Database Credentials
The following topic describes the available Database credentials.
Note: Aspects of credential options are based on Nessus plugin options. Therefore, specific credential options may differ from the descriptions documented here.
Configure the following options for all database credentials:
| Options | Description |
|---|---|
|
Name (Required) |
A name for the credential. |
| Description | A description for the credential. |
|
|
A |
Akeyless PAM
| Option | Description | Required |
|---|---|---|
| Akeyless Host | The hostname or IP address of your Akeyless instance. For the Akeyless SaaS platform, use api.akeyless.io. | Yes |
| Akeyless Port | The port on which the Akeyless API communicates. By default, Tenable uses 443. | Yes |
| Akeyless API URL | An optional base URL path appended to the host when constructing API requests. Leave blank for the default Akeyless SaaS or gateway API. | No |
| Access ID | The Access ID associated with your Akeyless authentication method. This value begins with p- for SaaS auth methods. | Yes |
| Authentication Method | The method used to authenticate to Akeyless. Select Access Key, Universal Identity, or Certificate. | Yes |
| Access Key | The Access Key secret corresponding to the Access ID. Displayed when the Authentication Method is set to Access Key. | Yes (if using Access Key authentication) |
| UID Token Source | Whether to supply the Universal Identity token directly or read it from a file on the scanner. Possible options are Manual and File. Displayed when the Authentication Method is set to Universal Identity. | Yes (if using Universal ID authentication) |
| Universal Identity Token | The UID token used for Universal Identity authentication. Displayed when UID Token Source is set to Manual. | Yes (if using manual Universal ID entry) |
| Universal Identity Token File | The absolute path to a file on the Tenable Nessus scanner host that contains the UID token. Displayed when UID Token Source is set to File. | Yes (if using file-based Universal Identity) |
| Client Certificate | The PEM-format client certificate file used for certificate-based (mTLS) authentication. Displayed when the Authentication Method is set to Certificate. | Yes (if using Certificate Authentication) |
| Private Key | The PEM-format private key file corresponding to the client certificate. Displayed when the Authentication Method is set to Certificate. | Yes (if using Certificate Authentication) |
| Passphrase For Private Key | The passphrase protecting the private key, if the key is encrypted. Displayed when the Authentication Method is set to Certificate. | No |
| Credential ID | The full path of the Akeyless secret that contains the target login credentials, for example /scan/linux/webserver. | Yes |
| Secret Type | The type of Akeyless secret to retrieve. Select Static for static secrets or Rotated for rotated secrets. Static by default. | Yes |
| Use SSL | Whether to use SSL/TLS when communicating with the Akeyless host. Enabled by default. | Yes |
| Verify SSL Certificate | Whether to verify the Akeyless host SSL certificate. Disable only in test environments. | Yes |
| Use Kerberos KDC | If enabled, Kerberos authentication is used to log in to the Windows target. Requires KDC host, port, transport, and domain. Applies to SSH and Windows credentials only. | No |
| Elevate privileges with | The privilege escalation method to use after login (for example, sudo). Applies to SSH credentials only. | No |
| Escalation Credential ID | The Akeyless secret path for the escalation account credentials. If not specified, the primary Credential ID is used for both login and escalation. Applies to SSH credentials only. | No |
Apache Cassandra
|
Option |
Description |
|---|---|
|
|
The authentication method for providing the required credentials.
For descriptions of the options for your selected authentication type, see |
|
|
The port the database listens on. The default is port 9042. |
IBM DB2
The following table describes the additional options to configure for
| Options | Description |
|---|---|
|
Source |
The method for providing the required credential details: Entry or Import.
|
|
|
The authentication method for providing the required credentials.
