template will be updated to use the new credentials with no additional scan or action by you.

- You can edit individual Oracle system created records and save them as user created. This allows you to change the credentials for individual records without changing the credentials for all records associated with a template.

How it works

Here’s the basic flow for Oracle instance discovery and auto record creation. Note - We support auto discovery and system record creation for Oracle instances running on Unix platforms. Make sure you have Unix authentication records in your account for hosts running Oracle.

1) Create an Oracle system record template (using is_template input parameter) and enter the login credentials you want to use for system created records.

2) Select the Oracle system record template in the compliance option profile you want to use for discovery scans.

3) Launch your discovery scan. Your scan results will list the auto discovered instances.

4) List your Oracle authentication records. For each system created record, you’ll see the template associated with the record.

Sample - Create Oracle system record template

API request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: curl" \
  -d "action=create&is_template=1&title=OracleRecordTemplate&username=OracleUser&password=Password" \
  "https://qualysapi.qualys.com/api/2.0/fo/auth/oracle/"


DTDs for auth type "oracle"

<platform API server>/api/2.0/batch_return.dtd

<platform API server>/api/2.0/fo/auth/oracle/auth_oracle_list_output.dtd