Configure Tenable Security Center for HashiCorp Vault (SSH)

Required User Role: Any

In Tenable Security Center, you can integrate with HashiCorp Vault using SSH credentials.

Before you begin:

  • Ensure you have both a Tenable Security Center and HashiCorp Vault account.

Note: HashiCorp Vault provides options for both KV v1 and v2.

To integrate Tenable Security Center with HashiCorp Vault using SSH credentials:

  1. Log in to Tenable Security Center.

  2. Click Scanning > Credentials (administrator users) or Scans > Credentials (organizational users).

    The Credentials page appears.

  3. At the top of the page, click +Add.

    The Add Credential page appears.

  4. Scroll to the SSH section.
  1. In the Windows section, click HashiCorp Vault.

    The HashiCorp Vault Add Credential page appears.

  2. In the Name box, type a name for the credential.

  3. (Optional) Add a Description.

  4. (Optional) Add a Tag to the credential. For additional information about tags, see the Tags section in the Tenable Security Center documentation.

  5. In the SSH Hashicorp Vault Credential section, configure the SSH credentials.

    Option Default Value Required

    Hashicorp Host

    The Hashicorp Vault IP address or DNS address.

    Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

    yes

    Hashicorp Port

    The port on which Hashicorp Vault listens.

    yes

    Authentication Type

    Specifies the authentication type for connecting to the instance: App Role or Certificates.

    If you select Certificates, additional options for Hashicorp Client Certificate (Required) and Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key.

    yes

    Role ID

    The GUID provided by Hashicorp Vault when you configured your App Role.

    yes
    Role Secret ID

    The GUID generated by Hashicorp Vault when you configured your App Role.

    yes
    Authentication URL

    The path/subdirectory to the authentication endpoint. This is not the full URL. For example:

    /v1/auth/approle/login

    yes
    Namespace The name of a specified team in a multi-team environment. no
    Hashicorp Vault Type

    The type of Hashicorp Vault secrets engine: 

    • KV1 — Key/Value Secrets Engine Version 1

    • KV2 — Key/Value Secrets Engine Version 2

    • AD — Active Directory

    • LDAP - LDAP secrets engine

    yes

    KV1 Engine URL

    KV2 Engine URL

    AD Engine URL

    LDAP Engine URL

    The URL Tenable Security Center uses to access the Hashicorp Vault secrets engine.

    Example: /v1/path_to_secret. No trailing /

    yes

    Username Source

    (Appears when Hashicorp Vault Type is KV1 or KV2) Specifies if the username is input manually or pulled from Hashicorp Vault.

    yes

    Username Key

    (Appears when Hashicorp Vault Type is KV1 or KV2) The name in Hashicorp Vault that usernames are stored under.

    yes
    Password Key (Appears when Hashicorp Vault Type is KV1 or KV2) The key in Hashicorp Vault that passwords are stored under. yes
    Secret Name The key secret you want to retrieve values for. yes

    Kerberos Target Authentication

    If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.

    no

    Key Distribution Center (KDC)

    (Required if Kerberos Target Authentication is enabled) This host supplies the session tickets for the user.

    yes

    KDC Port

    (Required if Kerberos Target Authentication is enabled) The port on which the Kerberos authentication API communicates. By default, Tenable uses 88.

    yes

    KDC Transport

    (Required if Kerberos Target Authentication is enabled) The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port as the KDC UDP uses either port 88 or 750 by default, depending on the implementation.

    yes

    Realm

    (Required if Kerberos Target Authentication is enabled) The Realm is the authentication domain, usually noted as the domain name of the target (for example, example.com). By default, Tenable Security Center uses 443.

    yes

    Use SSL When enabled, Tenable Security Center uses SSL for secure communications. You must configure SSL in Hashicorp Vault before enabling this option. no
    Verify SSL When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL in Hashicorp Vault before enabling this option. no
    Privilege Escalation The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation. no
  1. Click Submit.

    Tenable Security Center saves the credential.