Using Oracle Wallet authentication for Oracle Discovery on Unix/Linux - Support and Troubleshooting

Using Oracle Wallet authentication for Oracle Discovery on Unix/Linux .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Oracle Wallet Authentication for Discovery (Unix/Linux) 1. Overview Discovery can authenticate to Oracle Database using an Oracle Wallet configured on the target Unix/Linux host, instead of using a username and password stored in ServiceNow. This lets customers who already use Oracle Wallet across their estate keep credentials out of ServiceNow while still discovering Oracle instances and related components.

The feature is off by default and must be enabled explicitly.

2. How Discovery authenticates when the feature is enabled When Oracle Wallet authentication is enabled, the supported Discovery patterns:

Locate the Oracle installation on the target host. Use the Oracle Wallet that is already configured on that host to connect to the database. Run the SQL queries needed to collect Oracle Instance details and related component data. Send no Oracle username or password from ServiceNow during these queries. 3. Enabling the feature Setting Value System property glide.discovery.oracle_wallet_authentication Type True / False Default false (disabled) Effect when true Discovery patterns listed in section 5 will use Oracle Wallet authentication on Unix/Linux targets. To enable , set the property to true in your ServiceNow instance. To turn it off again, set it back to false .

Note: Until the property is set to true , Discovery continues to use standard username/password credentials and behavior is unchanged.

4. Prerequisites on the target host The following must be true on each Oracle host before Discovery can authenticate with the wallet. The customer is responsible for confirming each item on the host; ServiceNow Support cannot troubleshoot wallet-side issues that have not first been validated locally on the target.

The Discovery user can SSH to the host. This is the same requirement as any other Unix Discovery. An Oracle Wallet is configured and working on the host for the intended OS user. Logged in locally as that user, the customer must be able to connect to the database with no password prompt, using the example from the Oracle documentation: CONNECT /@db_connect_string Per Oracle's documentation, each user account must have its own unique connection string . The connection string used here must be the one configured in the wallet for the OS user that Discovery will run Oracle commands as (commonly oracle ). The Discovery user can run Oracle commands as the Oracle OS account (commonly oracle ) using sudo , without a password prompt. A typical sudoers entry that meets this requirement: ALL=(oracle) NOPASSWD: /bin/bash Replace with the OS user that the MID Server uses for SSH, and oracle with whatever OS account owns the Oracle installation in your environment. If any of these conditions is not met, Discovery will not be able to authenticate using the wallet on that host.

Before opening a ServiceNow support case: Confirm prerequisite 2 by running CONNECT /@db_connect_string on the target host, logged in as the OS user Discovery will use. If that command does not succeed without a password, the issue is with the Oracle Wallet configuration on the host and must be resolved with your Oracle DBA / OS team before ServiceNow Support can assist. This KB is not a substitute for a working Oracle Wallet configuration. 5. Supported Discovery patterns (Unix/Linux) Oracle Wallet authentication is supported by the following Discovery patterns:

Oracle DB on Unix Oracle Enrich Attributes E-Business Suite Oracle Unix for SAM customers Update Oracle RAC Single Node CI Get Oracle Instance size info Get Oracle Health Report Extend Oracle Instance Get Catalogs info Oracle option extension for Unix Oracle GLAS Data Collection V1 Oracle GLAS Data Collection V2 Patterns not listed above continue to use standard credential-based authentication.

6. What changes for the customer Credentials in ServiceNow: You no longer need to store Oracle database credentials in ServiceNow for the supported patterns, provided every target host has a working Oracle Wallet for the intended OS user. What is discovered: The data collected by the supported patterns is the same as before. Only the way Discovery authenticates changes. Reverting: Setting glide.discovery.oracle_wallet_authentication back to false returns Discovery to standard credential-based authentication immediately on the next run. Summary Oracle Wallet authentication for Discovery removes Oracle DB credentials from ServiceNow for the supported Unix/Linux patterns. It does not change what is discovered, only how Discovery authenticates. The wallet itself is owned and maintained by the customer on the target host: Discovery will only succeed where SSH, a working wallet for the intended OS user (verifiable with CONNECT /@db_connect_string ), and passwordless sudo to the Oracle OS account are all in place. Validate those three items on the host before opening a ServiceNow support case.

References Oracle — About credential wallets: https://docs.oracle.com/en/database/oracle/machine-learning/oml4py/2/mlpug/oracle-wallets.html Oracle — Managing the Secure External Password Store for Password Credentials: https://docs.oracle.com/en/database/oracle/oracle-database/21/dbseg/configuring-authentication.html#GUID-803496D2-19C7-4F02-94EC-C13EDD8FB17B