Windows Integration

To configure with CyberArk using Windows integration:

  1. Log in to
  2. In the upper-left corner, click the button.

    The left navigation plane appears.

  3. In the left navigation plane, click Settings.

    The Settings page appears.

  4. Click the Credentials widget.

    The Credentials page appears. The credentials table lists the managed credentials you have permission to view.

  5. Click the button next to the Credentials title.

    The credential form plane appears.

  1. In the Host section, click Windows.

    The selected credential options appear.

  2. In the Authentication Method drop-down, select CyberArk.

    The CyberArk options appear.

  3. Configure the CyberArk credentials.

    Caution: Tenable strongly recommends encrypting communication between your on-site scanner and the CyberArk AIM gateway using HTTPS and/or client certificates. For information on securing the connection, refer to the User Guide and the Central Credential Provider Implementation Guide located at (login required).

    Option Description Required

    CyberArk Host

    The IP address or FQDN name for the CyberArk AIM Web Service.



    The port on which the CyberArk API communicates. By default, uses 443.



    The Application ID associated with the CyberArk API connection.


    Client Certificate The file that contains the PEM certificate used to communicate with the CyberArk host.


    Client Certificate Private Key The file that contains the PEM private key for the client certificate.


    Client Certificate Private Key Passphrase The passphrase for the private key, if required.

    yes, if private key requires

    Get credential by The method with which your CyberArk API credentials are retrieved: Username or Identifier yes

    (If Get credential by is set to Username) The username of the CyberArk user to request a password from.

    yes, for Username
    Domain (If Get credential by is set to Username) The domain to which the username belongs, if applicable. no

    (If Get credential by is set to Username) The CyberArk safe the credential should be retrieved from.

    yes, for Username
    Account Name (If Get credential by is set to Identifier) The unique account name or identifier assigned to the CyberArk API credential. yes, for Identifier

    Use SSL

    If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.


    Verify SSL Certificate

    If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.


  4.  Click Save.


  1. To verify the integration is working, click the Launch button to initiate an on-demand scan.

  2. After the scan completes, click the scan to view the results.

  3. Look for Plugin ID 10394. This validates that the authentication was successful. If the authentication is not successful, refer to the Debugging CyberArk Issues section of this document.