Certificate Authentication
In Tenable Enclave Security, you can configure SSL client certificate authentication to allow users to log in to the interface using a certificate (such as a smart card, PIV, or CAC) instead of a standard username and password. Certificate-based authentication provides a higher level of security than passwords by requiring physical or digital tokens.
SSL Client Certificate Authentication
Tenable Enclave Security supports certificate authentication for users via integrated Tenable Enclave Security components. You can configure the system to require a certificate, make it optional, or use it for specific organizational requirements.
Before you begin
- Confirm you have a valid Certificate Authority (CA) that has signed the user certificates.
- Ensure the CA certificate is trusted by your Tenable Enclave Security deployment.
- Confirm that users have an existing account in Tenable Security Center that matches the Common Name (CN) or Subject Alternative Name (SAN) of their certificate.
- Authentication processes are handled by the main Tenable Security Center pod. Ensure your cluster meets the Tenable Enclave Security System Requirements to maintain authentication performance.
To configure certificate authentication for Tenable Enclave Security:
- Access your Kubernetes cluster via the CLI.
- Locate the Tenable Security Center pod:
  kubectl get pods -n <your-namespace>
- Open a shell to the pod:
  kubectl exec -it <sc-pod-name> -n <your-namespace> -- /bin/bash
- Open the /opt/sc/support/conf/sslverify.conf file in a text editor.
- Edit the SSLVerifyClient setting using one of the following values:
  - none: (Default) The system does not accept SSL certificates for authentication.
  - require: The system requires a valid SSL certificate for all user logins.
  - optional: The system accepts a certificate but does not require it. If a certificate is not presented, users can log in with a username and password.
- (Optional) Edit the SSLVerifyDepth setting to specify the length of the certificate chain the system should accept:
  - 0: Accepts self-signed certificates.
  - 1: Accepts certificates signed by a known CA but no intermediate certificates.
  - 2: Accepts a certificate chain with up to one intermediate certificate.
- Save the file and exit the pod.
- Restart the Tenable Security Center service or delete the pod to trigger a restart and apply the changes:
  kubectl delete pod <sc-pod-name> -n <your-namespace>
Container Security Scanner Certificate Configuration
When Tenable Enclave Security is configured with certificate-based authentication, or when your registry uses a custom certificate, the Container Security scanner requires additional certificate configuration to complete the mutual TLS (mTLS) handshake. You can provide certificate files using command-line flags or environment variables.
Configure a Certificate for Tenable Enclave Security Authentication
If Tenable Enclave Security uses certificate-based authentication, the Container Security scanner cannot complete the mTLS handshake because it does not provide a client certificate by default. Provide the certificate and key using one of the following methods.
Before you begin
- Confirm you have a valid certificate and private key that are trusted by your Tenable Enclave Security deployment.
Command-line flags
- --tes-cert: Path to the Tenable Enclave Security certificate.
- --tes-key: Path to the private key.
Example:
./consec run --tes-cert /etc/certs/certificate.pem --tes-key /etc/certs/key.pem
Environment variables
- TES_CERT_PATH: Path to the TLS certificate.
- TES_KEY_PATH: Path to the corresponding private key.
Example:
export TES_CERT_PATH=/etc/certs/certificate.pem
export TES_KEY_PATH=/etc/certs/key.pem
./consec run
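Before editing sslverify.conf or pointing the scanner at a certificate, it is worth confirming that the files actually fit: that the private key belongs to the certificate, that the CA the deployment trusts signed it, and how deep the chain is relative to the SSLVerifyDepth values above. The following script is an added example (not Tenable's documentation or tooling); it assumes openssl is on the PATH and takes the certificate, key and CA bundle paths as arguments.

```shell
#!/bin/sh
# Pre-flight checks for a client certificate before configuring Tenable
# Enclave Security or the Container Security scanner to use it.
# Added example, not Tenable's code; it only wraps standard openssl commands.
# Usage: sh check_cert.sh <certificate.pem> <key.pem> <ca.crt>

# Succeeds when the public key inside the certificate equals the public key
# derived from the private key (a mismatched pair silently breaks the mTLS handshake).
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate chains up to a root in the CA bundle,
# i.e. the CA the deployment trusts actually signed it.
cert_signed_by_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Prints the number of issuers between the leaf and the trusted root:
# 0 for a self-signed certificate, 1 when a trusted CA signed it directly,
# 2 with one intermediate. SSLVerifyDepth must be at least this value.
chain_depth() {
  n=$(openssl verify -show_chain -CAfile "$2" "$1" 2>/dev/null \
      | grep -c '^depth=') || return 1
  echo $((n - 1))
}

# Runs all three checks and reports; returns non-zero if any check fails.
check_client_cert() {
  cert=$1; key=$2; ca=$3; rc=0
  if cert_matches_key "$cert" "$key"; then echo "key matches certificate: yes"
  else echo "key matches certificate: NO"; rc=1; fi
  if cert_signed_by_ca "$cert" "$ca"; then
    echo "trusted by CA bundle: yes"
    echo "minimum SSLVerifyDepth: $(chain_depth "$cert" "$ca")"
  else echo "trusted by CA bundle: NO"; rc=1; fi
  return $rc
}

# Only run the checks when invoked with the three paths; sourcing the file
# just defines the functions.
if [ "$#" -eq 3 ]; then check_client_cert "$@"; fi
```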
Configure a CA Certificate for a Custom Registry
If your registry uses a custom certificate, the Container Security scanner cannot verify it against a known authority. Provide the CA certificate using one of the following methods.
Command-line flag
- --registry-cacert: Path to the CA certificate.
Example:
./consec run --registry-cacert /etc/certs/ca.crt
Environment variable
- REGISTRY_CACERT_PATH: Path to the CA certificate.
Example:
export REGISTRY_CACERT_PATH=/etc/certs/ca.crt
./consec run
Deployment Assessment Scanner Certificate Configuration
When Tenable Enclave Security is configured with certificate-based authentication, or when your registry uses a custom certificate, the deployment assessment scanner requires additional configuration. You provide certificate files as part of the helm upgrade command.
Configure a Certificate for Tenable Enclave Security Authentication
If Tenable Enclave Security uses certificate-based authentication, the tes-deployment-assessment service cannot complete the mTLS handshake because it does not provide a client certificate by default. Add the following flags to the existing helm upgrade command described in Install the Deployment Assessment Agent.
--set-file clientCerts.tes.cert=<path/to/certificate.pem>
--set-file clientCerts.tes.key=<path/to/key.pem>
Example:
helm upgrade --install tes-deployment-assessment \
-n tes-deployment-assessment \
-f values.yaml \
-f {cluster_name}.yaml \
--set-file clientCerts.tes.cert=<path/to/certificate.pem> \
--set-file clientCerts.tes.key=<path/to/key.pem> \
tenable/tes-deployment-assessment
Configure a CA Certificate for a Custom Registry
If your registry uses a custom certificate, the tes-deployment-assessment service cannot verify it against a known authority. Add the following flag to the existing helm upgrade command described in Install the Deployment Assessment Agent.
--set-file clientCerts.registry.caCert=<path/to/ca.crt>
Example:
helm upgrade --install tes-deployment-assessment \
-n tes-deployment-assessment \
-f values.yaml \
-f {cluster_name}.yaml \
--set-file clientCerts.registry.caCert=<path/to/ca.crt> \
tenable/tes-deployment-assessment
Rotate Certificates in an Existing Deployment
Use the following procedure to update certificates in an existing deployment and restart the pods to apply the changes.
Before you begin
- Confirm you have installed or upgraded to the latest Helm charts and configured the certificates previously.
To rotate certificates in an existing tes-deployment-assessment deployment:
- Run the following command with the updated certificate paths:
  helm upgrade tes-deployment-assessment tes-deployment-assessment \
  -n tes-deployment-assessment \
  --reuse-values \
  --set-file clientCerts.tes.cert=<path/to/certificate.pem> \
  --set-file clientCerts.tes.key=<path/to/key.pem> \
  --set-file clientCerts.registry.caCert=<path/to/ca.crt>
- Restart the pods to apply the changes:
  kubectl rollout restart deployment tes-deployment-assessment -n tes-deployment-assessment