IBM DB2 Record

GET, POST /api/2.0/fo/auth/ibm_db2/

Create, update, list and delete IBM DB2 records for vulnerability and compliance scans (using VM, PC). This record is used for authenticated scanning of one or more DB2 instances on a single host. Want to scan multiple instances? See "Multiple DB2 Instances" in online help.

Requirement - You must set up target hosts per the Qualys User Guide.

Download Qualys User Guide - IBM DB2 Authentication (.zip)

Input Parameters

Parameter

Required/Optional

Data Type

Description

action={action}

Required String 

Specify create, update, delete (using POST) or list (using GET or POST). See List Auth Records for type

echo_request={0|1}

Optional Integer 

Specify 1 to view (echo) input parameters in the XML output. By default these are not included.

ids={value}

Required to update or delete record Integer 

Record IDs to update/delete. Specify record IDs and/or ID ranges (for example, 1359-1407). Multiple entries are comma separated.

vault_id={value}

Required only when action=create and login_type=vault Integer 

The ID of the vault you want to use to retrieve the password for login.

vault_type={value}

Required only when action=create and login_type=vault Boolean 

The third party vault to be used to retrieve the password for login. Certain vaults support this capability. See "Vault Support Matrix" in the API User Guide.

The following vault types are supported for IBM DB2 at this time: ARCON PAM, CA Access Control, CyberArk AIM, CyberArk PIM Suite, HashiCorp, Lieberman ERPM, Quest Vault, Thycotic Secret Server.

{vault parameters}

Required only when action=create and login_type=vault Integer 

Vault specific parameters required depend on the vault type you've selected. See "Vault Definition" in the API User Guide to know which parameters are required for each vault type.

title={value}

Required to create record String 

The title for the record. The title must be unique and may include a maximum of 255 characters (ascii).

comments={value}

Optional String 

User defined notes about the record. Maximum of 1999 characters (ascii).

pc_only={0|1}

Optional to create or update record Integer 

Specify pc_only=1 if the record will be used for compliance scans only.

Login Credentials

login_type={basic|vault}

Optional Boolean 

The login type is basic by default. Specify login_type=vault to use a third party vault to retrieve the password for authentication. Vault parameters need to be provided in the record.

username={value}

Required to create record, optional to update record String 

The user name for a DB2 database account. A maximum of 13 characters (ascii) may be specified.

password={value}

Required to create record, optional to update record String 

The password for a DB2 database account. Maximum 100 characters (ascii).

database={value}

Required to create record, optional to update record String 

The name of the DB2 database. A maximum of 8 characters (ascii) may be specified.

port={value}

Required to create record, optional to update record Integer 

The port the database instance is running on.

Target Hosts

ips={value}

Required to create record, optional to update record Integer 

Add IP addresses of the hosts you want to scan using this record.

Overwrites (replaces) the IP address(es) in the IP list for an existing authentication record. The IPs you specify are added, and any existing IPs are removed. You may enter a combination of IPs and IP ranges.

add_ips={value}

Optional to update record Integer 

Add IP address(es) to the IP list for an existing authentication record. You may enter a combination of IPs and IP ranges.

remove_ips={value}

Optional and valid to update record Integer 

IPs to be removed from your record. You may enter a combination of IPs and ranges. Multiple entries are comma separated.

network_id={value}

Optional to create or update record, and valid when the networks feature is enabled Integer 

The network ID for the record.

OS Parameters

win_db2dir={value}

unix_db2dir={value}

Optional Path 

The path to the DB2 runtime library if you want the service to perform OS-dependent compliance checks. This is the location where DB2 has been installed on the server. Maximum of 255 characters.

win_prilogfile={value}

unix_prilogfile={value}

Optional  Path

The path to the primary archive location if you want the service to perform OS-dependent compliance checks. This is the directory where the primary log files are located. Maximum of 255 characters.

win_seclogfile={value}

unix_seclogfile={value}

Optional  Path

The path to the secondary archive location if you want the service to perform OS-dependent compliance checks. Maximum of 255 characters. This parameter specifies the number of secondary log files that are created and used for recovery log files (only as needed). It is set by the DB2 logsecond parameter.

win_terlogfile={value}

unix_terlogfile={value}

Optional Path 

The path to the tertiary archive location if you want the service to perform OS-dependent compliance checks. Maximum 255 characters.

This parameter specifies a path to which DB2 will try to archive log files if the log files cannot be archived to either the primary or the secondary (if set) archive destinations because of a media problem affecting those destinations. It is set by the DB2 failarchpath parameter.

win_mirlogfile={value}

unix_mirlogfile={value}

Optional  Path 

The path to the mirror archive location if you want the service to perform OS-dependent compliance checks. Maximum 255 characters.

If mirrorlogpath is configured, DB2 will create active log files in both the log path and the mirror log path. All log data will be written to both paths. The mirror log path has a duplicate set of active log files. If the active log files are destroyed by a disk error or human error, the database can still function.  

Create IBM DB2 Record with Vault

In this sample, we’re creating a new record and specifying a CyberArk AIM vault.

API request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With:curl" -d "action=create&title=MyDB2Record&username=joe_user&login_type=vault&vault_id=45014&vault_type=CyberArkAIM&folder=Root\Windows7&file=rd.txt&database=db2&port=1234&ips=10.11.12.13" "https://<qualys_base_url>/api/2.0/fo/auth/ibm_db2/"

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE BATCH_RETURN SYSTEM
"https://<qualys_base_url>/api/2.0/batch_return.dtd">
<BATCH_RETURN>
<RESPONSE>
<DATETIME>2021-10-11T11:48:03Z</DATETIME>
<BATCH_LIST>
<BATCH>
<TEXT>Successfully Created</TEXT>
<ID_SET>
<ID>112491</ID>
</ID_SET>
</BATCH>
</BATCH_LIST>
</RESPONSE>
</BATCH_RETURN>

Multiple DB2 Instances

The service can authenticate to multiple DB2 instances on a single host during scanning. For a vulnerability scan, instance "uniqueness" is defined by IP address and port. For a compliance scan, instance "uniqueness" is defined by IP address, port and database name. The pc_only setting therefore affects how the service determines whether two records describe the same DB2 instance.

Let’s say you want to define these DB2 records in your account.

           IP Address     Port   Database Name   pc_only=0|1
Record 1   10.10.31.178   5000   SAMPLE          pc_only=0
Record 2   10.10.30.159   5000   TOOLS           pc_only=0
Record 3   10.10.30.159   5000   SAMPLE          pc_only=1

Record 1 and Record 2 will be used for vulnerability scans and compliance scans. You'll notice Records 2 and 3 have the same IP address and port but different database names; this is allowed because Record 3 is used for compliance scans only.

DB2 Paths

When specifying the path to configuration files, these special characters are not allowed:

For Windows:

; & | # % ? ! * ` ( ) [ ] " ' > < = ^ /

For Unix:

; & | # % ? ! * ` ( ) [ ] " ' > < = ^ \
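A client-side validator for the OS path parameters (win_*/unix_* from the table above) that applies the per-OS forbidden character sets and the 255-character limit before a request is built. This is an added example, not Qualys code; path_error and build_os_params are names chosen here.

```python
# Characters the page lists as not allowed in DB2 configuration paths, per OS.
WINDOWS_FORBIDDEN = set(';&|#%?!*`()[]"\'><=^/')
UNIX_FORBIDDEN = set(';&|#%?!*`()[]"\'><=^\\')
MAX_PATH_LEN = 255  # maximum length documented for each path parameter

# Suffixes of the page's path parameters; the prefix depends on the target OS.
PATH_PARAMS = ("db2dir", "prilogfile", "seclogfile", "terlogfile", "mirlogfile")


def path_error(name, value, os_family):
    """Return None if value is acceptable for os_family, else a short reason."""
    if os_family not in ("windows", "unix"):
        return f"unknown os_family: {os_family}"
    if name not in PATH_PARAMS:
        return f"unknown DB2 path parameter: {name}"
    if len(value) > MAX_PATH_LEN:
        return f"{name}: path exceeds {MAX_PATH_LEN} characters"
    forbidden = WINDOWS_FORBIDDEN if os_family == "windows" else UNIX_FORBIDDEN
    bad = sorted(set(value) & forbidden)
    if bad:
        return f"{name}: forbidden characters for {os_family}: {''.join(bad)}"
    return None


def build_os_params(os_family, **paths):
    """Map e.g. db2dir='/opt/ibm/db2' to {'unix_db2dir': '/opt/ibm/db2'}.

    Raises ValueError on the first path that fails path_error, so nothing
    half-validated is ever sent to the API.
    """
    prefix = "win_" if os_family == "windows" else "unix_"
    params = {}
    for name, value in paths.items():
        err = path_error(name, value, os_family)
        if err:
            raise ValueError(err)
        params[prefix + name] = value
    return params


if __name__ == "__main__":
    print(build_os_params("unix", db2dir="/opt/ibm/db2", prilogfile="/db2logs/primary"))
    print(path_error("db2dir", "C:/IBM/SQLLIB", "windows"))  # forward slash is not allowed on Windows
```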

DTDs for Authentication Type "ibm_db2"

<platform API server>/api/2.0/batch_return.dtd

<platform API server>/api/2.0/fo/auth/ibm_db2/auth_ibm_db2_list_output.dtd