Database Credentials

The following topic describes the available Database credentials.

Note: Aspects of credential options are based on Nessus plugin options. Therefore, specific credential options may differ from the descriptions documented here.

Configure the following options for all database credentials:

Options Description

Name (Required)

A name for the credential.
Description A description for the credential.

Label

A label for the credential. For more information, see Labels.

Akeyless PAM

Option Description Required
Akeyless Host The hostname or IP address of your Akeyless instance. For the Akeyless SaaS platform, use api.akeyless.io. Yes
Akeyless Port The port on which the Akeyless API communicates. By default, Tenable uses 443. Yes
Akeyless API URL An optional base URL path appended to the host when constructing API requests. Leave blank for the default Akeyless SaaS or gateway API. No
Access ID The Access ID associated with your Akeyless authentication method. This value begins with p- for SaaS auth methods. Yes
Authentication Method The method used to authenticate to Akeyless. Select Access Key, Universal Identity, or Certificate. Yes
Access Key The Access Key secret corresponding to the Access ID. Displayed when the Authentication Method is set to Access Key. Yes (if using Access Key authentication)
UID Token Source Whether to supply the Universal Identity token directly or read it from a file on the scanner. Possible options are Manual and File. Displayed when the Authentication Method is set to Universal Identity. Yes (if using Universal ID authentication)
Universal Identity Token The UID token used for Universal Identity authentication. Displayed when UID Token Source is set to Manual. Yes (if using manual Universal ID entry)
Universal Identity Token File The absolute path to a file on the Tenable Nessus scanner host that contains the UID token. Displayed when UID Token Source is set to File. Yes (if using file-based Universal Identity)
Client Certificate The PEM-format client certificate file used for certificate-based (mTLS) authentication. Displayed when the Authentication Method is set to Certificate. Yes (if using Certificate Authentication)
Private Key The PEM-format private key file corresponding to the client certificate. Displayed when the Authentication Method is set to Certificate. Yes (if using Certificate Authentication)
Passphrase For Private Key The passphrase protecting the private key, if the key is encrypted. Displayed when the Authentication Method is set to Certificate. No
Credential ID The full path of the Akeyless secret that contains the target login credentials, for example /scan/linux/webserver. Yes
Secret Type The type of Akeyless secret to retrieve. Select Static for static secrets or Rotated for rotated secrets. Static by default. Yes
Use SSL Whether to use SSL/TLS when communicating with the Akeyless host. Enabled by default. Yes
Verify SSL Certificate Whether to verify the Akeyless host SSL certificate. Disable only in test environments. Yes
Use Kerberos KDC If enabled, Kerberos authentication is used to log in to the Windows target. Requires KDC host, port, transport, and domain. Applies to SSH and Windows credentials only. No
Elevate privileges with The privilege escalation method to use after login (for example, sudo). Applies to SSH credentials only. No
Escalation Credential ID The Akeyless secret path for the escalation account credentials. If not specified, the primary Credential ID is used for both login and escalation. Applies to SSH credentials only. No

Apache Cassandra

Option

Description

Authentication Method

The authentication method for providing the required credentials.

  • BeyondTrust

  • CyberArk

  • CyberArk (Legacy)

  • CyberArk Database Auto-Discovery

  • Delinea Secret Server Auto-Discovery

  • HashiCorp Vault

  • Lieberman

  • Password

  • Senhasegura

  • WALLIX Bastion

For descriptions of the options for your selected authentication type, see Database Credentials Authentication.

Database Port

The port the database listens on. The default is port 9042.

IBM DB2

The following table describes the additional options to configure for IBM DB2 credentials.

Options Description

Source

The method for providing the required credential details: Entry or Import.

  • Entry — Specifies you want to use a single SID value or SERVICE_NAME value for the credential. You must also configure the remaining options on the Add Credential page, as described in Add Credentials.

  • Import — Specifies you want to use multiple SID values for the credential, uploaded as a .csv file. For more information about the required .csv file format, see Database Credentials Authentication.

Authentication Method

The authentication method for providing the required credentials.

  • Arcon

  • BeyondTrust

  • CyberArk

  • CyberArk (Legacy)

  • CyberArk Database Auto-Discovery

  • Delinea Secret Server Auto-Discovery

  • HashiCorp Vault

  • Lieberman

  • Password

  • QiAnXin

  • Senhasegura

  • WALLIX Bastion

For descriptions of the options for your selected authentication type, see Database Credentials Authentication.

Port The TCP port that the IBM DB2 database instance listens on for communications from Tenable Security Center. The default is port 50000.
Database Name The name for your database (not the name of your instance).

Informix/DRDA

The following table describes the additional options to configure for Informix/DRDA credentials.

Options

Description

Username

The username for a user on the database.

Password

The password associated with the username you provided.

Port

The TCP port that the Informix/DRDA database instance listens on for communications from Tenable Security Center. The default is port 1526.

MongoDB

Option

Description

Username

The username for the database.

Password

The password for the supplied username.

Database

The name of the database to authenticate to.

Tip: To authenticate via LDAP or saslauthd, type $external.

Port

(Required) The TCP port that the MongoDB database instance listens on for communications from Tenable Security Center.

MySQL

The following table describes the additional options to configure for MySQL credentials.

Options Description

Source

The method for providing the required credential details: Entry or Import.

  • Entry — Specifies you want to use a single SID value or SERVICE_NAME value for the credential. You must also configure the remaining options on the Add Credential page, as described in Add Credentials.

