Qualys integration

AQtive Guard can import scans from Qualys and generate a cryptographic analysis of available data.

Requirements

To streamline scanning, first gather all the required information in a safe place. Refer to the links provided for instructions on obtaining each item.

AQtive Guard requirements

  • The AQtive Guard API URL. This is in the format <app-base-url>/api/v2.
  • Your AQtive Guard API Key. Refer to Retrieve the API key.
  • The target project and its project ID. This is where the scan file will be uploaded for analysis and reporting. You’ll find these in the AQtive Guard Web Interface, as instructed in Create a new project and Find the project ID.

Qualys requirements

  • Node LTS (20.14.0) or newer
  • The Qualys Gateway URL you will connect to. Refer to the Qualys guide, Identify your Qualys platform.
  • A username and password for the Qualys admin account to be used for authentication.

Ingest Qualys data

Follow these instructions to run a scan and ingest Qualys data for analysis by AQtive Guard.

Important

Before you begin, review the Requirements and ensure you have all the information AQtive Guard and Qualys need to run the scan script.

Run the following terminal command to ingest Qualys data:

Bash
./ingest-qualys \
  --qualys-gateway-url=<qualys-gateway-url> \
  --qualys-username=<qualys-username> \
  --qualys-password=<qualys-password> \
  --aqg-api-key=<aqg-api-key> \
  --aqg-project-id=<aqg-project-id> \
  --aqg-api-url=<aqg-api-url>

In the AQtive Guard Web Interface, select Scans from the menu bar to view the scan data. Refer to Scans for details.

Required arguments

These arguments are required:

  • qualys-gateway-url - the base URL of the Qualys gateway.
  • qualys-username - username required to authenticate with the Qualys API.
  • qualys-password - password associated with the username for authentication.
  • aqg-api-key - AQtive Guard API key.
  • aqg-project-id - ID for the AQtive Guard project where the scan file will be uploaded.
  • aqg-api-url - AQtive Guard API URL, in the format <app-base-url>/api/v2.
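
The wrapper below is an added example, not part of the AQtive Guard or Qualys tooling: it checks the Node version and the API URL format from the Requirements, then prompts for the two secrets so they are not typed into shell history. The QUALYS_PASSWORD and AQG_API_KEY variable names and the https:// requirement are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not vendor code): pre-flight checks plus secret prompting
# for the ./ingest-qualys command documented above.

# Succeeds if $1 (e.g. "v20.14.0") meets the Node 20.14.0 minimum.
node_version_ok() {
  v=${1#v}; major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
  for n in "$major" "$minor"; do
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
  done
  [ "$major" -gt 20 ] || { [ "$major" -eq 20 ] && [ "$minor" -ge 14 ]; }
}

# Succeeds if $1 has the documented <app-base-url>/api/v2 shape.
# Requiring https:// is this example's assumption, not a documented rule.
valid_aqg_api_url() {
  case "$1" in
    https://?*/api/v2) return 0 ;;
    *) return 1 ;;
  esac
}

# Prompt on stderr with echo off; print the typed secret on stdout.
read_secret() {
  printf '%s: ' "$1" >&2
  stty -echo; IFS= read -r secret; stty echo
  printf '\n' >&2
  printf '%s' "$secret"
}

# Usage: script <qualys-gateway-url> <qualys-username> <aqg-project-id> <aqg-api-url>
main() {
  node_version_ok "$(node --version)" || { echo "Node 20.14.0+ required" >&2; return 1; }
  valid_aqg_api_url "$4" || { echo "aqg-api-url must be https://<app-base-url>/api/v2" >&2; return 1; }
  # QUALYS_PASSWORD and AQG_API_KEY are hypothetical variable names read by
  # this wrapper only; the tool itself still receives the values as arguments.
  pass=${QUALYS_PASSWORD:-$(read_secret "Qualys password")}
  key=${AQG_API_KEY:-$(read_secret "AQtive Guard API key")}
  ./ingest-qualys \
    --qualys-gateway-url="$1" \
    --qualys-username="$2" \
    --qualys-password="$pass" \
    --aqg-api-key="$key" \
    --aqg-project-id="$3" \
    --aqg-api-url="$4"
}

# Run only when all four non-secret values are supplied.
if [ "$#" -eq 4 ]; then main "$@"; fi
```

Because the secrets are still passed as command-line arguments, they remain visible in the local process list while the ingest runs, so run it on a host where other users cannot list your processes.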

Optional arguments

The following optional arguments may be added to the request from Qualys:

  • since - indicates the starting point in time (in ISO 8601 format or a timestamp) from which data should be ingested.
  • metadata-out - specifies the file path where metadata output should be saved.
  • qualys-tag - provides tags to identify the endpoints to be analyzed. Multiple values are accepted.
  • aqg-profile-id - AQtive Guard profile used to analyze traces; the default project profile is used if not specified.

Edge Cases

The following defaults are used due to limitations in Qualys scan data:

  • The Key Exchange algorithm:
    • is calculated based on incomplete data from Qualys.
    • defaults to ECDH for TLSv1.3.
    • ECDH with key size strictly higher than 256 defaults to secp256r1.
  • Only the leaf certificate is reported. The complete chain is unknown by Qualys.
  • The Source IP is always 64.41.200.1.

Use

Refer to:

  • Dashboard to view, assess, and analyze your cryptographic inventory and health across all projects.