Configure Tenable Security Center for HashiCorp Vault (Database)

Required User Role: Any

In Tenable Security Center, you can integrate with HashiCorp Vault using database credentials. Complete the following steps to configure Tenable Security Center with HashiCorp Vault using database credentials.

Before you begin:

  • Ensure you have both a Tenable Security Center and HashiCorp Vault account.

To integrate Tenable Security Center with HashiCorp Vault using database credentials:

  1. Log in to Tenable Security Center.

  2. Click Scanning > Credentials (administrator users) or Scans > Credentials (organizational users).

    The Credentials page appears.

  3. At the top of the page, click +Add.

    The Add Credential page appears.

  4. In the Database section, click the database type that you want to use (IBM DB2, MySQL, Oracle Database, PostgreSQL, or SQL Server).

  5. In the Name box, type a name for the credential.

  6. (Optional) Add a Description.

  7. (Optional) Add a Tag to the credential. For additional information about tags, see the Tags section in the Tenable Security Center documentation.

  8. (For Oracle only) Click the Source drop-down to select a source type.

  9. In the database credential section, click the Authentication Method drop-down.

  10. Select HashiCorp Vault.

  11. In the Database Credential section, configure the database credentials:

    | Option | Credential | Description | Required |
    |---|---|---|---|
    | Port | Oracle Database, IBM DB2, MySQL, PostgreSQL, SQL Server | The port on which Tenable Security Center communicates with the database. | yes |
    | SID | MySQL | The security identifier used to connect to the database. | yes |
    | Database Name | IBM DB2, PostgreSQL | The name of the database. | no |
    | Instance Name | SQL Server | The SQL server name. | yes |
    | Hashicorp Host | All | The Hashicorp Vault IP address or DNS address. Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. | yes |
    | Hashicorp Port | All | The port on which Hashicorp Vault listens. | yes |
    | Service Type | Oracle Database | The unique SID or Service Name that identifies your database. | yes |
    | Service | Oracle Database | The SID or Service Name value for your database instance. Note: The Service value must match the Service Type option parameter selection. | yes |
    | Authentication Type | All | Specifies the authentication type for connecting to the instance: App Role or Certificates. | yes |
    | Client Cert | All | If Authentication Type is Certificates, the client certificate file you want to use to authenticate the connection. | yes |
    | Private Key | All | If Authentication Type is Certificates, the private key file associated with the client certificate you want to use to authenticate the connection. | yes |
    | Role ID | All | The GUID provided by Hashicorp Vault when you configured your App Role. | yes |
    | Role Secret ID | All | The GUID generated by Hashicorp Vault when you configured your App Role. | yes |
    | Authentication URL | All | The path/subdirectory to the authentication endpoint. This is not the full URL. For example: /v1/auth/approle/login | yes |
    | Namespace | All | The name of a specified team in a multi-team environment. | no |
    | Hashicorp Vault Type | All | The type of Hashicorp Vault secrets engine: KV1 (Key/Value Secrets Engine Version 1), KV2 (Key/Value Secrets Engine Version 2), or AD (Active Directory). | yes |
    | KV Engine URL | All | The URL Tenable Security Center uses to access the Hashicorp Vault secrets engine. Example: /v1/path_to_secret. No trailing / | yes |
    | Username Source | All | (Only displays if Hashicorp Vault Type is KV1 or KV2) Specifies if the username is input manually or pulled from Hashicorp Vault. | yes |
    | Username key | All | (Only displays if Hashicorp Vault Type is KV1 or KV2) The name in Hashicorp Vault that usernames are stored under. | no |
    | Username | All | (Only displays if Username Source is Manual Entry) The name in Hashicorp Vault that usernames are stored under. | yes |
    | Password key | All | (Only displays if Hashicorp Vault Type is KV1 or KV2) The key in Hashicorp Vault that passwords are stored under. | no |
    | Secret Name | All | The key secret you want to retrieve values for. | yes |
    | Use SSL | All | When enabled, Tenable Security Center uses SSL for secure communications. You must configure SSL in Hashicorp Vault before enabling this option. | no |
    | Verify SSL | All | When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL in Hashicorp Vault before enabling this option. | no |
  12. Click Submit.

    Tenable Security Center saves the credential.
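The credential fields above describe two Vault HTTP calls: an AppRole login at the Authentication URL (Role ID and Role Secret ID in the body, Namespace as a header) that yields a client token, and a read of the Secret Name under the KV Engine URL using that token, after which the Username key and Password key are picked out of the response. The script below is an added example, not Tenable's or HashiCorp's own code, that builds those two requests from a settings object mirroring the table and parses the responses for both KV1 and KV2 layouts, including the subdirectory form of Hashicorp Host and the effect of Verify SSL on the TLS context. The class and function names, the hostnames, and the sample responses are assumptions constructed for the example; whether the KV v2 "data/" path segment belongs in the KV Engine URL field is also an assumption to check against your own Vault.

```python
"""
Added example (not Tenable's or HashiCorp's code): the AppRole login and
KV read that a HashiCorp Vault database credential implies. Responses are
constructed inline so the module runs offline; names are assumptions.
"""
import json
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass
class VaultSettings:
    """Mirror of the credential fields in the table (assumed names)."""
    host: str                 # Hashicorp Host; may carry a subdirectory, e.g. "10.0.0.5/vault"
    port: int                 # Hashicorp Port
    auth_url: str             # Authentication URL, e.g. "/v1/auth/approle/login"
    kv_engine_url: str        # KV Engine URL, e.g. "/v1/path_to_secret", no trailing "/"
    vault_type: str           # "KV1" or "KV2"
    username_key: str         # Username key
    password_key: str         # Password key
    namespace: Optional[str] = None  # Namespace
    use_ssl: bool = True      # Use SSL
    verify_ssl: bool = True   # Verify SSL


def base_url(s: VaultSettings) -> str:
    """scheme://host:port, with any subdirectory from the host field appended after the port."""
    scheme = "https" if s.use_ssl else "http"
    hostname, _, subdir = s.host.partition("/")
    url = f"{scheme}://{hostname}:{s.port}"
    subdir = subdir.strip("/")
    return f"{url}/{subdir}" if subdir else url


def tls_context(s: VaultSettings) -> Optional[ssl.SSLContext]:
    """Verify SSL off disables chain and hostname checks, so the peer is not authenticated."""
    if not s.use_ssl:
        return None
    ctx = ssl.create_default_context()
    if not s.verify_ssl:
        ctx.check_hostname = False       # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def vault_headers(s: VaultSettings, token: Optional[str] = None) -> dict:
    """Vault takes the namespace and the client token from request headers."""
    headers = {"Content-Type": "application/json"}
    if s.namespace:
        headers["X-Vault-Namespace"] = s.namespace
    if token:
        headers["X-Vault-Token"] = token
    return headers


def approle_login_request(s: VaultSettings, role_id: str, secret_id: str):
    """AppRole login: POST {role_id, secret_id} to the Authentication URL."""
    body = {"role_id": role_id, "secret_id": secret_id}
    return base_url(s) + s.auth_url, vault_headers(s), body


def token_from_login(response: dict) -> str:
    """Vault returns the client token at auth.client_token."""
    return response["auth"]["client_token"]


def secret_read_request(s: VaultSettings, token: str, secret_name: str):
    """GET <KV Engine URL>/<Secret Name> with the token from the login."""
    return f"{base_url(s)}{s.kv_engine_url}/{secret_name}", vault_headers(s, token)


def credentials_from_secret(s: VaultSettings, response: dict):
    """KV v1 puts the key/value pairs in data; KV v2 nests them in data.data."""
    data = response["data"]
    if s.vault_type == "KV2":
        data = data["data"]
    return data[s.username_key], data[s.password_key]


def http_json(url: str, headers: dict, body: Optional[dict], ctx: Optional[ssl.SSLContext]):
    """Real transport (not exercised offline): JSON request body in, JSON response out."""
    payload = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=payload, headers=headers,
                                 method="POST" if payload else "GET")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses in the shape Vault returns; not real tokens or secrets.
LOGIN_RESPONSE = {"auth": {"client_token": "hvs.CONSTRUCTED-EXAMPLE-TOKEN", "lease_duration": 3600}}
KV1_RESPONSE = {"data": {"db_user": "scanner", "db_pass": "constructed-password"}}
KV2_RESPONSE = {"data": {"data": {"db_user": "scanner", "db_pass": "constructed-password"},
                         "metadata": {"version": 3}}}

# Constructed settings: KV v2 reads go through /v1/<mount>/data/<secret>, so the
# "data" segment is placed in the KV Engine URL here (an assumption about the field).
SETTINGS = VaultSettings(host="vault.example.internal/vault", port=8200,
                         auth_url="/v1/auth/approle/login", kv_engine_url="/v1/tenable/data",
                         vault_type="KV2", username_key="db_user", password_key="db_pass",
                         namespace="scanning")

if __name__ == "__main__":
    url, headers, body = approle_login_request(SETTINGS, "ROLE-ID-PLACEHOLDER", "SECRET-ID-PLACEHOLDER")
    token = token_from_login(LOGIN_RESPONSE)          # offline: would be http_json(url, headers, body, tls_context(SETTINGS))
    url2, headers2 = secret_read_request(SETTINGS, token, "oracle-prod")
    user, _password = credentials_from_secret(SETTINGS, KV2_RESPONSE)
    print(url, url2, user)                            # the password is deliberately not printed
```

Two points worth checking when the credential fails to resolve: the Username key and Password key must match the key names stored at the secret path exactly, and with Verify SSL off the scanner accepts any certificate from the Hashicorp Host, so the option should only bridge a missing CA trust, not replace it.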