Scan Configuration

Required User Role: Standard, Scan Manager, or Administrator

To configure an Akeyless PAM credential in a Tenable Vulnerability Management scan:

  1. In Tenable Vulnerability Management, navigate to Scans.

  2. Create, or edit, a scan.

  3. Navigate to Credentials and select the appropriate credential type (SSH, Windows, or Database).

  4. From the Authentication Method dropdown, select Akeyless.

  5. Configure the options described in the following table.

    Option Description Required
    Akeyless Host The hostname or IP address of your Akeyless instance. For the Akeyless SaaS platform, use api.akeyless.io. Yes
    Akeyless Port The port on which the Akeyless API communicates. By default, Tenable uses 443. Yes
    Akeyless API URL An optional base URL path appended to the host when constructing API requests. Leave blank for the default Akeyless SaaS or gateway API. No
    Access ID The Access ID associated with your Akeyless authentication method. This value begins with p- for SaaS auth methods. Yes
    Authentication Method The method used to authenticate to Akeyless. Select Access Key, Universal Identity, or Certificate. Yes
    Access Key The Access Key secret corresponding to the Access ID. Displayed when the Authentication Method is set to Access Key. Yes (if using Access Key authentication)
    UID Token Source Whether to supply the Universal Identity token directly or read it from a file on the scanner. Possible options are Manual and File. Displayed when the Authentication Method is set to Universal Identity. Yes (if using Universal ID authentication)
    Universal Identity Token The UID token used for Universal Identity authentication. Displayed when UID Token Source is set to Manual. Yes (if using manual Universal ID entry)
    Universal Identity Token File The absolute path to a file on the Tenable Nessus scanner host that contains the UID token. Displayed when UID Token Source is set to File. Yes (if using file-based Universal Identity)
    Client Certificate The PEM-format client certificate file used for certificate-based (mTLS) authentication. Displayed when the Authentication Method is set to Certificate. Yes (if using Certificate Authentication)
    Private Key The PEM-format private key file corresponding to the client certificate. Displayed when the Authentication Method is set to Certificate. Yes (if using Certificate Authentication)
    Passphrase For Private Key The passphrase protecting the private key, if the key is encrypted. Displayed when the Authentication Method is set to Certificate. No
    Credential ID The full path of the Akeyless secret that contains the target login credentials, for example /scan/linux/webserver. Yes
    Secret Type The type of Akeyless secret to retrieve. Select Static for static secrets or Rotated for rotated secrets. Static by default. Yes
    Use SSL Whether to use SSL/TLS when communicating with the Akeyless host. Enabled by default. Yes
    Verify SSL Certificate Whether to verify the Akeyless host SSL certificate. Disable only in test environments. Yes
    Use Kerberos KDC If enabled, Kerberos authentication is used to log in to the Windows target. Requires KDC host, port, transport, and domain. Applies to SSH and Windows credentials only. No
    Elevate privileges with The privilege escalation method to use after login (for example, sudo). Applies to SSH credentials only. No
    Escalation Credential ID The Akeyless secret path for the escalation account credentials. If not specified, the primary Credential ID is used for both login and escalation. Applies to SSH credentials only. No
  6. Save the credential and launch the scan.