Integrating With CyberArk Enterprise Password Vault
Nessus Manager provides an option for CyberArk Windows integration. Complete the following steps to configure Nessus Manager with CyberArk for Windows.
- CyberArk account
- Nessus Manager account
To configure Windows integration:
- Log in to Nessus.
- Click Scans.
Click + New Scans.
The Scan Templates page appears.
Select a Scan Template.
The selected scan template appears.
In the Name box, type a name for the scan.
- In the Targets box, type an IP address, hostname, or range of IP addresses.
- (Optional) Add a description, folder location, scanner location, and specify target groups.
Click the Credentials tab.
The Credentials options appear.
- In the left-hand menu, select Windows.
Click Authentication method.
A drop-down appears.
- Select CyberArk.
Configure each field for Windows authentication.
Caution: Tenable strongly recommends encrypting communication between the Nessus scanner and the CyberArk AIM gateway using HTTPS and/or client certificates. For information on securing the connection, refer to the Nessus User Guide and the Central Credential Provider Implementation Guide located at cyberark.com (login required).
Option Description Required
The username of the target system.
CyberArk AIM Service URL The URL for the CyberArk AIM web service. By default, Nessus uses /AIMWebservice/v1.1/AIM.asmx.
The domain to which the username belongs.
Central Credential Provider Host
The CyberArk Central Credential Provider IP/DNS address.
Central Credential Provider Port
The port on which the CyberArk Central Credential Provider is listening.
Central Credential Provider Username
The username of the vault, if the CyberArk Central Credential Provider is configured to use basic authentication.
Central Credential Provider Password
The password of the vault, if the CyberArk Central Credential Provider is configured to use basic authentication.
The safe on the CyberArk Central Credential Provider server that contained the authentication information that you want to retrieve.
CyberArk Client Certificate The file that contains the PEM certificate used to communicate with the CyberArk host.
CyberArk Client Certificate Private Key The file that contains the PEM private key for the client certificate.
CyberArk Client Certificate Private Key Passphrase The passphrase for the private key, if required.
The AppId that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password.
The folder on the CyberArk Central Credential Provider server that contains the authentication information that you want to retrieve.
The PolicyID assigned to the credentials that you want to retrieve from the CyberArk Central Credential Provider.
If CyberArk Central Credential Provider is configured to support SSL through IIS check for secure communication.
Verify SSL Certificate
If CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate check this. Refer to custom_CA.inc documentation for how to use self-signed certificates.
CyberArk Account Details Name The unique name of the credential you want to retrieve from CyberArk.
- Click Save.
To verify the integration is working, click the Launch button (highlighted below) to initiate an on-demand scan.
Once the scan has completed, select the completed scan. Look for the corresponding ID (see chart below), which validates that authentication was successful. If the authentication is not successful, refer to the Debugging CyberArk Issues section of this document.
Plugin Type Plugin ID Postgres 91826 SQL 91825 MySQL 91823