For descriptions of the options for your selected authentication type, see |
| Port | The TCP port that the IBM DB2 database instance listens on for communications from Tenable Security Center. The default is port 50000. |
| Database Name | The name for your database (not the name of your instance). |
Informix/DRDA
The following table describes the additional options to configure for Informix/DRDA credentials.
|
Options |
Description |
|---|---|
|
Username |
The username for a user on the database. |
|
Password |
The password associated with the username you provided. |
|
Port |
The TCP port that the Informix/DRDA database instance listens on for communications from Tenable Security Center. The default is port 1526. |
MongoDB
|
Option |
Description |
|---|---|
|
Username |
The username for the database. |
|
Password |
The password for the supplied username. |
|
Database |
The name of the database to authenticate to. Tip: To authenticate via LDAP or saslauthd, type $external.
|
|
Port |
(Required) The TCP port that the MongoDB database instance listens on for communications from Tenable Security Center. |
MySQL
The following table describes the additional options to configure for MySQL credentials.
| Options | Description |
|---|---|
|
Source |
The method for providing the required credential details: Entry or Import.
|
|
|
The authentication method for providing the required credentials.
For descriptions of the options for your selected authentication type, see |
| Username | The username for a user on the database. |
|
Password |
The password associated with the username you provided. |
| Client Certificate | The PEM-formatted SSL/TLS certificate used to identify the scanner or client to the MySQL database. This certificate must be signed by a Certificate Authority (CA) that the database server trusts. |
| Client CA Certificate | The PEM-formatted Certificate Authority (CA) certificate used to verify the authenticity of the database server's certificate. This ensures the scanner is connecting to the intended, secure host. |
| Client Certificate Private Key | The PEM-formatted private key that corresponds to the Client Certificate. This key is used to decrypt data and prove ownership of the certificate during the handshake process. |
| Client Certificate Private Key Passphrase | The password required to decrypt the Client Certificate Private Key, if the key was generated with encryption. |
| Port | The TCP port that the MySQL database instance listens on for communications from Tenable Security Center. The default is port 3306. |
Oracle Database
The following table describes the additional options to configure for Oracle
| Options | Description |
|---|---|
|
Source |
The method for providing the required credential details: Entry or Import.
|
|
|
The authentication method for providing the required credentials.
For descriptions of the options for your selected authentication type, see |
| Port | The TCP port that the Oracle database instance listens on for communications from Tenable Security Center. The default is port 1521. |
|
|
The type of account you want Tenable Security Center to use to access the database instance:
|
| Service Type | The Oracle parameter you want to use to specify the database instance: SID or |
| Service |
The SID value or SERVICE_NAME value for your database instance. The Service value you enter must match your parameter selection for the Service Type option. |
PostgreSQL
The following table describes the additional options to configure for PostgreSQL credentials.
| Options | Description |
|---|---|
|
|
The authentication method for providing the required credentials.
For descriptions of the options for your selected authentication type, see |
| Port | The TCP port that the PostgreSQL database instance listens on for communications from Tenable Security Center. The default is port 5432. |
| Database Name | The name for your database instance. |
SQL Server
The following table describes the additional options to configure for SQL Server credentials.
| Options | Description |
|---|---|
|
Source |
The method for providing the required credential details: Entry or Import.
|
|
|
The authentication method for providing the required credentials.
For descriptions of the options for your selected authentication type, see |
| Username | The username for a user on the database. |
|
Password |
The password associated with the username you provided. |
| Port | The TCP port that the SQL Server database instance listens on for communications from Tenable Security Center. The default is port 1433. |
|
Authentication |
The type of account you want Tenable Security Center to use to access the database instance: SQL or Windows. |
| Instance Name | The name for your database instance. |
Sybase ASE
The following table describes the additional options to configure for Sybase ASE credentials.
| Options | Description |
|---|---|
|
|
The authentication method for providing the required credentials.
For descriptions of the options for your selected authentication type, see |
| Port | The TCP port that the Sybase ASE database instance listens on for communications from Tenable Security Center. The default is port 3638. |
|
|
The type of authentication used by the Sybase ASE database: RSA or Plain Text. |