Windows Integration

To configure Windows integration:

  1. Log in to Tenable Security Center.

  2. In the top navigation bar, click Scanning.

    A menu appears.

  3. Click Credentials.

    The Credentials page appears.

  4. Click +Add at the top of the screen.

    The Add Credential page appears.

  1. In the Windows section, click CyberArk Vault.

    The Add Credential page appears.

  1. Configure each field for Windows authentication.

    Option Description Required

    CyberArk Host

    The IP address or FQDN name for the CyberArk AIM Web Service.

    yes

    Port

    The port on which the CyberArk API communicates. By default, Tenable uses 443.

    yes

    AppID

    The Application ID associated with the CyberArk API connection.

    yes
    Client Certificate

    The file that contains the PEM certificate used to communicate with the CyberArk host.

    Note: Customers self-hosting CyberArk CCP on a Windows Server 2022 and above should follow the guidance found in Tenable’s Community post about CyberArk Client Certification Authentication Issue.

    no
    Client Certificate Private Key The file that contains the PEM private key for the client certificate.

    yes, if private key is applied
    Client Certificate Private Key Passphrase The passphrase for the private key, if required.

    yes, if private key is applied

    Kerberos Target Authentication

    If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.

    no

    Key Distribution Center (KDC)

    (Required if Kerberos Target Authentication is enabled) This host supplies the session tickets for the user.

    yes

    KDC Port

    (Required if Kerberos Target Authentication is enabled.) The port on which the Kerberos authentication API communicates. By default, Tenable uses 88.

    no yes

    KDC Transport

    (Required if Kerberos Target Authentication is enabled.) The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port as the KDC UDP uses either port 88 or 750 by default, depending on the implementation.

    no yes

    Domain

    (Required if Kerberos Target Authentication is enabled) The domain to which Kerberos Target Authentication belongs, if applicable.

    yes
    Get credential by

    The method with which your CyberArk API credentials are retrieved. Can be Username, Identifier, or Address.

    The method with which your CyberArk API credentials are retrieved. Can be Username, Identifier, Address, or Parameters.

    Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier.

    		 yes
    Account Name (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. no
    Address

    (If Get credential by is Address or Parameters) The address unique to the CyberArk API credential.

    		 no
    Username

    (If Get credential by is Username or Parameters) The username of the CyberArk user to request a password from.

    		 no
    Safe

    The CyberArk safe the credential should be retrieved from.

    		 no

    Use Target IP Address

    (If Get credential by is Parameters) When enabled, the integration appends the target address to the credential query, which limits the query to accounts matching the scan target’s address. This is ignored if Address is set.

    no

    Folder

    (If Get credential by is Parameters) The folder of the credential.

    no

    Database

    (If Get credential by is Parameters) The database of the credential.

    no

    Query

    (If Get credential by is Parameters) Specify a custom “free query” using account properties. When this method is specified, all other search criteria are ignored.

    no

    Query Format

    (If Get credential by is Parameters) Defines the query format. Allowed values are Exact and Regexp. The default is Exact. This value is ignored unless the Query option was specified.

    no

    Use SSL

    If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.

    no

    Verify SSL Certificate

    If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.

    no
    CyberArk credential field mapping to the CyberArk Accounts detail view in the CyberArk console:

    Note: The Username option also adds the Address parameter of the API query and assigns the target IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if the CyberArk Account Details Address field contains a value other than the target IP address.

    Caution: Tenable strongly recommends encrypting communication between the Tenable Security Center scanner and the CyberArk AIM gateway using HTTPS and/or client certificates. For information on securing the connection, refer to Tenable Security Center User Guide and the Central Credential Provider Implementation Guide located at cyberark.com (login required).

  2. Click Submit.
  3. Next, follow the steps for Add the Credential to the Scan.