Miscellaneous Credentials Authentication Method Settings
Depending on the authentication type you select for your miscellaneous credentials, you must configure the following options. For more information about miscellaneous credential settings, see Miscellaneous Credentials.
Arcon Options
The following table describes the additional options to configure when using Arcon as the Authentication Method for VMware vCenter API credentials.
| Option | Description | 
|---|---|
| Arcon Host | (Required) The Arcon IP address or DNS address. Note: If your Arcon installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. | 
| Arcon Port | (Required) The port on which Arcon listens. By default, Tenable Security Center uses port 444. | 
| API User | (Required) The API user provided by Arcon. | 
| API Key | (Required) The API key provided by Arcon. | 
| Authentication URL | (Required) The URL Tenable Security Center uses to access Arcon. | 
| Password Engine URL | (Required) The URL Tenable Security Center uses to access the passwords in Arcon. | 
| Username | (Required) The username to log in to the hosts you want to scan. | 
| Checkout Duration | (Required) The length of time, in hours, that you want to keep credentials checked out in Arcon. Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails. Tip: Configure the password change interval in Arcon so that password changes do not disrupt your Tenable Security Center scans. If Arcon changes a password during a scan, the scan fails. | 
| Use SSL | When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in Arcon before enabling this option. | 
| Verify SSL Certificate | When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Arcon before enabling this option. | 
BeyondTrust Options
The following table describes the additional options to configure when using BeyondTrust as the Authentication Method for VMware vCenter API credentials.
| Option | Description | Required | 
|---|---|---|
| BeyondTrust Host | The IP or domain name of the BeyondTrust Web Server. | yes | 
| BeyondTrust Port | The port for the BeyondTrust Web Server. For example, 443. | yes | 
| BeyondTrust API User | The API user name associated with the API Key used for API authentication. | yes | 
| BeyondTrust API Key | The API Key associated with the API user name used for API authentication. | yes | 
| Checkout Duration (minutes) | The length of time, in minutes, that you want to keep credentials checked out in BeyondTrust. Configure the checkout duration to exceed the typical duration of your Tenable Security Center scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails. Tip: Configure the password change interval in BeyondTrust so that password changes do not disrupt your Tenable Security Center scans. If BeyondTrust changes a password during a scan, the scan fails. | yes | 
| Use SSL | Enable if BeyondTrust is configured to support SSL. | no |
| Verify SSL Certificate | If enabled, verifies the SSL Certificate on the BeyondTrust server. | no |
CyberArk Options
The following table describes the additional options to configure when using CyberArk as the Authentication Method for VMware vCenter API credentials.
Note: You must be running Tenable Nessus 7.0.0 or later to configure CyberArk credentials.
| Option | Description | Required | 
|---|---|---|
| CyberArk Host | The IP address or FQDN name for the CyberArk AIM Web Service. This can be the host, or the host with a custom URL added on in a single string. | yes | 
| Port | The port on which the CyberArk API communicates. By default, Tenable uses 443. | yes | 
| AppID | The Application ID associated with the CyberArk API connection. | yes | 
| Client Certificate | The file that contains the PEM certificate used to communicate with the CyberArk host. Note: Customers self-hosting CyberArk CCP on a Windows Server 2022 and above should follow the guidance found in Tenable’s Community post about CyberArk Client Certification Authentication Issue. | no | 
| Client Certificate Private Key | The file that contains the PEM private key for the client certificate. | yes, if private key is applied |
| Client Certificate Private Key Passphrase | The passphrase for the private key, if required. | yes, if private key is applied | 
| Get credential by | The method with which your CyberArk API credentials are retrieved. Can be Username, Identifier, or Address. Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier. | yes | 
| Username | (If Get credential by is Username) The username of the CyberArk user to request a password from. | no | 
| Account Name | (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. | no | 
| Address | (If Get credential by is Address) The address unique to the CyberArk API credential. | no | 
| Safe | The CyberArk safe the credential should be retrieved from. | no | 
| Use SSL | If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS. | no | 
| Verify SSL Certificate | If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate. | no | 
CyberArk (Legacy) Options
The following table describes the additional options to configure when using CyberArk (Legacy) as the Authentication Method for VMware vCenter API credentials.
Note: You must be running Tenable Nessus 7.0.0 or later to configure CyberArk credentials.
| Option | Description | Required | 
|---|---|---|
| Central Credential Provider URL Host | The CyberArk Central Credential Provider IP/DNS address. | yes | 
| Central Credential Provider URL Port | The port on which the CyberArk Central Credential Provider is listening. | yes | 
| Vault Username | If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication. | no | 
| Vault Password | If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication. | no | 
| Safe | The safe on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve. | yes |
| CyberArk Client Certificate | The file that contains the PEM certificate used to communicate with the CyberArk host. | no | 
| CyberArk Client Certificate Private Key | The file that contains the PEM private key for the client certificate. | no | 
| CyberArk Client Certificate Private Key Passphrase | The passphrase for the private key, if your authentication implementation requires it. | no | 
| AppId | The AppId that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password. | yes | 
| Folder | The folder on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve. | yes | 
| PolicyId | The PolicyID assigned to the credentials that you want to retrieve from the CyberArk Central Credential Provider. | no | 
| CyberArk Account Details Name | The unique name of the credential you want to retrieve from CyberArk. | no | 
| Vault Use SSL | If the CyberArk Central Credential Provider is configured to support SSL through IIS, select this option for secure communication. | no |
| Vault Verify SSL | If CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate, select this option. Refer to the custom_CA.inc documentation for how to use self-signed certificates. | no | 
| CyberArk AIM Service URL | The URL of the AIM service. By default, this field uses /AIMWebservice/v1.1/AIM.asmx. | no | 
Delinea Secret Server Options
The following table describes the additional options to configure when using Delinea Secret Server as the Authentication Method for VMware vCenter API credentials.
| Option | Description | Required | 
|---|---|---|
| Delinea Secret Name | The value of the secret on the Delinea server. The secret is labeled Secret Name on the Delinea server. | yes | 
| Delinea Host | The Delinea Secret Server host to pull the secrets from. | yes | 
| Delinea Port | The Delinea Secret Server Port for API requests. By default, Tenable uses 443. | yes | 
| Delinea Login Name | The username to authenticate to the Delinea server. | yes | 
| Delinea Password | The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided. | yes | 
| Checkout Duration | The duration Tenable should check out the password from Delinea. Duration time is in hours and should be longer than the scan time. | yes | 
| Use SSL | Enable if the Delinea Secret Server is configured to support SSL. | no | 
| Verify SSL Certificate | If enabled, verifies the SSL Certificate on the Delinea server. | no | 
Hashicorp Vault Options
The following table describes the additional options to configure when using Hashicorp Vault as the Authentication Method for VMware vCenter API credentials.
| Option | Description | Required | 
|---|---|---|
| Hashicorp Host | The Hashicorp Vault IP address or DNS address. Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. | yes | 
| Hashicorp Port | The port on which Hashicorp Vault listens. | yes | 
| Authentication Type | Specifies the authentication type for connecting to the instance: App Role or Certificates. | yes | 
| Role ID | If Authentication Type is App Role, the GUID provided by Hashicorp Vault when you configured your App Role. | yes | 
| Role Secret ID | If Authentication Type is App Role, the GUID generated by Hashicorp Vault when you configured your App Role. | yes | 
| Client Cert | If Authentication Type is Certificates, the client certificate file you want to use to authenticate the connection. | yes | 
| Private Key | If Authentication Type is Certificates, the private key file associated with the client certificate you want to use to authenticate the connection. | yes | 
| Authentication URL | The path/subdirectory to the authentication endpoint. This is not the full URL. For example: /v1/auth/approle/login | yes | 
| Namespace | The name of a specified team in a multi-team environment. | no | 
| Hashicorp Vault Type | The type of Hashicorp Vault secrets engine: | yes |
| KV1 Engine URL, KV2 Engine URL, AD Engine URL, or LDAP Engine URL | The engine URL combines with the secret name to form the API request URL. For example, a secret name of creds and a KV v1 engine URL of /v1/secret would result in a GET request to /v1/secret/creds (for KV v2, /v1/secret/data/creds). | yes |
| Username Source | (Appears when Hashicorp Vault Type is KV1 or KV2) Specifies if the username is input manually or pulled from Hashicorp Vault. | yes | 
| Username Key or Username | (Appears when Hashicorp Vault Type is KV1 or KV2) The name in Hashicorp Vault that usernames are stored under. | no | 
| Password Key | (Appears when Hashicorp Vault Type is KV1 or KV2) The key in Hashicorp Vault that passwords are stored under. | no | 
| Secret Name | The key secret you want to retrieve values for. | yes | 
| Use SSL | When enabled, Tenable Security Center uses SSL for secure communications. You must configure SSL in Hashicorp Vault before enabling this option. | no | 
| Verify SSL | When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL in Hashicorp Vault before enabling this option. | no | 
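The engine URL rule and the Username Key / Password Key lookups from the table above, as an added example (not Tenable's or HashiCorp's code). Function names, parameter names and the sample secret are assumptions made for illustration; the response nesting and the `X-Vault-Token` / `X-Vault-Namespace` headers follow Vault's HTTP API.

```python
import json
from urllib.parse import quote

# Constructed sample responses in the shapes Vault returns for KV v1 and KV v2.
# The field names "user" and "pass" are made up for this example.
KV1_RESPONSE = json.loads('{"data": {"user": "svc-scan", "pass": "example-only"}}')
KV2_RESPONSE = json.loads(
    '{"data": {"data": {"user": "svc-scan", "pass": "example-only"},'
    ' "metadata": {"version": 3}}}'
)


def build_secret_path(vault_type, engine_url, secret_name):
    """Combine the engine URL and secret name into the GET request path."""
    if vault_type not in ("KV1", "KV2"):
        raise ValueError("this example covers only the KV1 and KV2 types")
    name = secret_name.strip("/")
    if not name or ".." in name.split("/"):
        raise ValueError("secret name is empty or contains a '..' segment")
    middle = "/data/" if vault_type == "KV2" else "/"
    return "/" + engine_url.strip("/") + middle + quote(name, safe="/")


def build_headers(token, namespace=None):
    """Token header for the read; the namespace header only when one is set."""
    headers = {"X-Vault-Token": token}
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    return headers


def extract_credentials(vault_type, response, password_key,
                        username_key=None, manual_username=None):
    """Return (username, password). KV2 nests the secret under data.data."""
    data = response.get("data") or {}
    if vault_type == "KV2":
        data = data.get("data") or {}
    if password_key not in data:
        # Report only the key name, never the secret's contents.
        raise KeyError(f"password key {password_key!r} not found in secret")
    if manual_username is not None:
        return manual_username, data[password_key]
    if username_key not in data:
        raise KeyError(f"username key {username_key!r} not found in secret")
    return data[username_key], data[password_key]


if __name__ == "__main__":
    print(build_secret_path("KV2", "/v1/secret", "creds"))
    print(extract_credentials("KV2", KV2_RESPONSE, "pass", username_key="user")[0])
```

Selecting KV1 for a secret stored in a KV2 engine (or the reverse) surfaces as a missing Password Key rather than a connection error, because the lookup runs one nesting level off.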
Password Options
The following table describes the additional options to configure when using Password as the Authentication Method for VMware vCenter API credentials.
| Option | Database Types | Description | 
|---|---|---|
| Username | All | The username for a user on the database. | 
| Password | All | The password associated with the username you provided. | 
QiAnXin Options
The following table describes the additional options to configure when using QiAnXin as the Authentication Method for VMware vCenter API credentials.
| Option | Description | Required | 
|---|---|---|
| QiAnXin Host | The IP address or URL for the QiAnXin host. | yes | 
| QiAnXin Port | The port on which the QiAnXin API communicates. By default, Tenable uses 443. | yes | 
| QiAnXin API Client ID | The Client ID for the embedded account application created in QiAnXin PAM. | yes | 
| QiAnXin API Client Secret | The Secret ID for the embedded account application created in QiAnXin PAM. | yes | 
| QiAnXin Username | The username to log in to the hosts you want to scan. | yes | 
| QiAnXin Asset Address | Specify the host IP of the asset containing the account to use. If not specified, the scan target IP is used. | no | 
| QiAnXin Asset Platform | Specify the platform (based on asset type) of the asset containing the account to use. If not specified, a default target is used based on credential type (for example, for Windows credentials, the default is WINDOWS). Possible values: | no |
| QiAnXin Region ID | Specify the region ID of the asset containing the account to use. | Only if using multiple regions | 
| Use SSL | When enabled, Tenable uses SSL for secure communication. This is enabled by default. | no | 
| Verify SSL Certificate | When enabled, Tenable verifies that the SSL Certificate on the server is signed by a trusted CA. | no | 
Senhasegura Options
The following table describes the additional options to configure when using Senhasegura as the Authentication Method for VMware vCenter API credentials.
| Option | Description | Required | 
|---|---|---|
| Senhasegura Host | The IP address or URL for the Senhasegura host. | yes |
| Senhasegura Port | The port on which the Senhasegura API communicates. By default, Tenable uses 443. | yes |
| Senhasegura API Client ID | The Client ID for the applicable Senhasegura A2A Application for OAuth 2.0 API authentication. | yes |
| Senhasegura API Client Secret | The Secret ID for the applicable Senhasegura A2A Application for OAuth 2.0 API authentication. | yes |
| Senhasegura Credential ID or Identifier | The credential ID or identifier for the credential that you are requesting to retrieve. | yes | 
| Private Key File | The Private Key used to decrypt encrypted sensitive data from A2A. Note: You can enable encryption of sensitive data in the A2A Application Authorizations. If enabled, you must provide a private key file in the scan credentials. This can be downloaded from the applicable A2A application in Senhasegura. | Required if you have enabled encryption of sensitive data in A2A Application Authorizations. | 
| Use SSL | When enabled, Tenable Security Center uses SSL for secure communications. This setting is enabled by default. | no | 
| Verify SSL Certificate | When enabled, Tenable Security Center validates the SSL certificate. This setting is disabled by default. | no | 
WALLIX Bastion Options
The following table describes the additional options to configure when using WALLIX Bastion as the Authentication Method for VMware vCenter API credentials.
| Option | Description | Required | 
|---|---|---|
| WALLIX Host | The IP address for the WALLIX Bastion host. | yes | 
| WALLIX Port | The port on which the WALLIX Bastion API communicates. By default, Tenable uses 443. | yes | 
| Authentication Type | The authentication type: | yes |
| WALLIX User | Your WALLIX Bastion user interface login username. | yes | 
| WALLIX Password | If Authentication Type is Basic, your WALLIX Bastion user interface login password. Used for Basic authentication to the API. | yes | 
| WALLIX API Key | If Authentication Type is API Key, the API key generated in the WALLIX Bastion user interface. Used for API Key authentication to the API. | yes | 
| Get Credential by Device Account Name | The account name associated with a Device you want to log in to the target systems with. Note: If the device has more than one account, you must enter the specific device name for the account you want to retrieve credentials for. Failure to do this may result in credentials for the wrong account returned by the system. | Required only if you have a target and/or device with multiple accounts. | 
| HTTPS | This is enabled by default. Caution: The integration fails if you disable HTTPS. | yes | 
| Verify SSL Certificate | This is disabled by default and unsupported in WALLIX Bastion PAM integrations. | no |