TLS Installation Types
Tenable Identity Exposure requires Transport Layer Security (TLS) to encrypt internal communications between Tenable Identity Exposure components (micro-services).
Tenable Identity Exposure enables TLS on protocols by using HTTPS instead of HTTP, AMQPS (AMQP+TLS) instead of AMQP (Advanced Message Queuing Protocol), and TLS encryption for MS-SQL.
Tenable Identity Exposure offers four types of TLS setups during the installation, from the least to the most hardened:
Installation Option | Recommended For | Encryption Between Internal Communications and Tenable Identity Exposure Components | Peer Verification | CA Certificate Requirement for Secure Relay
---|---|---|---|---
No TLS | A trusted network of machines. An easy installation with little configuration. This option falls back to the "Default TLS" option. | Not encrypted. Every component communicates in plain text, except for the Secure Relay that interacts with the Directory Listener. | Disabled. Tenable Identity Exposure does not check server certificates. This setup is not resistant to active MITM attacks. | Install the public part of the Certificate Authority (CA) generated during the installation, located at C:\Tenable\Tenable.ad\DirectoryListener\envoy_server\certs, on each machine where you install the Relay.
Default TLS (no "Expert mode") | An organization without its own internal public key infrastructure (PKI) that requires protection against passive eavesdropping. | Encrypted using an internal PKI for Tenable Identity Exposure with its own certificates and private keys, which the installation automatically generates and stores on the disk of the first machine. | Disabled. Tenable Identity Exposure does not check server certificates. This setup is not resistant to active MITM attacks. | Install the public part of the Certificate Authority (CA) generated during the installation, located at C:\Tenable\Tenable.ad\DirectoryListener\envoy_server\certs, on each machine where you install the Relay.
Default TLS ("Expert mode") | An organization without its own internal public key infrastructure (PKI) that requires protection against passive eavesdropping. | Encrypted using an internal PKI for Tenable Identity Exposure with its own certificates and private keys, which the installation automatically generates and stores on the disk of the first machine. | Disabled. Tenable Identity Exposure does not check server certificates. This setup is not resistant to active MITM attacks. | Install the public part of the Certificate Authority (CA) generated during the installation, located at C:\Tenable\Tenable.ad\DirectoryListener\envoy_server\certs, on each machine where you install the Relay.
Custom TLS Without Peer Verification | An organization with its own internal PKI that requires protection against passive eavesdropping. | Encrypted, using certificates from your internal PKI. Certificates must contain the IP address of the corresponding machine in the Subject Alternative Name (SAN) extension and a signature from the provided Certificate Authority (CA). | Disabled. Tenable Identity Exposure does not check server certificates. This setup is not resistant to active MITM attacks. | Supply the CA that signed the provided server certificate on each machine where you intend to install the Relay. Tenable does not provide the specific path, as it is assumed that you have access to the CA.
Custom TLS With Peer Verification | An organization with its own internal public key infrastructure (PKI) that requires protection against both passive eavesdropping and man-in-the-middle (MITM) attacks. | Encrypted, using certificates from your internal PKI. Certificates must contain the IP address of the corresponding machine in the Subject Alternative Name (SAN) extension and have a signature from the provided Certificate Authority (CA). | Enabled. Tenable Identity Exposure checks server certificates. This setup is resistant to active MITM attacks. | Supply the CA that signed the provided server certificate on each machine where you intend to install the Relay. Tenable does not provide the specific path, as it is assumed that you have access to the CA.

Note: The default TLS installations, the one that uses the "Expert" mode and the one that does not, are essentially the same.
It is possible to update the TLS certificate either during an upgrade of Tenable Identity Exposure or when you need to renew an expired certificate, as follows:

- Update the certificate (CRT) and KEY files in the default folder Tenable\Tenable.ad\Certificates.

Note: If your new certificate is in Personal Information Exchange (PFX) format, you can use the installed openssl.exe command line to extract the CRT and KEY.
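As an added example (not Tenable's own tooling, paths or defaults), the following POSIX shell script uses openssl to exercise two points from this page together: the Custom TLS requirement that a server certificate carry the machine's IP address in the SAN extension and be signed by the supplied CA, and the renewal note about extracting the CRT and KEY from a PFX with openssl. It builds a throwaway internal CA, issues such a certificate, checks it the way peer verification does (chain to the supplied CA plus IP match, and a mismatching IP is rejected), then bundles it into a PFX and extracts the CRT and KEY back out, confirming they match the originals. The IP address 10.0.0.5, the CN values, the PFX password and the temporary working directory are constructed sample values; the same openssl subcommands apply with openssl.exe on a Windows host, only the file paths differ.

```shell
#!/bin/sh
# Added example (not Tenable's code). Assumes openssl 1.1.1+ on PATH.
# All names, the IP and the PFX password are constructed sample values.
WORK="${WORK:-$(mktemp -d)}"
SAMPLE_IP="10.0.0.5"        # constructed sample: the machine the cert is for
PFX_PASS="pass:changeit"    # constructed sample PFX password

# Create a self-signed CA with explicit CA extensions from a private config,
# so the result does not depend on the host's default openssl.cnf.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a server certificate signed by the CA with the IP in the SAN extension
# (the Custom TLS requirement). The SAN is supplied at signing time via -extfile.
issue_server_cert() {
  ip="$1"
  openssl req -new -config "$WORK/ca.cnf" -subj "/CN=tie-node" \
    -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null || return 1
  printf 'subjectAltName = IP:%s\n' "$ip" > "$WORK/san.ext"
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
}

# What peer verification enforces: a chain back to the supplied CA and a SAN
# matching the address the client connected to. Non-zero exit on any mismatch.
check_server_cert() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# Bundle cert + key + CA into a PFX, extract the CRT and KEY back out
# (the openssl steps the renewal note refers to), and confirm they match.
pfx_roundtrip() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/ca.crt" -passout "$PFX_PASS" \
    -out "$WORK/server.pfx" 2>/dev/null || return 1
  openssl pkcs12 -in "$WORK/server.pfx" -passin "$PFX_PASS" -clcerts -nokeys \
    -out "$WORK/extracted.crt" 2>/dev/null || return 1
  openssl pkcs12 -in "$WORK/server.pfx" -passin "$PFX_PASS" -nocerts -nodes \
    -out "$WORK/extracted.key" 2>/dev/null || return 1
  # Same certificate fingerprint and same public key as the originals.
  a=$(openssl x509 -in "$WORK/server.crt" -noout -fingerprint -sha256)
  b=$(openssl x509 -in "$WORK/extracted.crt" -noout -fingerprint -sha256)
  [ -n "$a" ] && [ "$a" = "$b" ] || return 1
  pa=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)
  pb=$(openssl pkey -in "$WORK/extracted.key" -pubout 2>/dev/null)
  [ -n "$pa" ] && [ "$pa" = "$pb" ]
}

# Stand-alone run: build, check, round-trip, and print the SAN being relied on.
make_ca && issue_server_cert "$SAMPLE_IP" \
  && check_server_cert "$SAMPLE_IP" && echo "chain and SAN OK for $SAMPLE_IP" \
  && pfx_roundtrip && echo "PFX extraction matches the original CRT/KEY" \
  && openssl x509 -in "$WORK/server.crt" -noout -text | grep 'IP Address'
```

On a Tenable Identity Exposure host the extracted CRT and KEY are what you would place in Tenable\Tenable.ad\Certificates; the CA certificate used with -CAfile here plays the role of the CA you supply on each Relay machine. The negative check with a different IP shows what the "With Peer Verification" option rejects and the other options silently accept.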