HTTPS for Tenable Identity Exposure Web Application

When the Tenable Identity Exposure installation process installs the Security Engine Node (SEN), it creates a self-signed certificate and binds it to the Tenable Identity Exposure web application to let you access Tenable Identity Exposure via HTTPS.

For example, if the SEN server's IP address is 10.0.48.55, you can log in to the Tenable Identity Exposure web application at https://10.0.48.55 after installation.

Tenable Identity Exposure provides a default self-signed certificate for your convenience. But to secure fully the web application, you must change this IIS certificate for a valid one, such as a signed certificate from the organization’s PKI/internal Certificate Authority.

Moreover, the SSL/TLS protocols versions and their enabled cipher suites have globally configured settings in the underlying Windows operating system (OS). Tenable Identity Exposure does not modify these settings, so you must configure them to obtain the desired level of security in line with your organization’s requirements.

In the absence of specific requirements and within a modern environment, Tenable recommends that you enable TLS 1.2. You can enable TLS 1.3 if you use Windows Server 2022 with the compatible Tenable Identity Exposure version. You should also disable weak cipher suites (DES, 3DES, RC2, RC4, AES 128, etc.)

Refer to the Microsoft documentation to Restrict the use of certain cryptographic algorithms and protocols in Schannel.dll. Use the configuration method that your organization recommends to deploy those settings (for example local configuration, GPO, third-party tool, etc.) However, Tenable does not offer support around this.

For more information, see: