Configure Tenable Security Center with HashiCorp Vault (Windows)

Required Tenable Security Center User Role: Any

In Tenable Security Center, you can integrate with HashiCorp Vault using Windows credentials. Complete the following steps to configure Tenable Security Center with HashiCorp Vault using Windows.

To integrate Tenable Security Center with HashiCorp Vault using Windows credentials:

  1. Log in to Tenable Security Center.

  2. Click Scanning > Credentials (administrator users) or Scans > Credentials (organizational users).

    The Credentials page appears.

  3. At the top of the page, click +Add.

    The Add Credential page appears.

  4. In the Windows section, click HashiCorp Vault.

    The HashiCorp Vault Add Credential page appears.

  1. In the Name box, type a name for the credential.

  2. (Optional) Add a Description.

  3. (Optional) Add a Tag to the credential. For additional information about tags, see the Tags section in the Tenable Security Center documentation.

  4. In the Windows Hashicorp Vault Credential section, configure the Windows credentials.

    Option Default Value Required

    Hashicorp Host

    The Hashicorp Vault IP address or DNS address.

    Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

    		 yes

    Hashicorp Port

    The port on which Hashicorp Vault listens.

    		 yes
    Authenticaton Type

    Specifies the authentication type for connecting to the instance: App Role or Certificates.

    If you select Certificates, additional options for Hashicorp Client Certificate (Required) and Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key.

    		 yes
    Role ID

    The GUID provided by Hashicorp Vault when you configured your App Role.

    		 yes
    Role Secret ID The GUID generated by Hashicorp Vault when you configured your App Role. yes
    Authentication URL The path/subdirectory to the authentication endpoint. This is not the full URL. For example:

    /v1/auth/approle/login

    		 yes

    Namespace

    The name of a specified team in a multi-team environment.

    		 no
    Hashicorp Vault Type

    The type of Hashicorp Vault secrets engine:

    • KV1 — Key/Value Secrets Engine Version 1

    • KV2 — Key/Value Secrets Engine Version 2

    • AD — Active Directory

    • LDAP - LDAP secrets engine

    		 yes

    KV1 Engine URL

    KV2 Engine URL

    AD Engine URL

    LDAP Engine URL

    The engine URL combines with the secret name to form the API request URL. For example, a secret name of creds and a KV v1 engine url of /v1/secret would result in a GET request to /v1/secret/creds (for KV v2, /v1/secret/data/creds).

    		 yes
    Username Source (Only displays if Hashicorp Vault Type is KV1 or KV2) Specifies if the username is input manually or pulled from Hashicorp Vault. yes
    Username Key (Only displays if Hashicorp Vault Type is KV1 or KV2) The name in Hashicorp Vault that usernames are stored under. yes
    Password Key (Only displays if Hashicorp Vault Type is KV1 or KV2) The key in Hashicorp Vault that passwords are stored under. yes
    Secret Name The key secret you want to retrieve values for. yes

    Kerberos Target Authentication

    If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.

    no

    Key Distribution Center (KDC)

    (Required if Kerberos Target Authentication is enabled) This host supplies the session tickets for the user.

    yes

    KDC Port

    (Required if Kerberos Target Authentication is enabled) The port on which the Kerberos authentication API communicates. By default, Tenable uses 88.

    yes

    KDC Transport

    (Required if Kerberos Target Authentication is enabled) The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port as the KDC UDP uses either port 88 or 750 by default, depending on the implementation.

    yes

    Domain

    (Required if Kerberos Target Authentication is enabled) The domain to which Kerberos Target Authentication belongs, if applicable.

    yes
    Use SSL When enabled, Tenable Security Center uses SSL for secure communications. You must configure SSL in Hashicorp Vault before enabling this option. no
    Verify SSL When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL in Hashicorp Vault before enabling this option. no

  1. Click Submit.

    Tenable Security Center saves the credential.