Database Integration
To configure database integration:
-
Log in to Tenable.io.
-
Click Scans.
The My Scans page appears.
-
Click + New Scan.
The Scan Templates page appears.
-
Select a Scan Template. For demonstration, the Advanced Network Scan template is used.
The scan configuration page appears.
- In the Name box, type a name for the scan.
- In the Targets box, type an IP address, hostname, or range of IP addresses.
-
(Optional) Add a description, folder location, scanner location, and specify target groups.
-
Click the Credentials tab.
The Credentials pane appears.
-
Click the Database option.
The Database options appear.
-
From the Database Type drop-down, select Oracle.
-
From the Auth Type drop-down, select CyberArk.
The CyberArk field options appear.
-
Configure each field for the Database authentication.
Option Description Required CyberArk Host
The IP address or FQDN name for the CyberArk AIM Web Service. This can be the host, or the host with a custom URL added on in a single string.
yes
Port
The port on which the CyberArk API communicates. By default, Tenable uses 443.
yes
AppID
The Application ID associated with the CyberArk API connection.
yes
Client Certificate The file that contains the PEM certificate used to communicate with the CyberArk host. no
Client Certificate Private Key The file that contains the PEM private key for the client certificate. yes, if private key is applied
Client Certificate Private Key Passphrase The passphrase for the private key, if required. yes, if private key is applied
Get credential by The method with which your CyberArk API credentials are retrieved. Can be Username, Identifier, or Address.
Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier.
Note: The Username option also adds the Address parameter of the API query and assigns the target IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if the CyberArk Account Details Address field contains a value other than the target IP address.
yes Username (If Get credential by is Username) The username of the CyberArk user to request a password from.
no Safe The CyberArk safe the credential should be retrieved from.
no Account Name (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. no Use SSL
If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.
no
Verify SSL Certificate
If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.
no
Caution: Tenable strongly recommends encrypting communication between your on-site scanner and the CyberArk AIM gateway using HTTPS and/or client certificates. For information on securing the connection, refer to the Tenable.io User Guide and the Central Credential Provider Implementation Guide located at cyberark.com (login required).
- Click Save.