  • Import — Specifies you want to use multiple SID values for the credential, uploaded as a .csv file. For more information about the required .csv file format, see Database Credentials Authentication.

Authentication Method

The authentication method for providing the required credentials.

  • Client Certificate

  • Arcon

  • BeyondTrust

  • CyberArk

  • CyberArk (Legacy)

  • CyberArk Database Auto-Discovery

  • Delinea Secret Server Auto-Discovery

  • HashiCorp Vault

  • Lieberman

  • QiAnXin

  • Senhasegura

  • WALLIX Bastion

For descriptions of the options for your selected authentication type, see Database Credentials Authentication.

Username The username for a user on the database.

Password

The password associated with the username you provided.
Client Certificate The PEM-formatted SSL/TLS certificate used to identify the scanner or client to the MySQL database. This certificate must be signed by a Certificate Authority (CA) that the database server trusts.
Client CA Certificate The PEM-formatted Certificate Authority (CA) certificate used to verify the authenticity of the database server's certificate. This ensures the scanner is connecting to the intended, secure host.
Client Certificate Private Key The PEM-formatted private key that corresponds to the Client Certificate. This key is used to decrypt data and prove ownership of the certificate during the handshake process.
Client Certificate Private Key Passphrase The password required to decrypt the Client Certificate Private Key, if the key was generated with encryption.
Port The TCP port that the MySQL database instance listens on for communications from Tenable Security Center. The default is port 3306.

Oracle Database

The following table describes the additional options to configure for Oracle Database credentials.

Options Description

Source

The method for providing the required credential details: Entry or Import.

  • Entry — Specifies you want to use a single SID value or SERVICE_NAME value for the credential. You must also configure the remaining options on the Add Credential page, as described in Add Credentials.

  • Import — Specifies you want to use multiple SID values for the credential, uploaded as a .csv file. For more information about the required .csv file format, see Database Credentials Authentication.

Authentication Method

The authentication method for providing the required credentials.

  • Arcon

  • BeyondTrust

  • CyberArk

  • CyberArk (Legacy)

  • CyberArk Database Auto-Discovery

  • Delinea Secret Server Auto-Discovery

  • HashiCorp Vault

  • Lieberman

  • Password

  • QiAnXin

  • Senhasegura

  • WALLIX Bastion

For descriptions of the options for your selected authentication type, see Database Credentials Authentication.

Port The TCP port that the Oracle database instance listens on for communications from Tenable Security Center. The default is port 1521.
Authentication

The type of account you want Tenable Security Center to use to access the database instance: 

  • Normal
  • System Operator
  • System Database Administrator
Service Type The Oracle parameter you want to use to specify the database instance: SID or Service Name.
Service

The SID value or SERVICE_NAME value for your database instance.

The Service value you enter must match your parameter selection for the Service Type option.

PostgreSQL

The following table describes the additional options to configure for PostgreSQL credentials.

Options Description
Authentication Method

The authentication method for providing the required credentials.

  • Arcon

  • BeyondTrust

  • CyberArk

  • CyberArk (Legacy)

  • CyberArk Database Auto-Discovery

  • Delinea Secret Server Auto-Discovery

  • HashiCorp Vault

  • Lieberman

  • Password

  • QiAnXin

  • Senhasegura

For descriptions of the options for your selected authentication type, see Database Credentials Authentication.

Port The TCP port that the PostgreSQL database instance listens on for communications from Tenable Security Center. The default is port 5432.
Database Name The name for your database instance.

SQL Server

The following table describes the additional options to configure for SQL Server credentials.

Options Description

Source

The method for providing the required credential details: Entry or Import.

  • Entry — Specifies you want to use a single SID value or SERVICE_NAME value for the credential. You must also configure the remaining options on the Add Credential page, as described in Add Credentials.

  • Import — Specifies you want to use multiple SID values for the credential, uploaded as a .csv file. For more information about the required .csv file format, see Database Credentials Authentication.

Authentication Method

The authentication method for providing the required credentials.

  • Arcon

  • BeyondTrust

  • CyberArk

  • CyberArk (Legacy)

  • CyberArk Database Auto-Discovery

  • Delinea Secret Server Auto-Discovery

  • HashiCorp Vault

  • Lieberman

  • Password

  • QiAnXin

  • Senhasegura

  • WALLIX Bastion

For descriptions of the options for your selected authentication type, see Database Credentials Authentication.

Username The username for a user on the database.

Password

The password associated with the username you provided.
Port The TCP port that the SQL Server database instance listens on for communications from Tenable Security Center. The default is port 1433.

Authentication

The type of account you want Tenable Security Center to use to access the database instance: SQL or Windows.

Instance Name The name for your database instance.

Sybase ASE

The following table describes the additional options to configure for Sybase ASE credentials.

Options Description
Authentication Method

The authentication method for providing the required credentials.

  • Arcon

  • BeyondTrust

  • CyberArk

  • CyberArk (Legacy)

  • CyberArk Database Auto-Discovery

  • Delinea Secret Server Auto-Discovery

  • HashiCorp Vault

  • Lieberman

  • Password

  • Senhasegura

  • WALLIX Bastion

For descriptions of the options for your selected authentication type, see Database Credentials Authentication.

Port The TCP port that the Sybase ASE database instance listens on for communications from Tenable Security Center. The default is port 3638.
Sybase ASE Auth Type

The type of authentication used by the Sybase ASE database: RSA or Plain Text.