Database Credentials Authentication Types
Depending on the authentication type you select for your database credentials, you must configure the options described in this topic.
Client Certificate
The Client Certificate authentication type is supported for PostgreSQL databases only.
|
Option |
Description |
Required |
|---|---|---|
| Username | The username for the database. | yes |
| Client Certificate | The file that contains the PEM certificate for the database. | yes |
| Client CA Certificate | The file that contains the PEM certificate for the database. | yes |
| Client Certificate Private Key | The file that contains the PEM private key for the client certificate. | yes |
| Client Certificate Private Key Passphrase | The passphrase for the private key, if required in your authentication implementation. | no |
|
Database Port |
The port on which Tenable Vulnerability Management communicates with the database. | yes |
| Database Name | The name of the database. | no |
Password
|
Option |
Database Types |
Description |
Required |
|---|---|---|---|
|
Username |
All |
The username for a user on the database. |
yes |
|
Password |
All |
The password for the supplied username. |
no |
|
Database Port |
All | The port on which Tenable Vulnerability Management communicates with the database. | yes |
| Database Name |
DB2 PostgreSQL |
The name of the database. |
no |
| Auth type |
Oracle SQL Server Sybase ASE |
SQL Server values include:
Oracle values include:
Sybase ASE values include:
|
yes |
| Instance name | SQL Server | The name for your database instance. | no |
| Service type | Oracle |
Valid values include:
|
yes |
| Service | Oracle | The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. | no |
Import
Upload a .csv file with the credentials entered in the specified format. For descriptions of valid values to use for each item, see Database Credentials.
You must configure either CyberArk or HashiCorp credentials for a database credential in the same scan so that
|
Database Credential |
CSV Format |
|---|---|
| DB2 | target, port, database_name, username, cred_manager, accountname_or_secretname |
| MySQL | target, port, database_name, username, cred_manager, accountname_or_secretname |
| Oracle | target, port, service_type, service_ID, username, auth_type, cred_manager, accountname_or_secretname |
| SQL Server | target, port, instance_name, username, auth_type, cred_manager, accountname_or_secretname |
Note: Include the required data in the specified order, with commas between each value, without spaces. For example, for Oracle with CyberArk: 192.0.2.255,1521,SID,service_id,username,SYSDBA,CyberArk,Database-Oracle-SYS.
Note: The value for cred_manager must be either CyberArk or HashiCorp.
CyberArk
CyberArk is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from CyberArk to use in a scan.
| Option | Description | Required |
|---|---|---|
|
CyberArk Host |
The IP address or FQDN name for the CyberArk AIM Web Service. This can be the host, or the host with a custom URL added on in a single string. |
yes |
|
Port |
The port on which the CyberArk API communicates. By default, Tenable uses 443. |
yes |
|
AppID |
The Application ID associated with the CyberArk API connection. |
yes |
| Client Certificate | The file that contains the PEM certificate used to communicate with the CyberArk host. |
no |
| Client Certificate Private Key | The file that contains the PEM private key for the client certificate. |
yes, if private key is applied |
| Client Certificate Private Key Passphrase | The passphrase for the private key, if required. |
yes, if private key is applied |
| Get credential by |
The method with which your CyberArk API credentials are retrieved. Can be Username, Identifier, or Address. Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier. Note: The Username option also adds the Address parameter of the API query and assigns the target IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if the CyberArk Account Details Address field contains a value other than the target IP address. |
yes |
| Username |
(If Get credential by is Username) The username of the CyberArk user to request a password from. |
no |
| Safe |
The CyberArk safe the credential should be retrieved from. |
no |
| Account Name | (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. | no |
|
Use SSL |
If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS. |
no |
|
Verify SSL Certificate |
If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate. |
no |
CyberArk (Legacy)
CyberArk is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from CyberArk to use in a scan.
| Option | Database Types | Description |
Required |
|---|---|---|---|
|
Username |
All |
The target system’s username. |
yes |
|
Central Credential Provider Host |
All |
The CyberArk Central Credential Provider IP/DNS address. |
yes |
|
Central Credential Provider Port |
All |
The port on which the CyberArk Central Credential Provider is listening. |
yes |
|
CyberArk AIM Service URL |
All |
The URL of the AIM service. By default, this field uses |
no |
| Central Credential Provider Username | All |
If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication. |
no |
| Central Credential Provider Password | All |
If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication. |
no |
|
CyberArk Safe |
All |
The safe on the CyberArk Central Credential Provider server that contained the authentication information you would like to retrieve. |
no |
| CyberArk Client Certificate | All | The file that contains the PEM certificate used to communicate with the CyberArk host. | no |
| CyberArk Client Certificate Private Key | All | The file that contains the PEM private key for the client certificate. | no |
| CyberArk Client Certificate Private Key Passphrase | All | The passphrase for the private key, if your authentication implementation requires it. | no |
|
CyberArk AppId |
All |
The AppId that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password. |
yes |
|
CyberArk Folder |
All |
The folder on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve. |
no |
|
CyberArk Account Details Name |
All |
The unique name of the credential you want to retrieve from CyberArk. |
yes |
| PolicyId | All | The PolicyID assigned to the credentials that you want to retrieve from the CyberArk Central Credential Provider. | no |
|
Use SSL |
All |
If CyberArk Central Credential Provider is configured to support SSL through IIS check for secure communication. |
no |
|
Verify SSL Certificate |
All |
If CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate, select this option. Refer to the custom_CA.inc documentation for how to use self-signed certificates. |
no |
|
Database Port |
All |
The port on which |
yes |
| Database Name |
DB2 PostgreSQL |
The name of the database. | no |
| Auth type |
Oracle SQL Server Sybase ASE |
SQL Server values include:
Oracle values include:
Sybase ASE values include:
|
yes |
| Instance Name | SQL Server | The name for your database instance. | no |
| Service type | Oracle |
Valid values include:
|
yes |
| Service | Oracle | The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. | no |
HashiCorp Vault
HashiCorp Vault is a popular enterprise password vault that helps you manage privileged credentials.
