Configure Tenable.io with HashiCorp Vault (Windows and SSH)

Required User Role: Standard, Scan Manager, or Administrator

In Tenable.io, you can integrate with HashiCorp Vault using Windows or SSH credentials. Complete the following steps to configure Tenable.io with HashiCorp Vault using these credentials.

Before you begin:

Ensure you have both a Tenable.io and HashiCorp Vault account.

To integrate Tenable.io with HashiCorp Vault using Windows or SSH credentials:

Log in to Tenable.io.
In the upper-left corner, click the button.

The left navigation plane appears.
In the left navigation plane, click Settings.

The Settings page appears.
Click the Credentials widget.

The Credentials page appears. The credentials table lists the managed credentials you have permission to view.
Click the button next to the Credentials title.

The credential form plane appears.
In the Host section, click SSH or Windows.

The selected credential options appear.
In the Authentication Method drop-down, select HashiCorp Vault.

The HashiCorp Vault options appear.

Configure the HashiCorp Vault credentials.

Windows and SSH Credentials
Option	Description	Required
Hashicorp Vault host	The Hashicorp Vault IP address or DNS address. Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path.	yes
Hashicorp Vault port	The port on which Hashicorp Vault listens.	yes
Authentication Type	Specifies the authentication type for connecting to the instance: App Role or Certificates. If you select Certificates, additional options for Hashicorp Client Certificate( Required) and Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key.	yes
Role ID	The GUID provided by Hashicorp Vault when you configured your App Role.	yes
Role Secret ID	The GUID generated by Hashicorp Vault when you configured your App Role.	yes
Authentication URL	The URL Tenable.io uses to access Hashicorp Vault.	yes
Namespace	The name of a specified team in a multi-team environment.	no
Vault Type	The HashiCorp Vault version: KV1, KV2, or AD. For additional information about HashiCorp Vault versions, see the HashiCorp Vault documentation.	yes
KV1 Engine URL	(KV1) The URL HashiCorp Vault uses to access the KV1 engine.	yes, if you select the KV1 Vault Type
KV2 Engine URL	(KV2) The URL HashiCorp Vault uses to access the KV2 engine.	yes, if you select the KV2 Vault Type
AD Engine URL	(AD) The URL HashiCorp Vault uses to access the active directory engine.	yes, if you select the AD Vault Type
Username Source	(KV1 and KV2) A drop-down box to specify if the username is input manually or pulled from Hashicorp Vault.	yes
Username Key	(KV1 and KV2) The name in Hashicorp Vault that usernames are stored under.	yes
Password Key	(KV1 and KV2) The key in Hashicorp Vault that passwords are stored under.	yes
Secret Name	(KV1, KV2, and AD) The key secret you want to retrieve values for.	yes
Use SSL	If enabled, Tenable.io uses SSL through IIS for secure communications. You must configure SSL through IIS in Hashicorp Vault before enabling this option.	no
Verify SSL Certificate	If enabled, Tenable.io validates the SSL certificate. You must configure SSL through IIS in Hashicorp Vault before enabling this option.	no
Enable for HashiCorp Vault	Enables/disables IBM DataPower Gateway use with HashiCorp Vault.	yes

Click Save.

Tenable.io saves the credential.

What to do next:

Verify the integration is working.

On the My Scans page, click the Launch button to initiate an on-demand scan.
Once the scan completes, click the completed scan.

The scan details appear.

Look for a message similar to the following:
- For Windows: Microsoft Windows SMB Log In Possible: 10394. This results validates that authentication was successful.
- For SSH: Plugin ID 97993 and the corresponding message - It was possible to log into the remote host via SSH using 'password' authentication. This result validates that authentication was successful.