Configure VMware ESX SOAP API

Required Permissions

The ESX SOAP API credential uses the VMware ESXi SOAP API. The ESX credential requires a user account with read-only permissions or a user account with administrator level permissions.

The following steps detail how to create a read-only user with the minimum privilege level required:

  1. Log into ESXi.
  2. (Optional) If necessary, create a new user account.

    1. Under Navigator, expand the Host category and select Manage.

    2. In the Manage window, select Users, then click Add user.

    3. Add a user with the desired username and password.

  3. Under Navigator, select Host.

    A new window opens.

  4. Click Actions.
  5. Under Actions, select Permissions.

    The Manage permissions window appears.

  6. Select the user you want to use as a read-only user, then click assign role.

  7. Select Propagate to all children.

  8. Click Assign role.

  9. Run a Tenable scan to verify the permissions worked.

You should expect to see the scan showing not only vulnerabilities, but that credentialed checks are enabled on the ESXi host.

Note: Some compliance audits, specifically those with "Bare Metal" in the name, require an SSH credential to be configured. Configuring these audits displays a notice that SSH credentials are required. When configuring an SSH credential to an ESXi server, the user must be an administrator-level user. The read-only user cannot be used. This only applies to the SSH users required by these "Bare Metal" audits.

Scan Configuration

Access to VMware servers is available through its native SOAP API. VMware ESX SOAP API allows you to access the ESX and ESXi servers via username and password. Also, you have the option of not enabling SSL certificate verification:

For more information on configuring the VMWare ESX SOAP API, see Configure vSphere Scanning.

Tenable for VMware can access VMware ESXi servers through the native VMware SOAP API.

Option Description Default


(Required) The username for the ESXi server account that Tenable uses to perform checks on the target system



(Required) The password for the ESXi user.


Do not verify SSL Certificate

Do not validate the SSL certificate for the ESXi server.