HTTPS for Tenable Identity Exposure Web Application
When the Tenable Identity Exposure installation process installs the Security Engine Node (SEN), it creates a self-signed certificate and binds it to the Tenable Identity Exposure web application to let you access Tenable Identity Exposure via HTTPS.
For example, if the SEN server's IP address is 10.0.48.55, you can log in to the Tenable Identity Exposure web application at https://10.0.48.55 after installation.
Tenable Identity Exposure provides a default self-signed certificate for your convenience. But to fully secure the web application, you must replace this IIS certificate with a valid one, such as a certificate signed by your organization’s PKI/internal Certificate Authority.
Moreover, the SSL/TLS protocol versions and their enabled cipher suites are globally configured settings of the underlying Windows operating system (OS). Tenable Identity Exposure does not modify these settings, so you must configure them yourself to obtain the level of security your organization requires.
In the absence of specific requirements and within a modern environment, Tenable recommends that you enable TLS 1.2. You can enable TLS 1.3 if you use Windows Server 2022 with a compatible Tenable Identity Exposure version. You should also disable weak cipher suites (DES, 3DES, RC2, RC4, AES 128, etc.).
Refer to the Microsoft documentation to Restrict the use of certain cryptographic algorithms and protocols in Schannel.dll. Use the configuration method that your organization recommends to deploy those settings (for example local configuration, GPO, third-party tool, etc.). However, Tenable does not offer support for this OS-level configuration.
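The following PowerShell script is an added example, not Tenable's code and not part of the Microsoft article referenced above. It applies the recommendations of this section on the SEN host through the Schannel registry layout and the Windows TLS cipher-suite cmdlets: legacy protocol versions off, TLS 1.2 on, and cipher suites built on DES, 3DES, RC2, RC4, AES 128, NULL or MD5 disabled. The regular expression used to pick weak suites is an assumption chosen to match the list in the text; adjust it to your organization's policy. Run it elevated, and reboot afterwards, because Schannel reads these settings at boot.

```powershell
# Added example (not Tenable's code): harden Schannel on the SEN host so that only
# TLS 1.2 is offered and weak cipher suites are disabled. Run elevated on the server.
# The registry layout (Protocols\<version>\Server|Client with Enabled / DisabledByDefault)
# and the *-TlsCipherSuite cmdlets are Microsoft's; a reboot applies protocol changes.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Name,    # e.g. 'TLS 1.2'
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 / DisabledByDefault=0 turns a version on; the inverse turns it off.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# Legacy protocol versions off, TLS 1.2 on. 'TLS 1.3' is left untouched: it is only
# available on Windows Server 2022 and requires a compatible product version.
foreach ($legacy in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-SchannelProtocol -Name $legacy -Enabled $false
}
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# Disable cipher suites built on weak primitives. The pattern (an assumption) covers
# DES, 3DES, RC2, RC4, 128-bit AES, NULL and export ciphers, and MD5-based MACs.
$weakPattern = '_(DES|3DES|RC2|RC4|AES_128|NULL)_|_MD5$|EXPORT'
Get-TlsCipherSuite |
    Where-Object { $_.Name -match $weakPattern } |
    ForEach-Object {
        Write-Host "Disabling $($_.Name)"
        Disable-TlsCipherSuite -Name $_.Name
    }

# Review what remains before rebooting.
Get-TlsCipherSuite | Select-Object -ExpandProperty Name
```

If the cipher-suite order is managed by a GPO ("SSL Cipher Suite Order"), the policy value overrides the local list that Disable-TlsCipherSuite edits, so apply the same change through the GPO instead. After the reboot, confirm the result from a client with a TLS scanner or by opening the web application with a browser that reports the negotiated protocol and suite.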
Securing the Login Cookie (for versions 3.77 and later)
Beginning with Tenable Identity Exposure version 3.77, you can secure the login session cookie by setting the environment variable KAPTEYN_SERVER_SESSION_COOKIE_SECURE. This ensures that the session cookie is only sent over HTTPS, which strengthens the security of the web application.
Prerequisite: Correct HTTPS Configuration
Before enabling this secure cookie setting, you must ensure that HTTPS is configured properly on the Tenable Identity Exposure web application, as described in this section. Otherwise, enabling this setting causes authentication on the web portal to fail.
This includes verifying the HTTPS configuration and ensuring that the client's web browser trusts the SSL/TLS certificate that the Tenable Identity Exposure web application uses.
- Locate the environment variable KAPTEYN_SERVER_SESSION_COOKIE_SECURE on the server that hosts the Kapteyn service.
- Set the environment variable KAPTEYN_SERVER_SESSION_COOKIE_SECURE to true. This marks the session cookie as Secure so that the browser only transmits it over an HTTPS connection.
- Restart the Kapteyn service for the change to take effect.
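The following PowerShell script is an added example that carries out the three steps above with the prerequisite check built in; it is not Tenable's code. It assumes, which the page does not state, that the variable is set at Machine scope so that the service process inherits it, that the web application URL is your SEN FQDN (the sample hostname is constructed), and that the Windows service name of the Kapteyn service is a placeholder you must replace. Run it elevated on the server hosting the Kapteyn service.

```powershell
# Added example (not Tenable's code): enable the secure session cookie for
# Tenable Identity Exposure 3.77+ only after confirming that HTTPS works and that
# the certificate chain validates. Run elevated on the server hosting Kapteyn.
# Assumptions (not stated on the page): Machine-scope variable; service name placeholder.

$WebAppUrl          = 'https://sen.example.internal/'      # constructed: your SEN FQDN
$KapteynServiceName = 'REPLACE-WITH-KAPTEYN-SERVICE-NAME'  # placeholder, adjust
$VarName            = 'KAPTEYN_SERVER_SESSION_COOKIE_SECURE'

function Test-WebAppHttps {
    param([Parameter(Mandatory)] [string] $Url)
    # Invoke-WebRequest validates the server certificate chain by default, so a
    # self-signed or otherwise untrusted certificate throws instead of returning.
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        return ($resp.StatusCode -lt 400)
    } catch {
        Write-Warning "HTTPS check failed for ${Url}: $($_.Exception.Message)"
        return $false
    }
}

# Prerequisite: abort if the portal is not reachable over validated HTTPS. Enabling
# the Secure flag on top of a broken HTTPS setup makes every login fail.
if (-not (Test-WebAppHttps -Url $WebAppUrl)) {
    throw 'Fix the HTTPS configuration (IIS binding and trusted certificate) first.'
}

# Step 1: locate the current value.
$current = [Environment]::GetEnvironmentVariable($VarName, 'Machine')
Write-Host "$VarName is currently: '$current'"

# Step 2: set it to true.
[Environment]::SetEnvironmentVariable($VarName, 'true', 'Machine')

# Step 3: restart the service so that it reads the new environment.
Restart-Service -Name $KapteynServiceName -Force
Get-Service -Name $KapteynServiceName | Select-Object Name, Status

# Check that the portal still answers. Any cookie issued by this response should now
# carry the Secure attribute; the session cookie itself may only appear after login,
# in which case inspect the login response in the browser's developer tools.
$resp = Invoke-WebRequest -Uri $WebAppUrl -UseBasicParsing
$resp.Headers['Set-Cookie'] | Where-Object { $_ -match 'Secure' }
```

The prerequisite check runs on the server itself, so the hostname in the URL must resolve there and the server must trust the certificate just as the clients' browsers must; a passing check on the server does not replace testing from a client workstation, which is what the text above requires.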
For more information, see: