Database (Legacy) Integration

Caution: SOAP requests are no longer supported by CyberArk as of December 31, 2024. If you are using the CyberArk Legacy Integration, which uses SOAP for API requests, Tenable recommends using our non-Legacy CyberArk Integration, which supports REST API requests.

To configure database integration:

  1. Log in to Tenable Vulnerability Management.

  2. Click Scans.

    The My Scans page appears.

  3. Click + New Scan.

    The Scan Templates page appears.

  4. Select a Scan Template. For demonstration, the Advanced Network Scan template is used.

    The scan configuration page appears.

  5. In the Name box, type a name for the scan.
  6. In the Targets box, type an IP address, hostname, or range of IP addresses.
  7. (Optional) Add a description, folder location, scanner location, and specify target groups.

  8. Click the Credentials tab.

    The Credentials pane appears.

  9. Click the Database option.

    The Database options appear.

  10. From the Database Type drop-down, select Oracle.

  11. From the Auth Type drop-down, select CyberArk.

    The CyberArk field options appear.

  12. Configure each field for the Database authentication.

| Option | Database Types | Description | Required |
|---|---|---|---|
| Username | All | The target system’s username. | yes |
| Central Credential Provider Host | All | The CyberArk Central Credential Provider IP/DNS address. | yes |
| Central Credential Provider Port | All | The port on which the CyberArk Central Credential Provider is listening. | yes |
| CyberArk AIM Service URL | All | The URL of the AIM service. By default, this field uses /AIMWebservice/v1.1/AIM.asmx. | no |
| Central Credential Provider Username | All | If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication. | no |
| Central Credential Provider Password | All | If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication. | no |
| CyberArk Safe | All | The safe on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve. | no |
| CyberArk Client Certificate | All | The file that contains the PEM certificate used to communicate with the CyberArk host. | no |
| CyberArk Client Certificate Private Key | All | The file that contains the PEM private key for the client certificate. | no |
| CyberArk Client Certificate Private Key Passphrase | All | The passphrase for the private key, if your authentication implementation requires it. | no |
| CyberArk AppId | All | The AppId that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password. | yes |
| CyberArk Folder | All | The folder on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve. | no |
| CyberArk Account Details Name | All | The unique name of the credential you want to retrieve from CyberArk. | yes |
| PolicyId | All | The PolicyID assigned to the credentials that you want to retrieve from the CyberArk Central Credential Provider. | no |
| Use SSL | All | If the CyberArk Central Credential Provider is configured to support SSL through IIS, select this option for secure communication. | no |
| Verify SSL Certificate | All | If CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate, select this option. Refer to the custom_CA.inc documentation for how to use self-signed certificates. | no |
| Database Port | All | The port on which Tenable Security Center communicates with the database. | yes |
| Database Name | DB2, PostgreSQL | The name of the database. | no |
| Auth type | Oracle, SQL Server, Sybase ASE | SQL Server values include: Windows, SQL; Oracle values include: ; Sybase ASE values include: RSA, Plain Text | yes |
| Instance Name | SQL Server | The name for your database instance. | no |
| Service type | Oracle | Valid values include: SID, SERVICE_NAME | yes |
| Service | Oracle | The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. | no |

Caution: Tenable strongly recommends encrypting communication between your on-site scanner and the CyberArk AIM gateway using HTTPS and/or client certificates. For information on securing the connection, refer to the Tenable Vulnerability Management User Guide and the Central Credential Provider Implementation Guide located at cyberark.com (login required).

  13. Click Save.
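
A pre-save check of the values entered in step 12, written as an added example (not Tenable or CyberArk code): it flags missing required fields, half-filled field pairs, and the transport settings the Caution above warns about. The dictionary layout and all sample values are assumptions made for illustration; only the field labels come from the table. Auth type is left out because the page does not list its Oracle values.

```python
# Field labels follow the table above; the dict layout is an assumption
# made for this example and is not a Tenable API payload.
REQUIRED = [
    "Username", "Central Credential Provider Host",
    "Central Credential Provider Port", "CyberArk AppId",
    "CyberArk Account Details Name", "Database Port", "Service type",
]
# Fields that only make sense when supplied together.
PAIRS = [
    ("Central Credential Provider Username", "Central Credential Provider Password"),
    ("CyberArk Client Certificate", "CyberArk Client Certificate Private Key"),
]


def lint_cyberark_oracle(cfg):
    """Return a list of (severity, message) findings for one credential entry."""
    findings = []
    for name in REQUIRED:
        if cfg.get(name) in (None, ""):
            findings.append(("error", f"missing required field: {name}"))
    for a, b in PAIRS:
        if bool(cfg.get(a)) != bool(cfg.get(b)):
            findings.append(("error", f"'{a}' and '{b}' must be set together"))
    svc_type = cfg.get("Service type")
    if svc_type and svc_type not in ("SID", "SERVICE_NAME"):
        findings.append(("error", "Service type must be SID or SERVICE_NAME"))
    # Transport checks, following the Caution about HTTPS and client certificates.
    if not cfg.get("Use SSL"):
        findings.append(("warn", "Use SSL is off: the retrieved password crosses the network unencrypted"))
        if cfg.get("Central Credential Provider Password"):
            findings.append(("warn", "basic authentication credentials would be sent without SSL"))
    elif not cfg.get("Verify SSL Certificate"):
        findings.append(("warn", "Verify SSL Certificate is off: the provider's identity is not checked"))
    return findings


# Constructed sample values (not real hosts, accounts or secrets).
weak = {"Username": "scan_svc", "Central Credential Provider Host": "ccp.example.internal",
        "Central Credential Provider Port": "80", "CyberArk AppId": "ExampleAppId",
        "CyberArk Account Details Name": "example-oracle-account", "Database Port": "1521",
        "Service type": "SID", "Central Credential Provider Username": "ccp_user",
        "Central Credential Provider Password": "example-only"}
hardened = dict(weak, **{"Central Credential Provider Port": "443", "Use SSL": True,
                         "Verify SSL Certificate": True})

if __name__ == "__main__":
    for label, cfg in (("weak", weak), ("hardened", hardened)):
        print(label, lint_cyberark_oracle(cfg))
```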