Configure VMware vCenter API

This credential supports versions containing SOAP and REST APIs. Tenable automatically chooses which API to use based on the vCenter/ESXi version detected. The SOAP API is used for versions less than 7.0.3 and the REST API is used for version 7.0.3 or later.

Note: Tenable does not support the use of mixed version environments where the REST API is not available on some hosts. For example, vCenter 7.0.3 managing ESXi server versions less than 7.0.3 is not supported, but vCenter 8 managing ESXi server version 7.0.3 is supported.

Required Permissions

A scan configured with the vCenter credential uses the REST API for vulnerability checks against versions 7.0.3+ and the SOAP API for versions less than 7.0.3.

Note: In a compliance scan, regardless of version, the scan uses the SOAP API to collect configuration information at the level of detail required for compliance auditing.

When using the vCenter credential for vulnerability scanning, the scanner makes the following REST API requests to the vCenter server:

  • POST /api/session (log in)

  • GET /api/vcenter/host

  • GET /api/ESX/hosts/<host>/software/installed-components

The following steps detail how to create a read-only user with the minimum privilege level required:

  1. Log into vCenter.
  2. (Optional) If necessary, create a new user account.

    1. Under Administration > Access Control, select Roles.

    2. Create a new role with any name you prefer (for example, "Nessus").

  3. Select the VMware vSphere Lifecycle Manager category.

    A new window opens.

  4. Under Lifecycle Manager: Image Privileges, select Read.
  5. (Optional) If you wish to perform compliance scans, select the following additional privilege: Global -> Settings.

  6. Click Create to create the “Nessus” role.

  7. Go to the Inventory page.

  8. Right-click the root vCenter Object at the top of the left-hand tree.

    A new menu opens.

  9. Click Add Permission.

  10. Select the user account, and select the "Nessus" role.

  11. Select the propagate to children checkbox, then click OK.

  12. Run a Tenable Scan to verify permissions work.

  13. For additional troubleshooting, see the troubleshooting section.
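To confirm that the new role is sufficient before running the scan in step 12, the script below replays the three REST requests listed above with the role's account and maps any denied call back to the Required Permissions table. It is an added example, not Tenable's or VMware's code: the base URL, account name, and the responses in fake_transport are constructed, and the 201 status for POST /api/session and the vmware-api-session-id header are assumed from the vSphere Automation API.

```python
import base64
import json
import ssl
import urllib.request
from urllib.error import HTTPError

def http_json(method, url, headers, verify_tls=True):
    """Default transport: one HTTPS request, returning (status, decoded JSON body)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent to turning off 'Verify SSL Certificate'; only for self-signed vCenter certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except HTTPError as err:
        return err.code, None

def check_vcenter_role(base_url, username, password, transport=http_json, verify_tls=True):
    """Replay the scanner's three REST calls and record the HTTP status each one receives."""
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    status, token = transport("POST", f"{base_url}/api/session", {"Authorization": f"Basic {basic}"}, verify_tls)
    result = {"login": status, "hosts": None, "components": {}}
    if status not in (200, 201):
        return result
    session = {"vmware-api-session-id": token}  # assumed: vCenter hands back the session id as a JSON string
    result["hosts"], hosts = transport("GET", f"{base_url}/api/vcenter/host", session, verify_tls)
    for h in hosts or []:
        url = f"{base_url}/api/ESX/hosts/{h['host']}/software/installed-components"
        result["components"][h["host"]], _ = transport("GET", url, session, verify_tls)
    return result

def missing_permissions(result):
    """Map failed calls back to the rows of the Required Permissions table."""
    if result["login"] not in (200, 201):
        return ["login failed: check the vCenter username and password"]
    hints = []
    if result["hosts"] != 200:
        hints.append("host inventory denied: assign the role on the root vCenter object with propagate to children")
    hints += [f"{h}: missing Lifecycle Manager: Image Privileges = Read" for h, s in result["components"].items() if s != 200]
    return hints

def fake_transport(method, url, headers, verify_tls):
    # Constructed stand-in for vCenter so the check runs offline; host-11 is denied the installed-components call.
    if method == "POST":
        return 201, "tok123"
    if url.endswith("/api/vcenter/host"):
        return 200, [{"host": "host-10"}, {"host": "host-11"}]
    return (200, [{"component": "VMware-VM-Tools"}]) if "host-10" in url else (403, None)
```

Against a real vCenter, call check_vcenter_role with the default transport and the Nessus account; an empty list from missing_permissions means the role covers every request the vulnerability scan makes.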

Resources

VMware documentation on the REST API endpoints that the vCenter integration uses:

Scan Type                                      API Type   Permissions Needed
vCenter credential for vulnerability scanning  REST       Lifecycle Manager: Image Privileges = Read
ESXi hosts using ESXi credentials              SOAP       User = Read Only
Compliance Scan                                SOAP       Global -> Settings

Scan Configuration

For more information on configuring the VMware vCenter SOAP API, see Configure vSphere Scanning.

Tenable for VMware can access vCenter through the native VMware vCenter SOAP API. If available, Tenable Nessus uses the vCenter REST API to collect data on versions 7.0.3+ and uses the SOAP API on versions less than 7.0.3.

Credential: VMware vCenter SOAP API

Option Description

vCenter Host

(Required) The name of the vCenter host.

vCenter Port

(Required) The TCP port that vCenter listens on for communications from Tenable.

Username

(Required) The username for the vCenter server account with admin read/write access that Tenable uses to perform checks on the target system.

Password

(Required) The password for the vCenter server user.

HTTPS

When enabled, Tenable connects using secure communication (HTTPS). When disabled, Tenable connects using standard HTTP.

Verify SSL Certificate

When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA.

If you are using a self-signed certificate, disable this setting.

Auto Discover Managed VMware ESXi Hosts

This option adds any discovered VMware ESXi hypervisor hosts to the scan targets you include in your scan.

Auto Discover Managed VMware ESXi Virtual Machines

This option adds any discovered VMware ESXi hypervisor virtual machines to the scan targets you include in your scan.

Credential: VMware vCenter API

Option Description

vCenter Host

(Required) The name of the vCenter host.

vCenter Port

(Required) The TCP port that vCenter listens on for communications from Tenable.

HTTPS

When enabled, Tenable connects using secure communication (HTTPS). When disabled, Tenable connects using standard HTTP.

Verify SSL Certificate

When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA.

If you are using a self-signed certificate, disable this setting.

VMware vCenter API Authentication Method

(Required) The user can choose from a list of authentication methods:

  • Username and Password (manual entry)

  • PAM Integration (use a specific PAM to gather vCenter API Authentication Credentials from the available list)

Auto Discover Managed VMware ESXi Hosts

This option adds any discovered VMware ESXi hypervisor hosts to the scan targets you include in your scan.

Auto Discover Managed VMware ESXi Virtual Machines

This option adds any discovered VMware ESXi hypervisor virtual machines to the scan targets you include in your scan.