To configure SSH integration:
- Log in to Tenable.io.
- Click Scans.
Click + New Scan.
Select a Scan Template.
The scan configuration page appears.
In the Name box, type a name for the scan.
- In the Targets box, type an IP address, hostname, or range of IP addresses.
- (Optional) Add a description, folder location, scanner location, and specify target groups.
Click the Credentials tab.
The Credentials options appear.
- In the Select a Credential menu, select the Host drop-down.
The CyberArk field options appear.
Configure each field for SSH authentication.
Caution: Tenable strongly recommends encrypting communication between your on-site scanner and the CyberArk AIM gateway using HTTPS and/or client certificates. For information on securing the connection, refer to the Tenable.io User Guide and the Central Credential Provider Implementation Guide located at cyberark.com (login required).
Option Description Required
The IP address or FQDN name for the CyberArk AIM Web Service. This can be the host, or the host with a custom URL added on in a single string.
The port on which the CyberArk API communicates. By default, Tenable.io uses 443.
The Application ID associated with the CyberArk API connection.
Client Certificate The file that contains the PEM certificate used to communicate with the CyberArk host.
Client Certificate Private Key The file that contains the PEM private key for the client certificate.
Client Certificate Private Key Passphrase The passphrase for the private key, if required.
yes, if private key requires
Kerberos Target Authentication
If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.
Key Distribution Center (KDC)
(Required if Kerberos Target Authentication is enabled.) This host supplies the session tickets for the user.
The port on which the Kerberos authentication API communicates. By default, Tenable.io uses 88.
The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port as the KDC UDP uses either port 88 or 750 by default, depending on the implementation.
(Required if Kerberos Target Authentication is enabled.) The domain to which Kerberos Target Authentication belongs, if applicable.
Get credential by
The method with which your CyberArk API credentials are retrieved. Can be Username, Identifier, or Address.
Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier.
(If Get credential by is Username) The username of the CyberArk user to request a password from.
no Domain (If Get credential by is Username) The domain to which the username belongs, if applicable. no Safe
(If Get credential by is either Username, Identifier, Address) The CyberArk safe the credential should be retrieved from.
no Account Name (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. no
If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.
Verify SSL Certificate
If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.
To verify the integration is working, click the launch button (highlighted below) to initiate an on-demand scan.
Once the scan has completed, select the completed scan and look for Plugin ID 12634, which validates that authentication was successful. If the authentication is not successful, refer to the Debugging CyberArk Issues section of this document.