Access rights for scanning Oracle Databases
How to configure access permissions
The product determines the license status of Oracle databases on the queried server systems. In addition to system information, information from the Oracle databases must also be queried.
The product reads neither application-specific nor customer-specific data.
The database query is configured out of the box so that no special user has to be created in the databases in order to capture all necessary information. All running instances on the systems are recognized. After changing into the context of the process owner, read access to the database takes place with that UID.
Alternatively, you can create a new database user or use an existing one. Such a database user requires read-only access only. The database user can be identical on all server systems for all Oracle databases running there. The following chapter describes how to grant access to that user.
Granting Access for a specific user
Using Grant Script
The grant script MUST be called as SYSDBA (or a comparable role) with the right to create users! The grant script must be executed once for each database instance to be queried.
The grant script is called:
@novaratio_grantscript.sql <user> <password> <tablespace> <ORACLE_SID>
The parameters when calling the grant script mean:
- <user> is a new username. If it already exists, the system issues a corresponding message.
- <password> is the password with which the new user logs in. The password must comply with the rules of the specified database policies.
- <tablespace> is an existing tablespace. If it does not exist, an error message is issued and the user is not created.
- <ORACLE_SID> is the ORACLE_SID of the database where the user is to be created. If it does not exist, an error message is issued and the user is not created.
For Oracle 12c with Pluggable Databases (PDB): The grant script MUST be executed in the CDB$ROOT. It automatically creates the user passed as a parameter in the CDB$ROOT as well as in all PDBs generated for the CDB.
Storing the logon data
If the data query of the server systems is executed using a specific database user, the user name and password must be stored.
The administrator must store this logon data on the respective server systems in a corresponding logon data file. This file can contain several sets of logon data, i.e. valid combinations of user name and password, and can be used identically on several server systems.
The entries in the logon data file are line-oriented, one entry per line, with a tab character as the separator between user name and password (comment lines are not allowed!):
User1	password1
User2	password2
Under Windows, the logon data file is expected in the following path after the installation of the agent:
%Program Files (x86)%\eRunbook\product\agent\tools\login
For Unix/Linux, the login data file is stored under the following path after the agent installation:
/opt/eRunbook/product/agent/tools/login
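The format rules above can be checked before the agent uses the file. The following Python check is an added example, not part of the product or its documentation; the function name check_login_file, the "#" comment marker, the file-permission check and the CRLF warning are assumptions made for illustration.

```python
import os
import stat

def check_login_file(path):
    """Return a list of problems in an agent "login" file (never echoes passwords)."""
    problems = []
    mode = os.stat(path).st_mode
    # Added hardening check, not a documented product requirement: the file
    # holds clear-text passwords, so group and others should have no access.
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {stat.S_IMODE(mode):04o} allows group/other access")
    entries = 0
    with open(path, encoding="utf-8", newline="") as fh:
        for number, raw in enumerate(fh, start=1):
            if os.name == "posix" and raw.endswith("\r\n"):
                # Assumption: a file copied from Windows may hand the agent
                # a password with a trailing carriage return.
                problems.append(f"line {number}: CRLF line ending")
            line = raw.rstrip("\r\n")
            if line.lstrip().startswith("#"):
                # Assumption: "#" or "##" is what an admin would try as a comment.
                problems.append(f"line {number}: comment lines are not allowed")
                continue
            fields = line.split("\t")
            if len(fields) != 2 or not fields[0].strip() or not fields[1]:
                problems.append(f"line {number}: expected <user><TAB><password>")
                continue
            if fields[0] != fields[0].strip():
                problems.append(f"line {number}: whitespace around user name")
            entries += 1
    if entries == 0:
        problems.append("no usable user/password entry")
    return problems

if __name__ == "__main__":
    import tempfile
    # Constructed sample, not real credentials.
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "login")
        with open(sample, "w", encoding="utf-8", newline="") as fh:
            fh.write("User1\tpassword1\n## scan account\nUser2 password2\n")
        os.chmod(sample, 0o644)
        for problem in check_login_file(sample):
            print(problem)
```

An empty result means every line is a tab-separated user/password pair and, on Unix/Linux, only the file owner can read it.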
In order to use the "login" file for the system query, the settings in the "swdetection_client.conf" file must be adjusted.
On Windows this file is located at:
windows/tools/swdetection_windows.conf
On Linux or UNIX this file is located at:
<OS>/tools/swdetection_unix_client.conf
This file already contains predefined entries for two Oracle DB query variants, of which only one may be active at any one time:
- Query with OS Authentication
- Query with "login" file (standard user)
[1] Standard OS Authentication
By default, the configuration file is set up for queries using OS authentication:
[OracleDB]
name=Oracle Database
vendor=Oracle Corporation
check_installation=swdetection_oracledb.sh check_installation
check_instance=swdetection_oracledb.sh check_instance NOVA_INSTALLATION_DIRECTORY
data_installation=swdetection_oracledb.sh data_installation
data_instance=swdetection_oracledb.sh data_instance NOVA_INSTANCE_NAME

##[OracleDB]
##name=Oracle Database
##vendor=Oracle Corporation
##check_installation=swdetection_oracledb.sh check_installation loginfile
##check_instance=swdetection_oracledb.sh check_instance loginfile NOVA_INSTALLATION_DIRECTORY
##data_installation=swdetection_oracledb.sh data_installation loginfile
##data_instance=swdetection_oracledb.sh data_instance loginfile NOVA_INSTANCE_NAME
[2] User Login Authentication
If you want to use the "login" file, the block for standard OS authentication must be commented out (using the "##" characters), while the lines of the block for login authentication must not start with the comment characters:
##[OracleDB]
##name=Oracle Database
##vendor=Oracle Corporation
##check_installation=swdetection_oracledb.sh check_installation
##check_instance=swdetection_oracledb.sh check_instance NOVA_INSTALLATION_DIRECTORY
##data_installation=swdetection_oracledb.sh data_installation
##data_instance=swdetection_oracledb.sh data_instance NOVA_INSTANCE_NAME

[OracleDB]
name=Oracle Database
vendor=Oracle Corporation
check_installation=swdetection_oracledb.sh check_installation loginfile
check_instance=swdetection_oracledb.sh check_instance loginfile NOVA_INSTALLATION_DIRECTORY
data_installation=swdetection_oracledb.sh data_installation loginfile
data_instance=swdetection_oracledb.sh data_instance loginfile NOVA_INSTANCE_NAME
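Because only one of the two [OracleDB] variants may be active, the edited configuration can be checked before it is rolled out. The following Python check is an added example, not code shipped with the product; the function name oracle_query_mode and the parsing rules (lines starting with "##" are ignored, a "[" line starts a new block) are assumptions derived from the blocks shown above.

```python
COMMAND_KEYS = ("check_installation", "check_instance",
                "data_installation", "data_instance")

def oracle_query_mode(conf_text):
    """Return "os" or "loginfile" for the single active [OracleDB] block."""
    blocks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):
            continue  # blank or commented-out line
        if line.startswith("["):
            current = None
            if line == "[OracleDB]":
                current = {}
                blocks.append(current)
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in current:
                raise ValueError(f"duplicate {key}: is a block only partly commented out?")
            current[key] = value.split()
    if len(blocks) != 1:
        raise ValueError(f"{len(blocks)} active [OracleDB] blocks, expected exactly 1")
    block = blocks[0]
    missing = [key for key in COMMAND_KEYS if key not in block]
    if missing:
        raise ValueError("missing entries: " + ", ".join(missing))
    uses_login = ["loginfile" in block[key] for key in COMMAND_KEYS]
    if all(uses_login):
        return "loginfile"
    if not any(uses_login):
        return "os"
    raise ValueError("entries mix OS authentication and loginfile calls")

# Constructed sample: login-file variant active, OS variant (abbreviated) commented out.
SAMPLE = """\
##[OracleDB]
##check_installation=swdetection_oracledb.sh check_installation
[OracleDB]
name=Oracle Database
vendor=Oracle Corporation
check_installation=swdetection_oracledb.sh check_installation loginfile
check_instance=swdetection_oracledb.sh check_instance loginfile NOVA_INSTALLATION_DIRECTORY
data_installation=swdetection_oracledb.sh data_installation loginfile
data_instance=swdetection_oracledb.sh data_instance loginfile NOVA_INSTANCE_NAME
"""

if __name__ == "__main__":
    print(oracle_query_mode(SAMPLE))
```

A ValueError points to the typical editing mistakes: both blocks active, a block only partly commented out, or "loginfile" added to some of the four entries but not all.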