Configure Tenable Nessus with HashiCorp Vault (IBM DataPower Gateway)

Required User Role: Standard, Scan Manager, or Administrator

To support HashiCorp Vault deployments secured behind IBM DataPower Gateway, configure an IBM DataPower Gateway credential alongside your HashiCorp Vault credential within the same scan. Both credentials work together: the DataPower Gateway credential enables Tenable Nessus to authenticate through the gateway, while the Vault credential handles authentication to the vault itself. The DataPower Gateway credential requires a client certificate and private key to establish a secure connection with the gateway. This dual-credential configuration is typically used in specialized enterprise environments where DataPower Gateway is deployed as a security proxy in front of HashiCorp Vault.

Complete the following steps to configure Tenable Nessus with IBM DataPower Gateway credentials.

  1. Log in to your Tenable Nessus user interface.

  2. In the left navigation pane, click Scans.

    The Scans page appears.

  3. In the upper-right corner of the page, click the Create a Scan button.

    The Select a Scan Template page appears.

  4. Select a scan template.

    The scan configuration page appears.

  5. In the Name box, type a name for the scan.

  6. In the Targets box, type an IP address, hostname, or range of IP addresses.

  7. (Optional) Add a description, folder location, scanner location, and specify target groups.

  8. Click the Credentials tab.

    The Credentials pane appears.

  9. Under API Gateway, click IBM DataPower Gateway.

    The IBM DataPower Gateway options appear.

  10. Configure each option for Database authentication.

| Option | Description | Required |
|---|---|---|
| Client Certificate | The PEM-format client certificate file used for certificate-based authentication to HashiCorp Vault. | Yes |
| Client Certificate Private Key | The PEM-format private key file corresponding to the Client Certificate. | Yes |
| Client Certificate Private Key Passphrase | The passphrase protecting the private key, if the Client Certificate Private Key is encrypted. | Yes |
| Custom Header Key | The optional custom header key that is added to the API request. | No |
| Custom Header Value | The value of the custom header key. | No |
| Enable for HashiCorp Vault | Enables/disables IBM DataPower Gateway use with HashiCorp Vault. | Yes |

  11. Do one of the following:

    • If you want to save without launching the scan, click Save.

    • If you want to save and launch the scan immediately, click Save & Launch.

    Note: If you scheduled the scan to run at a later time, the Save & Launch option is not available.
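
A mismatched key, a wrong passphrase, or an expired certificate in the step 10 options only surfaces once the scan tries to reach the gateway, so it is worth checking the PEM files locally before uploading them. The following script is an added example, not part of the Tenable documentation; it assumes the `openssl` CLI is installed, and the function names, file names, and exit codes are hypothetical.

```bash
#!/usr/bin/env bash
# Pre-flight check for the PEM files used in the IBM DataPower Gateway
# credential (Client Certificate, Private Key, Passphrase).
# Added example: function names, paths and exit codes are assumptions.

# check_gateway_cred CERT_PEM KEY_PEM PASSPHRASE
# Returns: 0 usable, 1 certificate is not PEM X.509,
#          2 key cannot be read with the passphrase,
#          3 key does not correspond to the certificate, 4 certificate expired.
check_gateway_cred() {
  local cert=$1 key=$2 cert_pub key_pub
  # Public key embedded in the certificate (fails if not a PEM certificate).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  # Public key derived from the private key. The passphrase is passed through
  # the environment so it does not show up in the process argument list.
  key_pub=$(GW_KEY_PASS=$3 openssl pkey -in "$key" -passin env:GW_KEY_PASS \
            -pubout 2>/dev/null) || return 2
  # The two public keys must be identical for the pair to be usable.
  [ "$cert_pub" = "$key_pub" ] || return 3
  # -checkend 0 fails when the certificate has already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 4
  return 0
}

# make_sample_cred PREFIX PASSPHRASE
# Writes a constructed, throwaway self-signed pair (PREFIX.crt, PREFIX.key with
# an encrypted key) for trying the check; never use it as a real credential.
make_sample_cred() {
  SAMPLE_PASS=$2 openssl req -x509 -newkey rsa:2048 -days 1 \
    -subj "/CN=nessus-scanner.example" -passout env:SAMPLE_PASS \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# When called with three arguments, check the given files and report the code.
if [ "$#" -eq 3 ]; then
  check_gateway_cred "$@"
  echo "check_gateway_cred exit code: $?"
fi
```

Exit code 0 means the certificate parses, the passphrase unlocks the key, the key corresponds to the certificate, and the certificate has not expired.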