Frequently Asked Questions (FAQ)
How many API requests does the integration make?
The number of requests depends on the value of Get Credential By, and on how the scan is “chunked.” For example, getting a credential by username gets a separate credential for each target, but getting a credential by identifier gets a single credential for all targets. However, in this latter case, the request is repeated for each scan chunk.
Do you support Privilege Cloud or ISPSS?
Privilege Cloud is supported in the current integration as long as the customer has deployed the Central Credential Provider (CCP). The CCP is required for the current integration. Tenable plans to release support for ISPSS through an integration with CyberArk Secrets Manager (formerly known as “Conjur”).
The API call said “server did not respond to request.”
This may be caused by several issues.
- The scanner may be unable to connect to the CyberArk server. Try checking connectivity with ping or curl commands.
- Windows Server 2022 and newer do not support TLS 1.3 with Client Certificates. Try disabling TLS 1.3.
- The scanner may be unable to verify the CyberArk server’s SSL certificate. Try importing the signing certificate authority (CA) as a custom CA, or disable “verify SSL” in the credential.
- There may be a problem with the file format of the client certificate. Make sure that certificate and private key are separate files and in .pem format, not pfx format.
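The checks above can be run before opening a support case. The following Python pre-flight script is an added example, not part of Tenable's documentation or the integration itself: it classifies the client certificate and key files (separate PEM files versus a combined file or a PKCS#12/.pfx export) and builds the curl command for a manual probe that mirrors the credential's TLS options (custom CA, “verify SSL” off, TLS 1.2 cap for the Windows Server 2022 issue). The sample file contents, the host name and the AppID placeholder are constructed; the curl flags are standard curl options.

```python
from typing import List, Optional

# PEM markers the check looks for. A DER or PKCS#12 (.pfx) file has no text
# header; it starts with an ASN.1 SEQUENCE, encoded as 0x30 0x82 for typical sizes.
PEM_CERT_MARKER = b"-----BEGIN CERTIFICATE-----"
PEM_KEY_MARKERS = (
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
)


def classify_cert_file(data: bytes) -> str:
    """Classify file content as 'certificate', 'private-key', 'certificate+key',
    'pfx-or-der' or 'unknown'."""
    if data[:2] == b"\x30\x82":
        return "pfx-or-der"
    has_cert = PEM_CERT_MARKER in data
    has_key = any(marker in data for marker in PEM_KEY_MARKERS)
    if has_cert and has_key:
        return "certificate+key"
    if has_cert:
        return "certificate"
    if has_key:
        return "private-key"
    return "unknown"


def check_client_cert_pair(cert_data: bytes, key_data: bytes) -> List[str]:
    """Return the problems found with the certificate/key pair, or [] when the
    pair is what the credential expects: two separate PEM files."""
    problems = []
    cert_kind = classify_cert_file(cert_data)
    key_kind = classify_cert_file(key_data)
    for label, kind in (("certificate", cert_kind), ("private key", key_kind)):
        if kind == "pfx-or-der":
            problems.append(f"{label} file is PKCS#12/DER, not PEM; export it as a .pem file")
    if cert_kind == "certificate+key" or key_kind == "certificate+key":
        problems.append("certificate and private key are in one file; split them into separate .pem files")
    if cert_kind == "unknown":
        problems.append("certificate file has no PEM certificate")
    if key_kind == "unknown":
        problems.append("private key file has no PEM private key")
    if cert_kind == "private-key" or key_kind == "certificate":
        problems.append("certificate and private key files look swapped")
    return problems


def curl_probe_command(base_url: str, cert_file: str, key_file: str,
                       ca_file: Optional[str] = None, verify_ssl: bool = True,
                       cap_tls12: bool = False) -> List[str]:
    """argv for a manual curl probe of the CCP base URL that mirrors the
    credential's TLS options. The AppID is a placeholder: the goal here is to
    see whether the TLS handshake and HTTP exchange complete at all."""
    cmd = ["curl", "-sS", "-v", "--cert", cert_file, "--key", key_file]
    if cap_tls12:
        cmd += ["--tls-max", "1.2"]      # work around the TLS 1.3 client-cert issue
    if not verify_ssl:
        cmd.append("-k")                 # same effect as disabling "verify SSL"
    elif ca_file:
        cmd += ["--cacert", ca_file]     # trust the custom signing CA
    cmd.append(f"{base_url.rstrip('/')}/Accounts?AppID=APPID_PLACEHOLDER")
    return cmd


# Constructed sample contents (no real key material): a PEM-looking certificate,
# a PEM-looking key, and the first bytes of a PKCS#12 export.
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n"
SAMPLE_PFX = b"\x30\x82\x0a\x2f\x02\x01\x03\x30\x82\x09\xf5"

if __name__ == "__main__":
    for name, cert, key in (("good pair", SAMPLE_CERT, SAMPLE_KEY),
                            ("pfx as cert", SAMPLE_PFX, SAMPLE_KEY),
                            ("combined file", SAMPLE_CERT + SAMPLE_KEY, SAMPLE_KEY)):
        print(name, "->", check_client_cert_pair(cert, key) or "OK")
    print(" ".join(curl_probe_command("https://cyberark.example.com/AIMWebService/api",
                                      "client.pem", "client-key.pem",
                                      ca_file="corp-ca.pem", cap_tls12=True)))
```

Run the printed curl command from the scanner host itself, since the point is the scanner's own path to the CCP; a handshake failure there, not a CCP error body, is what points at the items in the list above.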
The error “Password object matching query [...] was not found” appears in the debug log.
This error means that the supplied query parameters did not match an account in CyberArk. It can be caused by many different things, but it usually means that the supplied query parameters were incorrect. To resolve this issue:
- Review the exact query parameters that were entered in the credential. Review the debug log to see the exact API call that the integration used.
- Determine if Safe needs to be specified, or if it can be omitted.
- Check if the Application has appropriate permissions.
The error “Too many password objects matching query [...] were found” appears in the debug log.
The CCP GetPassword endpoint can only return a single object, but the supplied query parameters were not specific enough to identify one. Try refining the query parameters, or use “Get Credential By”: Identifier.
A generic HTTP 404 error appears in the logs with HTML in the response body.
This is likely due to an incorrect base URL. In the credential, enter the full URL in the CyberArk Host field including the trailing “/subdirectory/AIMWebService/api” part.
Does the integration use FQDN or IP?
It depends on what was entered as the scan target. If the scan target is an IP, then the integration looks for CyberArk accounts matching the IP. If it was an FQDN, then the integration looks for accounts matching the FQDN. If using “Get Credential By”: Identifier, then the integration disregards FQDN and IP and uses the account with the specified Account Name.
The scan successfully connected to CyberArk but the authentication is still failing.
Review Integration Status to check the success of the integration itself (i.e., did it get a password?). If authentication is failing, this is usually due to:
- Retrieved password/key is incorrect.
- Retrieved password/key is in the wrong format (CyberArk does not support encrypted SSH keys).
- Password rotation occurring before the scan is done using it.
- Issue in the target operating system environment (review ssh_get_info2.log).
Do you support Windows domain accounts?
Tenable recommends configuring Windows domain accounts with a template that supports the “LogonDomain” or “Log on to” field, so that the domain can be retrieved from CyberArk.
What goes in the host field?
Users can enter either the host IP/FQDN or the full base URL (e.g., https://cyberark.corp.customer.com/AIMWebService/api).
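The host field, the HTML 404 from a wrong base URL, the IP-versus-FQDN matching and the request count from the first question all come down to how the integration turns credential settings into CCP calls. The Python below is an added example of that mapping, written for this FAQ and not taken from the integration's code: it normalizes the host field into a CCP base URL (a bare IP/FQDN is assumed to mean https with the default /AIMWebService/api path), rejects a full URL that lacks the trailing path, builds the query for the two “Get Credential By” modes, and estimates requests per scan from the chunk size. The query parameter names (AppID, Safe, Object, Address, UserName) follow CyberArk's CCP REST documentation; that the integration maps its fields onto them exactly this way is an assumption, and the host names, safe and account names are constructed.

```python
from math import ceil
from typing import Dict, List, Optional
from urllib.parse import urlencode, urlsplit, urlunsplit

# Default CCP path on a standard deployment. A customer deployment may put the
# web service under a subdirectory, which the host field must then include.
CCP_API_PATH = "/AIMWebService/api"


def ccp_base_url(host_field: str) -> str:
    """Turn the credential's CyberArk Host field into the CCP base URL.

    A bare IP/FQDN gets https and the default path (assumption). A full URL is
    used as given but must already end in .../AIMWebService/api; otherwise the
    request lands on the web server root and comes back as an HTML 404.
    """
    value = host_field.strip().rstrip("/")
    if "://" not in value:
        return f"https://{value}{CCP_API_PATH}"
    parts = urlsplit(value)
    path = parts.path.rstrip("/")
    if not path.endswith(CCP_API_PATH):
        raise ValueError(
            f"base URL {value!r} does not end in {CCP_API_PATH}; "
            "expect an HTML 404 from the web server instead of a CCP response"
        )
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def build_account_query(get_by: str, target: str, app_id: str,
                        safe: Optional[str] = None, identifier: Optional[str] = None,
                        username: Optional[str] = None) -> Dict[str, str]:
    """Query-string parameters for GET {base}/Accounts (CCP GetPassword).

    get_by="username": the account is matched on Address (the scan target
    exactly as entered, IP or FQDN) plus UserName.
    get_by="identifier": the account is matched on Object (the account name)
    and the target is disregarded.
    """
    params = {"AppID": app_id}
    if safe:                       # optional; see "Determine if Safe needs to be specified"
        params["Safe"] = safe
    if get_by == "identifier":
        if not identifier:
            raise ValueError("Get Credential By: Identifier needs an account name")
        params["Object"] = identifier
    elif get_by == "username":
        if not username:
            raise ValueError("Get Credential By: Username needs a username")
        params["Address"] = target
        params["UserName"] = username
    else:
        raise ValueError(f"unknown Get Credential By mode: {get_by!r}")
    return params


def getpassword_url(host_field: str, get_by: str, target: str, app_id: str, **kw) -> str:
    """Full URL the scanner would request for one target; compare with the debug log."""
    query = urlencode(build_account_query(get_by, target, app_id, **kw))
    return f"{ccp_base_url(host_field)}/Accounts?{query}"


def estimate_requests(get_by: str, targets: List[str], chunk_size: int) -> int:
    """Requests per scan as the FAQ describes them: one per target when getting
    by username, one per scan chunk when getting by identifier."""
    if chunk_size < 1:
        raise ValueError("chunk_size must be at least 1")
    if get_by == "username":
        return len(targets)
    if get_by == "identifier":
        return ceil(len(targets) / chunk_size)
    raise ValueError(f"unknown Get Credential By mode: {get_by!r}")


if __name__ == "__main__":
    # Constructed values: a scanner AppID, one safe, ten targets, chunks of four.
    targets = [f"10.0.0.{i}" for i in range(1, 11)]
    print(getpassword_url("cyberark.corp.customer.com", "username", targets[0],
                          "TenableScanner", safe="UnixRoot", username="root"))
    print(getpassword_url("https://cyberark.corp.customer.com/pam/AIMWebService/api/",
                          "identifier", targets[0], "TenableScanner", identifier="linux-root-prod"))
    for mode in ("username", "identifier"):
        print(mode, "->", estimate_requests(mode, targets, 4), "requests")
```

When the debug log shows a “Password object matching query [...] was not found” error, the URL printed by getpassword_url for the failing target is the one to compare against the account's Address, UserName and Object properties in CyberArk.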
When does the integration collect credentials?
The integration collects credentials at the start of a scan, as part of the “settings” plugin for the respective authentication type. When using auto-discovery, target hosts are also collected at the start of a scan. Review the “Plugin Families and Plugins” section for more detail.
Where are the logs?
Refer to the Debug Log Reporting section in the Scan Results Review page.
How does privilege escalation work?
Privilege escalation over SSH allows users to optionally specify a second account that contains the escalation password. In some cases (for example, sudo), the scan would use the same password for escalation as it would for login, in which case the escalation account does not need to be specified. In other cases (for example, su) the scan would need a different escalation password from the login password. In this case, users may specify the account containing this separate password. When necessary, users may also specify the account (username) to escalate to.
Note that sudo is the only supported privilege escalation method with Auto-Discovery.
How does passwordless SSH work?
The CyberArk integration can use either a password or SSH private key to authenticate. In the case of SSH private keys, the integration automatically detects if the received object is an SSH key. The integration does not support passphrase-encrypted private keys, because these are not currently supported by CyberArk. If using passwordless SSH in combination with privilege escalation, a separate escalation account may be specified, which contains the escalation password if necessary. Otherwise, the scan uses passwordless escalation.
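Two of the failure modes listed earlier (“retrieved password/key in wrong format” and encrypted SSH keys) come down to recognizing what kind of object the CCP returned. The following Python is an added example of such a classifier, written for this FAQ and not the integration's own detection logic: it tells a password apart from a PEM or OpenSSH private key and, for the OpenSSH format, parses the openssh-key-v1 header to see whether a cipher is set, which is what marks the key as passphrase-encrypted. The sample key blobs are constructed header-only blobs with no real key material.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_ssh_string(buf: bytes, offset: int):
    """Read one SSH wire string: uint32 big-endian length followed by the bytes."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def openssh_cipher_name(pem_text: str) -> str:
    """Cipher name recorded in an OPENSSH PRIVATE KEY blob: "none" when the
    key is stored in the clear, otherwise e.g. "aes256-ctr"."""
    body = "".join(line for line in pem_text.splitlines() if not line.startswith("-----"))
    raw = base64.b64decode(body)
    if not raw.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, _ = _read_ssh_string(raw, len(OPENSSH_MAGIC))
    return cipher.decode("ascii")


def classify_secret(secret: str) -> str:
    """Return 'password', 'ssh-key' or 'encrypted-ssh-key' for a retrieved object."""
    text = secret.strip()
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        return "ssh-key" if openssh_cipher_name(text) == "none" else "encrypted-ssh-key"
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text or "Proc-Type: 4,ENCRYPTED" in text:
        return "encrypted-ssh-key"     # PKCS#8 encrypted, or legacy PEM with DEK-Info
    if "PRIVATE KEY-----" in text:
        return "ssh-key"               # PEM-wrapped RSA/EC/PKCS#8 key in the clear
    return "password"


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def constructed_openssh_blob(cipher: bytes, kdf: bytes) -> str:
    """Constructed openssh-key-v1 header (magic, ciphername, kdfname, empty
    kdfoptions, key count) wrapped in PEM armor. Not a usable key."""
    raw = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(raw).decode("ascii")
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples: an unencrypted and an encrypted OpenSSH blob, a legacy
# PEM key with a passphrase, and a plain password.
SAMPLE_PLAIN_OPENSSH = constructed_openssh_blob(b"none", b"none")
SAMPLE_ENCRYPTED_OPENSSH = constructed_openssh_blob(b"aes256-ctr", b"bcrypt")
SAMPLE_ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                        "constructed\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PASSWORD = "S3cret-Pa55word!"

if __name__ == "__main__":
    for label, value in (("openssh", SAMPLE_PLAIN_OPENSSH), ("openssh+passphrase", SAMPLE_ENCRYPTED_OPENSSH),
                         ("pem+passphrase", SAMPLE_ENCRYPTED_PEM), ("password", SAMPLE_PASSWORD)):
        print(f"{label:20} -> {classify_secret(value)}")
```

An object that classifies as encrypted-ssh-key will never authenticate through this integration, so the fix is on the CyberArk side (store the key without a passphrase) rather than in the scan settings.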
How does the “Import” type credential work?
This option is only available with the CyberArk (Legacy) integration, which uses the CyberArk SOAP API and is currently deprecated by CyberArk. Tenable recommends using Auto-Discovery instead.
The Import/Entry options are an alternative way of specifying different target hosts and their respective credentials.
First, a user must specify parameters such as CyberArk Host, Port, and Client Certificate in a “Type: Entry” credential. Second, a user must create a “Type: Import” credential and upload a comma-separated value (CSV) file containing extra parameters such as Target Host and CyberArk Object ID. This allows each row in the CSV file to function as its own, target-specific credential.
In Tenable Security Center, the “Import” type credential must be created after the “Entry” type credential.
What IP(s) do I need to whitelist on the CyberArk side?
All communication occurs between the PAM and the scanner. Therefore, focus on allowing scanner IP addresses.