| Option |
Database Types |
Description |
Required |
|---|---|---|---|
| Hashicorp Vault host | All |
The Hashicorp Vault IP address or DNS address. Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path. |
yes |
| Hashicorp Vault port | All | The port on which Hashicorp Vault listens. | yes |
| Authentication Type | All |
Specifies the authentication type for connecting to the instance: App Role or Certificates. If you select Certificates, additional options for Hashicorp Client Certificate and Hashicorp Client Certificate Private Key appear. Click Add File to select the appropriate files for the client certificate and private key. |
yes |
| Role ID | All | The GUID provided by Hashicorp Vault when you configured your App Role. | yes |
| Role Secret ID | All |
The GUID generated by Hashicorp Vault when you configured your App Role. |
yes |
| Authentication URL | All |
The URL Tenable Nessus Manager uses to access Hashicorp Vault. |
yes |
| Username Source | All | A drop-down box to specify if the username is input manually or pulled from Hashicorp Vault. | yes |
| Username Key | All | The name in Hashicorp Vault that usernames are stored under. | yes |
| Password Key | All | The key in Hashicorp Vault that passwords are stored under. | yes |
| Secret Name | All | The key secret you want to retrieve values for. | yes |
| Use SSL | All | When enabled, Tenable Nessus Manager uses SSL through IIS for secure communications. You must configure SSL through IIS in Hashicorp Vault before enabling this option. | no |
| Verify SSL Certificate | All | When enabled, Tenable Nessus Manager validates the SSL certificate. You must configure SSL through IIS in Hashicorp Vault before enabling this option. | no |
| Database Port | All | The port on whichTenable Nessus Manager communicates with the database. | yes |
| Auth Type | Oracle | The authentication method for the database credentials. Valid values include:
|
yes |
| Service Type | Oracle |
Valid values include:
|
yes |
| Service | Oracle | The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. | yes |
Lieberman
Lieberman is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from Lieberman to use in a scan.
| Option | Database Type | Description |
Required |
|---|---|---|---|
| Username | All | The target system’s username. | yes |
| Lieberman host | All |
The Lieberman IP/DNS address. Note: If your Lieberman installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path. |
yes |
| Lieberman port | All | The port on which Lieberman listens. | yes |
| Lieberman API URL | All | The URL Tenable Nessus Manager uses to access Lieberman. | no |
| Lieberman user | All | The Lieberman explicit user for authenticating to the Lieberman API. | yes |
| Lieberman password | All | The password for the Lieberman explicit user. | yes |
| Lieberman Authenticator | All |
The alias used for the authenticator in Lieberman. The name should match the name used in Lieberman. Note: If you use this option, append a domain to the Lieberman user option, i.e., domain\user. |
no |
| Lieberman Client Certificate | All |
The file that contains the PEM certificate used to communicate with the Lieberman host. Note: If you use this option, you do not have to enter information in the Lieberman user, Lieberman password, and Lieberman Authenticator fields. |
no |
| Lieberman Client Certificate Private Key | All | The file that contains the PEM private key for the client certificate. | no |
| Lieberman Client Certificate Private Key Passphrase | All | The passphrase for the private key, if required. | no |
| Use SSL | All |
If Lieberman is configured to support SSL through IIS, check for secure communication. |
no |
| Verify SSL Certificate | All |
If Lieberman is configured to support SSL through IIS and you want to validate the certificate, check this option. Refer to Custom CA documentation for how to use self-signed certificates. |
no |
| System Name | All | In the rare case your organization uses one default Lieberman entry for all managed systems, enter the default entry name. | no |
| Database Port | All | The port on which Tenable Nessus Manager communicates with the database. | yes |
| Database Name |
DB2 PostgreSQL |
(PostgreSQL and DB2 databases only) The name of the database. | no |
| Auth type |
Oracle SQL Server Sybase ASE |
(SQL Server, Oracle. and Sybase ASE databases only) SQL Server values include:
Oracle values include:
Sybase ASE values include:
|
yes |
| Instance Name | SQL Server | The name for your database instance. | no |
| Service type | Oracle |
Valid values include:
|
no |
| Service | Oracle | The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. | yes |