Configure Tenable.sc for HashiCorp Vault (Database)

In Tenable.sc, you can integrate with HashiCorp Vault using database credentials. Complete the following steps to configure Tenable.sc with HashiCorp Vault using database credentials.

Requirements

Required User Role: Any

  • Tenable.sc account
  • HashiCorp Vault account

Note: HashiCorp Vault provides options for both KV v1 and KV v2. However, Tenable only supports integration with KV v1.

To integrate Tenable.sc with HashiCorp Vault using database credentials:

  1. Log in to Tenable.sc.

  2. Click Scanning > Credentials (administrator users) or Scans > Credentials (organizational users).

    The Credentials page appears.

  3. At the top of the page, click +Add.

    The Add Credential page appears.

  4. Go to the Database section.
  5. Click the database type that you want to use. (IBM DB2, MySQL, Oracle Database, PostgreSQL, or SQL Server)

  6. In the Name box, type a name for the credential.

  7. (Optional) Add a Description.

  8. (Optional) Add a Tag to the credential. For additional information about tags, see the Tags section in the Tenable.sc documentation.

  9. (For Oracle only) Click the Source drop-down to select a source type.

  10. In the Database Credential section, click the Authentication Method drop-down.

  11. Select HashiCorp Vault.

  12. In the Database Credential section, configure the database credentials.

    | Option | Description | Required |
    |---|---|---|
    | Port (Oracle, IBM, MySQL, PostgreSQL, SQL Server) | The port on which Tenable.sc communicates with the database. | yes |
    | SID (MySQL) | The security identifier used to connect to the database. | yes |
    | Authentication (Oracle, SQL Server) | (Oracle) The role type used for the database authentication. (Normal, System Operator, System Database Administrator) (SQL Server) The authentication mode the database uses. (SQL or Windows) | yes |
    | Database Name (IBM, PostgreSQL) | The name of the database. | no |
    | Instance Name (SQL Server) | The SQL server name. | yes |
    | Hashicorp Host | (Required) The HashiCorp Vault IP address or DNS address. Note: If your HashiCorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. | yes |
    | Hashicorp Port | (Required) The port on which HashiCorp Vault listens. | yes |
    | Authentication Type (Oracle, SQL Server) | (Oracle) The role type used for the database authentication. (Normal, System Operator, or System Database Administrator) (SQL Server) The authentication mode the database uses. (SQL or Windows) | yes |
    | Service Type (Oracle) | The unique SID or Service Name that identifies your database. | yes |
    | Service (Oracle) | The SID or Service Name value for your database instance. Note: The Service value must match the Service Type option parameter selection. | yes |
    | Authentication Type | Specifies the authentication type for connecting to the instance: App Role or Certificates. If you select Certificates, additional options for Hashicorp Client Certificate (Required) and Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key. | yes |
    | Role ID | The GUID provided by HashiCorp Vault when you configured your App Role. | yes |
    | Role Secret ID | The GUID generated by HashiCorp Vault when you configured your App Role. | yes |
    | Authentication URL | The URL Tenable.sc uses to access HashiCorp Vault. | yes |
    | Namespace | The name of a specified team in a multi-team environment. | no |
    | KV Engine URL | The URL Tenable.sc uses to access the HashiCorp Vault secrets engine. | yes |
    | Username Source | A drop-down box to specify if the username is input manually or pulled from HashiCorp Vault. | yes |
    | Username | (Only displays if Username Source is selected) The name in HashiCorp Vault that usernames are stored under. | yes |
    | Password Key | The key in HashiCorp Vault that passwords are stored under. | yes |
    | Secret Name | The key secret you want to retrieve values for. | yes |

  13. Click Submit.

    Tenable.sc saves the credential.
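
A pre-flight check for the Vault-side values used in this procedure, added here as an example (not Tenable or HashiCorp code): it performs an AppRole login and a secret read through the Vault HTTP API and reports when the response has the KV v2 shape or lacks the Username or Password Key. It assumes the Authentication URL and KV Engine URL are paths appended to https://host:port and that the secret is read at KV Engine URL/Secret Name; the key names db_user and db_pass and the sample responses are constructed.

```python
import json
import urllib.request

def vault_request(base, path, token=None, namespace=None, payload=None):
    """Build a Vault HTTP API request (POST when a JSON payload is given)."""
    headers = {"Content-Type": "application/json"} if payload is not None else {}
    if token:
        headers["X-Vault-Token"] = token
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    data = json.dumps(payload).encode() if payload is not None else None
    url = base.rstrip("/") + "/" + path.strip("/")
    return urllib.request.Request(url, data=data, headers=headers)

def check_secret(body, password_key, username_key=None):
    """Return a list of problems with a secret read response (empty means OK)."""
    data = body.get("data") or {}
    # A KV v2 read nests the values under data.data next to data.metadata.
    if isinstance(data.get("data"), dict) and "metadata" in data:
        return ["response has the KV v2 shape; Tenable supports KV v1 only"]
    problems = []
    for label, key in (("Username", username_key), ("Password Key", password_key)):
        if key and key not in data:
            problems.append(f"{label} '{key}' not found in secret")
    return problems

def preflight(base, auth_url, kv_engine_url, secret_name, role_id, secret_id,
              password_key, username_key=None, namespace=None):
    """AppRole login, then read the secret and return check_secret() findings."""
    login = vault_request(base, auth_url, namespace=namespace,
                          payload={"role_id": role_id, "secret_id": secret_id})
    with urllib.request.urlopen(login, timeout=10) as resp:
        token = json.load(resp)["auth"]["client_token"]
    # Assumption: the secret is read at <KV Engine URL>/<Secret Name>.
    path = kv_engine_url.rstrip("/") + "/" + secret_name
    read = vault_request(base, path, token, namespace)
    with urllib.request.urlopen(read, timeout=10) as resp:
        return check_secret(json.load(resp), password_key, username_key)

# Constructed sample read responses (not captured from a real Vault server).
KV1_SAMPLE = {"data": {"db_user": "scanner", "db_pass": "example-only"}}
KV2_SAMPLE = {"data": {"data": {"db_user": "scanner", "db_pass": "example-only"},
                       "metadata": {"version": 1}}}

if __name__ == "__main__":
    print(check_secret(KV1_SAMPLE, "db_pass", "db_user"))
    print(check_secret(KV1_SAMPLE, "password", "db_user"))
    print(check_secret(KV2_SAMPLE, "db_pass", "db_user"))
```

The check returns only key names and findings, never the secret values, so its output is safe to paste into a ticket.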