Windows Integration

To configure Tenable.io with CyberArk using Windows integration:

  1. Log in to Tenable.io.
  2. In the upper-left corner, click the button.

    The left navigation plane appears.

  3. In the left navigation plane, click Settings.

    The Settings page appears.

  4. Click the Credentials widget.

    The Credentials page appears. The credentials table lists the managed credentials you have permission to view.

  5. Click the button next to the Credentials title.

    The credential form plane appears.

  1. In the Host section, click Windows.

    The selected credential options appear.

  2. In the Authentication Method drop-down, select CyberArk.

    The CyberArk options appear.

  3. Configure the CyberArk credentials.

  1. Caution: Tenable strongly recommends encrypting communication between your on-site scanner and the CyberArk AIM gateway using HTTPS and/or client certificates. For information on securing the connection, refer to the Tenable.io User Guide and the Central Credential Provider Implementation Guide located at cyberark.com (login required).

    Option Description Required

    Username

    The username of the target system.

    yes

    CyberArk AIM Service URL The URL for the CyberArk AIM web service. By default, Tenable.io uses /AIMWebservice/v1.1/AIM.asmx.

    no

    Domain

    The domain to which the username belongs.

    no

    Central Credential Provider Host

    The CyberArk Central Credential Provider IP/DNS address.

    yes

    Central Credential Provider Port

    The port on which the CyberArk Central Credential Provider is listening.

    yes

    Central Credential Provider Username

    The username of the vault, if the CyberArk Central Credential Provider is configured to use basic authentication.

    no

    Central Credential Provider Password

    The password of the vault, if the CyberArk Central Credential Provider is configured to use basic authentication.

    no

    Safe

    The safe on the CyberArk Central Credential Provider server that contained the authentication information that you want to retrieve.

    yes

    CyberArk Client Certificate The file that contains the PEM certificate used to communicate with the CyberArk host.

    no

    CyberArk Client Certificate Private Key The file that contains the PEM private key for the client certificate.

    no

    CyberArk Client Certificate Private Key Passphrase The passphrase for the private key, if required.

    no

    AppId

    The AppId that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password.

    yes

    Folder

    The folder on the CyberArk Central Credential Provider server that contains the authentication information that you want to retrieve.

    yes

    PolicyId

    The PolicyID assigned to the credentials that you want to retrieve from the CyberArk Central Credential Provider.

    no

    Use SSL

    If CyberArk Central Credential Provider is configured to support SSL through IIS check for secure communication.

    no

    Verify SSL Certificate

    If CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate check this. Refer to custom_CA.inc documentation for how to use self-signed certificates.

    no

    CyberArk Account Details Name The unique name of the credential you want to retrieve from CyberArk.

    no

  1. Click Save.

Verification

  1. To verify the integration is working, click the Launch button to initiate an on-demand scan.

  2. After the scan completes, click the scan to view the results.

  3. Look for Plugin ID 10394 . This validates that the authentication was successful. If the authentication is not successful, refer to the Debugging CyberArk Issues section of this document.