Database Credentials Authentication Types

Depending on the authentication type you select for your database credentials, you must configure the options described in this topic.

Client Certificate

The Client Certificate authentication type is supported for PostgreSQL databases only.

Option | Description | Required
Username | The username for the database. | yes
Client Certificate | The file that contains the PEM certificate for the database. | yes
Client CA Certificate | The file that contains the PEM certificate for the database. | yes
Client Certificate Private Key | The file that contains the PEM private key for the client certificate. | yes
Client Certificate Private Key Passphrase | The passphrase for the private key, if required in your authentication implementation. | no
Database Port | The port on which Tenable Vulnerability Management communicates with the database. | yes
Database Name | The name of the database. | no

Password

Option | Database Types | Description | Required
Username | All | The username for a user on the database. | yes
Password | All | The password for the supplied username. | no
Database Port | All | The port on which Tenable Vulnerability Management communicates with the database. | yes
Database Name | DB2, PostgreSQL | The name of the database. | no
Auth type | Oracle, SQL Server, Sybase ASE | SQL Server values include: Windows, SQL. Oracle values include: SYSDBA, SYSOPER, NORMAL. Sybase ASE values include: RSA, Plain Text. | yes
Instance name | SQL Server | The name for your database instance. | no
Service type | Oracle | Valid values include: SID, SERVICE_NAME. | yes
Service | Oracle | The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your selection for the Service type option. | no

Import

Upload a .csv file with the credentials entered in the specified format. For descriptions of valid values to use for each item, see Database Credentials.

You must configure either CyberArk or HashiCorp credentials for a database credential in the same scan so that Tenable Nessus can retrieve the credentials.

Database Credential | CSV Format
DB2 | target, port, database_name, username, cred_manager, accountname_or_secretname
MySQL | target, port, database_name, username, cred_manager, accountname_or_secretname
Oracle | target, port, service_type, service_ID, username, auth_type, cred_manager, accountname_or_secretname
SQL Server | target, port, instance_name, username, auth_type, cred_manager, accountname_or_secretname

Note: Include the required data in the specified order, with commas between each value, without spaces. For example, for Oracle with CyberArk: 192.0.2.255,1521,SID,service_id,username,SYSDBA,CyberArk,Database-Oracle-SYS.

Note: The value for cred_manager must be either CyberArk or HashiCorp.
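As an added pre-upload check that is not part of the Tenable documentation or product, the following Python script validates an import file against the per-database field layouts and the enumerated values listed above (cred_manager, auth_type, service_type, port range, no spaces); the sample rows in the main block are constructed, and the only identifiers it relies on are the column names from the CSV Format table.

```python
# Field layout per database type, taken from the CSV Format table above.
_TAIL = ["cred_manager", "accountname_or_secretname"]
FIELDS = {
    "DB2": ["target", "port", "database_name", "username"] + _TAIL,
    "MySQL": ["target", "port", "database_name", "username"] + _TAIL,
    "Oracle": ["target", "port", "service_type", "service_ID", "username", "auth_type"] + _TAIL,
    "SQL Server": ["target", "port", "instance_name", "username", "auth_type"] + _TAIL,
}
# Enumerated values the documentation allows for each constrained column.
ALLOWED = {
    "cred_manager": {"CyberArk", "HashiCorp"},
    "service_type": {"SID", "SERVICE_NAME"},
    ("Oracle", "auth_type"): {"SYSDBA", "SYSOPER", "NORMAL"},
    ("SQL Server", "auth_type"): {"Windows", "SQL"},
}

def validate_row(db_type, line, lineno=1):
    """Return the problems found in one CSV line; an empty list means the row is valid."""
    problems = []
    if " " in line:  # the docs require comma-separated values with no spaces
        problems.append(f"line {lineno}: spaces are not allowed between values")
    values = line.strip().split(",")
    names = FIELDS[db_type]
    if len(values) != len(names):
        problems.append(f"line {lineno}: {db_type} rows need {len(names)} values, got {len(values)}")
        return problems  # column positions mean nothing once the count is wrong
    row = dict(zip(names, values))
    problems += [f"line {lineno}: {name} is empty" for name, value in row.items() if not value]
    if not (row["port"].isdigit() and 1 <= int(row["port"]) <= 65535):
        problems.append(f"line {lineno}: port must be a number from 1 to 65535")
    for key in ("cred_manager", "service_type", "auth_type"):
        if key in row:  # per-database value set first, generic set otherwise
            allowed = ALLOWED.get((db_type, key)) or ALLOWED[key]
            if row[key] not in allowed:
                problems.append(f"line {lineno}: {key} must be one of {sorted(allowed)}")
    return problems

def validate_csv(db_type, text):
    """Validate every non-blank line of an import file and return all problems found."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            problems.extend(validate_row(db_type, line, lineno))
    return problems

if __name__ == "__main__":
    # Constructed sample: the documentation's Oracle example plus one invalid row.
    sample = ("192.0.2.255,1521,SID,service_id,username,SYSDBA,CyberArk,Database-Oracle-SYS\n"
              "192.0.2.10,1521,SID,orcl,scott,SYSADMIN,NotAVault,acct\n")
    print("\n".join(validate_csv("Oracle", sample) or ["no problems found"]))
```

The file carries account or secret names rather than passwords, so the messages can be logged without exposing a credential.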

CyberArk

CyberArk is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from CyberArk to use in a scan.

Option | Description | Required
CyberArk Host | The IP address or FQDN of the CyberArk AIM Web Service. This can be the host alone, or the host with a custom URL path appended, in a single string. | yes
Port | The port on which the CyberArk API communicates. By default, Tenable uses 443. | yes
AppID | The Application ID associated with the CyberArk API connection. | yes
Client Certificate | The file that contains the PEM certificate used to communicate with the CyberArk host. | no
Client Certificate Private Key | The file that contains the PEM private key for the client certificate. | yes, if a private key is applied
Client Certificate Private Key Passphrase | The passphrase for the private key, if required. | yes, if a private key is applied
Get credential by | The method by which your CyberArk API credentials are retrieved. Can be Username, Identifier, or Address. See the notes below. | yes
Username | (If Get credential by is Username) The username of the CyberArk user to request a password for. | no
Safe | The CyberArk safe the credential should be retrieved from. | no
Account Name | (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. | no
Use SSL | If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS. | no
Verify SSL Certificate | If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate. | no

Note (Get credential by): The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires that all targets have the same identifier.

Note (Get credential by): The Username option also adds the Address parameter to the API query and assigns the target IP of the resolved host to the Address parameter. This may cause credential retrieval to fail if the CyberArk Account Details Address field contains a value other than the target IP address.

CyberArk (Legacy)

CyberArk is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from CyberArk to use in a scan.

Option | Database Types | Description | Required
Username | All | The target system’s username. | yes
Central Credential Provider Host | All | The CyberArk Central Credential Provider IP/DNS address. | yes
Central Credential Provider Port | All | The port on which the CyberArk Central Credential Provider is listening. | yes
CyberArk AIM Service URL | All | The URL of the AIM service. By default, this field uses /AIMWebservice/v1.1/AIM.asmx. | no
Central Credential Provider Username | All | If the CyberArk Central Credential Provider is configured to use basic authentication, fill in this field for authentication. | no
Central Credential Provider Password | All | If the CyberArk Central Credential Provider is configured to use basic authentication, fill in this field for authentication. | no
CyberArk Safe | All | The safe on the CyberArk Central Credential Provider server that contains the authentication information you want to retrieve. | no
CyberArk Client Certificate | All | The file that contains the PEM certificate used to communicate with the CyberArk host. | no
CyberArk Client Certificate Private Key | All | The file that contains the PEM private key for the client certificate. | no
CyberArk Client Certificate Private Key Passphrase | All | The passphrase for the private key, if your authentication implementation requires it. | no
CyberArk AppId | All | The AppId that has been granted permissions on the CyberArk Central Credential Provider to retrieve the target password. | yes
CyberArk Folder | All | The folder on the CyberArk Central Credential Provider server that contains the authentication information you want to retrieve. | no
CyberArk Account Details Name | All | The unique name of the credential you want to retrieve from CyberArk. | yes
PolicyId | All | The PolicyID assigned to the credentials that you want to retrieve from the CyberArk Central Credential Provider. | no
Use SSL | All | If the CyberArk Central Credential Provider is configured to support SSL through IIS, select this option for secure communication. | no
Verify SSL Certificate | All | If the CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate, select this option. Refer to the custom_CA.inc documentation for how to use self-signed certificates. | no
Database Port | All | The port on which Tenable Nessus communicates with the database. | yes
Database Name | DB2, PostgreSQL | The name of the database. | no
Auth type | Oracle, SQL Server, Sybase ASE | SQL Server values include: Windows, SQL. Oracle values include: Normal, System Operator, System Database Administrator, SYSDBA, SYSOPER, NORMAL. Sybase ASE values include: RSA, Plain Text. | yes
Instance Name | SQL Server | The name for your database instance. | no
Service type | Oracle | Valid values include: SID, SERVICE_NAME. | yes
Service | Oracle | The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your selection for the Service type option. | no

HashiCorp Vault

HashiCorp Vault is a popular enterprise password vault that helps you manage privileged credentials. Tenable Nessus can get credentials from HashiCorp Vault to use in a scan.

Option | Database Types | Description | Required
Hashicorp Vault host | All | The Hashicorp Vault IP address or DNS address. Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path, for example, IP address or hostname/subdirectory path. | yes
Hashicorp Vault port | All | The port on which Hashicorp Vault listens. | yes
Authentication Type | All | Specifies the authentication type for connecting to the instance: App Role or Certificates. If you select Certificates, additional options for Hashicorp Client Certificate and Hashicorp Client Certificate Private Key appear. Click Add File to select the appropriate files for the client certificate and private key. | yes
Role ID | All | The GUID provided by Hashicorp Vault when you configured your App Role. | yes
Role Secret ID | All | The GUID generated by Hashicorp Vault when you configured your App Role. | yes
Authentication URL | All | The URL Tenable Nessus Manager uses to access Hashicorp Vault. | yes
Username Source | All | A drop-down box to specify whether the username is entered manually or pulled from Hashicorp Vault. | yes
Username Key | All | The key name in Hashicorp Vault that usernames are stored under. | yes
Password Key | All | The key in Hashicorp Vault that passwords are stored under. | yes
Secret Name | All | The secret you want to retrieve values for. | yes
Use SSL | All | When enabled, Tenable Nessus Manager uses SSL through IIS for secure communications. You must configure SSL through IIS in Hashicorp Vault before enabling this option. | no
Verify SSL Certificate | All | When enabled, Tenable Nessus Manager validates the SSL certificate. You must configure SSL through IIS in Hashicorp Vault before enabling this option. | no
Database Port | All | The port on which Tenable Nessus Manager communicates with the database. | yes
Auth Type | Oracle | The authentication method for the database credentials. Valid values include: SYSDBA, SYSOPER, NORMAL. | yes
Service Type | Oracle | Valid values include: SID, SERVICE_NAME. | yes
Service | Oracle | The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your selection for the Service Type option. | yes

Lieberman

Lieberman is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from Lieberman to use in a scan.

Option | Database Type | Description | Required
Username | All | The target system’s username. | yes
Lieberman host | All | The Lieberman IP/DNS address. Note: If your Lieberman installation is in a subdirectory, you must include the subdirectory path, for example, IP address or hostname/subdirectory path. | yes
Lieberman port | All | The port on which Lieberman listens. | yes
Lieberman API URL | All | The URL Tenable Nessus Manager uses to access Lieberman. | no
Lieberman user | All | The Lieberman explicit user for authenticating to the Lieberman API. | yes
Lieberman password | All | The password for the Lieberman explicit user. | yes
Lieberman Authenticator | All | The alias used for the authenticator in Lieberman. The name should match the name used in Lieberman. Note: If you use this option, append a domain to the Lieberman user option, for example, domain\user. | no
Lieberman Client Certificate | All | The file that contains the PEM certificate used to communicate with the Lieberman host. Note: If you use this option, you do not have to enter information in the Lieberman user, Lieberman password, and Lieberman Authenticator fields. | no
Lieberman Client Certificate Private Key | All | The file that contains the PEM private key for the client certificate. | no
Lieberman Client Certificate Private Key Passphrase | All | The passphrase for the private key, if required. | no
Use SSL | All | If Lieberman is configured to support SSL through IIS, select this option for secure communication. | no
Verify SSL Certificate | All | If Lieberman is configured to support SSL through IIS and you want to validate the certificate, select this option. Refer to the Custom CA documentation for how to use self-signed certificates. | no
System Name | All | In the rare case that your organization uses one default Lieberman entry for all managed systems, enter the default entry name. | no
Database Port | All | The port on which Tenable Nessus Manager communicates with the database. | yes
Database Name | DB2, PostgreSQL | (PostgreSQL and DB2 databases only) The name of the database. | no
Auth type | Oracle, SQL Server, Sybase ASE | (SQL Server, Oracle, and Sybase ASE databases only) SQL Server values include: Windows, SQL. Oracle values include: SYSDBA, SYSOPER, NORMAL. Sybase ASE values include: RSA, Plain Text. | yes
Instance Name | SQL Server | The name for your database instance. | no
Service type | Oracle | Valid values include: SID, SERVICE_NAME. | no
Service | Oracle | The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your selection for the Service type option. | yes