Configure Tenable.sc with HashiCorp Vault (Windows)

Required User Role: Any

In Tenable.sc, you can integrate with HashiCorp Vault using Windows credentials. Complete the following steps to configure Tenable.sc with HashiCorp Vault using Windows.

Before you begin:

  • Ensure you have both a Tenable.sc and HashiCorp Vault account.

Note: HashiCorp Vault provides options for both KV v1 and v2. However, Tenable.sc only supports integration with KV v1.

To integrate Tenable.sc with HashiCorp Vault using Windows credentials:

  1. Log in to Tenable.sc.
  2. Click Scanning > Credentials (administrator users) or Scans > Credentials (organizational users).

    The Credentials page appears.

  3. At the top of the page, click +Add.

    The Add Credential page appears.

  4. In the Windows section, click HashiCorp Vault.

    The HashiCorp Vault Add Credential page appears.

  1. In the Name box, type a name for the credential.

  2. (Optional) Add a Description.

  3. (Optional) Add a Tag to the credential. For additional information about tags, see the Tags section in the Tenable.sc documentation.

  4. In the Windows Hashicorp Vault Credential section, configure the Windows credentials.

    Option Default Value Required

    Hashicorp Host

    The Hashicorp Vault IP address or DNS address.

    Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

    yes

    Hashicorp Port

    The port on which Hashicorp Vault listens.

    yes
    Authenticaton Type

    Specifies the authentication type for connecting to the instance: App Role or Certificates.

    If you select Certificates, additional options for Hashicorp Client Certificate (Required) and Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key.

    yes
    Role ID

    The GUID provided by Hashicorp Vault when you configured your App Role.

    yes
    Role Secret ID The GUID generated by Hashicorp Vault when you configured your App Role. yes
    Authentication URL The path/subdirectory to the authentication endpoint. This is not the full URL. For example:

    /v1/auth/approle/login

    yes

    Namespace

    The name of a specified team in a multi-team environment.

    no
    Hashicorp Vault Type

    The type of Hashicorp Vault secrets engine: 

    • KV1 — Key/Value Secrets Engine Version 1
    • KV2 — Key/Value Secrets Engine Version 2
    • AD — Active Directory
    yes

    KV Engine URL

    The URL Tenable.sc uses to access the Hashicorp Vault secrets engine.

    yes
    Username Source (Only displays if Hashicorp Vault Type is KV1 or KV2) Specifies if the username is input manually or pulled from Hashicorp Vault. yes
    Username key (Only displays if Hashicorp Vault Type is KV1 or KV2) The name in Hashicorp Vault that usernames are stored under. yes
    Password key (Only displays if Hashicorp Vault Type is KV1 or KV2) The key in Hashicorp Vault that passwords are stored under. yes
    Secret Name The key secret you want to retrieve values for. yes
    Use SSL When enabled, Tenable.sc uses SSL for secure communications. You must configure SSL in Hashicorp Vault before enabling this option. no
    Verify SSL When enabled, Tenable.sc validates the SSL certificate. You must configure SSL in Hashicorp Vault before enabling this option. no
  1. Click Submit.

    Tenable.sc saves the credential.