Set Up Oracle Authentication

Create a separate Oracle authentication record for each Oracle instance you want to scan. During scanning we'll authenticate to all Oracle instances defined in all Oracle records in your account.

System-created authentication records

Did you know? You can allow the system to create Oracle authentication records for auto discovered instances and scan them. This is supported for Unix installations only. To enable this feature, you must first create Oracle System Record Templates.

Learn how to set this up >>

Which technologies are supported?

For the most current list of supported authentication technologies and the versions that have been certified for VM and PC by record type, please refer to the following article:

Authentication Technologies Matrix

A few things to consider...

We recommend you review Oracle Use Cases

What credentials should I use?What credentials should I use?

It is strongly recommended that you create one or more dedicated user accounts to be used solely by our service to authenticate to Oracle databases. See our Scanning Tips docs under Quick Links (also available under Help > Resources).

Is the database a Multitenant Container Database?Is the database a Multitenant Container Database?

Be sure to choose the "Is CDB" option on the Target Configuration tab in the Oracle record. When “Is CDB” is selected, the compliance scan will auto discover and assess all accessible Pluggable Databases (PDBs) within the container database (CDB). Learn more about Oracle authentication for CDB/PDBs

Help me with record settings

How do I get started?How do I get started?

- Go to Scans > Authentication.

- Check that you already have a record defined for each host running database instances.

- Create a Oracle record for the database instance. Go to New > Databases > Oracle.

Tell me about the Ports settingTell me about the Ports setting

Port <number>
Enter the port number you want to scan. We'll use the credentials in this record to attempt authentication to the SID on the port you enter here.

All Ports
Select this option and we'll use the credentials in the record to attempt authentication to the SID on all ports the SID is detected on. You may only create one Oracle record with the "All Ports" option per host.

We'll attempt to find a port-specific record firstWe'll attempt to find a port-specific record first

When we detect an Oracle instance on a host at scan time:

First we'll look for a port-specific record for the host and attempt authentication using its credentials.

If a port-specific record is not found or if authentication fails...

Then we'll look for an "All Ports" record for the host and attempt authentication using its credentials.

Want to access the account password from your password vault?Want to access the account password from your password vault?

We support integration with multiple third party password vaults. Just go to Scans > Authentication > Vaults and tell us about your vault system. Then choose Authentication Vault in your record and select your vault name. At scan time, we'll authenticate to hosts using the account name in your record and the password we find in your vault.

Perform OS-dependent compliance checksPerform OS-dependent compliance checks (Windows, Unix)

Select this option on the Windows and/or Unix tab to allow the scanning engine to gather Oracle compliance data at the operating system level.

For Windows, you must also have a Windows record with the same IP addresses as the Oracle record. For Unix, you must have a Unix record with the same IP addresses as the Oracle record.

Your Oracle InstallationYour Oracle Installation

Enter details about your Oracle installation in the fields provided. All fields are required and have a limit of 255 characters.

For Windows, these special characters are not allowed: ; & | # % ? ! * ` ( ) [ ] ” ’ > < = ^ /

For Unix, these special characters are not allowed: ; & | # % ? ! * ` ( ) [ ] ” ’ > < = ^ \

Perform OPatch checksPerform OPatch checks (Unix)

Select this option on the Unix tab to allow the scanning engine to get a list of all installed patches for the Oracle instance. Unix authentication and Oracle Authentication are both required to perform OPatch checks. Learn more

Note - The Oracle installation details you provide on the Unix tab will apply to both types of checks: OS-dependent checks and OPatch checks.

Tell me about TCPS configurationTell me about TCPS configuration

Once you have configured the TCPS connection protocol for your Oracle database, then you can add the same to the Oracle authentication records in the Qualys Platform.

Go to TCPS Configuration tab.
Enter third party CA certificate Cwallet and Ewallet.
Either enter passphrase for the Ewallet or store passphrase in vault you have configured.
To get the passphrase from vault:
1. Turn on the toggle, Get passphrase from vault.
2. Select the vault type from the passphrase vault type and passphrase vault record.
3. Enter passphrase into the Secret Name text box.
Switch SSL Verify to YES to verify the SSL certificates. Enter a list of FQDNs for the hosts that correspond to all host IP addresses on which a custom SSL certificate signed by a trusted root CA is installed. Multiple hosts are comma separated.

Note: You may want to switch SSL Verify to NO to skip SSL verification if the device is not configured with a certificate, the certificate was not issued by a well-known certificate authority (CA) or the certificate is self-signed.

Important notes for Unit ManagersImportant notes for Unit Managers

When a Unit Manager edits a record, the Unit Manager only sees the IPs in the record that they have permission to. Any changes made by the Unit Manager will apply to all hosts defined in the record, regardless of whether all hosts belong to the user's business unit. The record may contain more IPs that are not visible to the Unit Manager.