Database Credentials Authentication Method Settings
Depending on the authentication type you select for your database credentials, you must configure the following options. For more information about database credential settings, see Database Credentials.
Import Credentials
Upload a .csv file with the credentials entered in the specified format. For descriptions of valid values to use for each item, see Database Credentials.
You must configure either CyberArk or Hashicorp credentials for a database credential in the same scan so that Tenable Security Center can retrieve the credentials.
|
Database Credential |
CSV Format |
|---|---|
| IBM DB2 | target, port, database_name, username, cred_manager, accountname_or_secretname |
| MySQL | target, port, database_name, username, cred_manager, accountname_or_secretname |
| Oracle | target, port, service_type, service_ID, username, auth_type, cred_manager, accountname_or_secretname |
| SQL Server | target, port, instance_name, username, auth_type, cred_manager, accountname_or_secretname |
Note: Include the required data in the specified order, with commas between each value, without spaces. For example, for Oracle with CyberArk: 192.0.2.255,1521,SID,service_id,username,SYSDBA,CyberArk,Database-Oracle-SYS.
Note: The value for cred_manager must be either CyberArk or Hashicorp.
Arcon Options
The following table describes the additional options to configure when using Arcon as the Authentication Method for IBM DB2, SQL Server, MySQL, Oracle Database, PostgreSQL, or Sybase ASE database credentials.
| Option | Description |
|---|---|
| Arcon Host |
(Required) The Arcon IP address or DNS address. Note: If your Arcon installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. |
| Arcon Port | (Required) The port on which Arcon listens. By default, Tenable Security Center uses port 444. |
| API User | (Required) The API user provided by Arcon. |
| API Key | (Required) The API key provided by Arcon. |
| Authentication URL | (Required) The URL Tenable Security Center uses to access Arcon. |
| Password Engine URL |
(Required) The URL Tenable Security Center uses to access the passwords in Arcon. |
| Username | (Required) The username to log in to the hosts you want to scan. |
| Checkout Duration |
(Required) The length of time, in hours, that you want to keep credentials checked out in Arcon. Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails. Tip: Configure the password change interval in Arcon so that password changes do not disrupt your Tenable Security Center scans. If Arcon changes a password during a scan, the scan fails. |
| Use SSL | When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in Arcon before enabling this option. |
| Verify SSL Certificate | When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Arcon before enabling this option. |
CyberArk Options
The following table describes the additional options to configure when using CyberArk as the Authentication Method for Apache Cassandra, IBM DB2, MySQL, Oracle Database, PostgreSQL, SQL Server, or Sybase ASE database credentials.
Note: You must be running Tenable Nessus 7.0.0 or later to configure CyberArk credentials.
| Option | Description | Required |
|---|---|---|
|
CyberArk Host |
The IP address or FQDN name for the CyberArk AIM Web Service. This can be the host, or the host with a custom URL added on in a single string. |
yes |
|
Port |
The port on which the CyberArk API communicates. By default, Tenable uses 443. |
yes |
|
AppID |
The Application ID associated with the CyberArk API connection. |
yes |
| Client Certificate |
The file that contains the PEM certificate used to communicate with the CyberArk host. Note: Customers self-hosting CyberArk CCP on a Windows Server 2022 and above should follow the guidance found in Tenable’s Community post about CyberArk Client Certification Authentication Issue. |
no |
| Client Certificate Private Key | The file that contains the PEM private key for the client certificate. |
yes, if private key is applied |
| Client Certificate Private Key Passphrase | The passphrase for the private key, if required. |
yes, if private key is applied |
| Get credential by |
The method with which your CyberArk API credentials are retrieved. Can be Username, Identifier, or Address. Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier. |
yes |
| Account Name | (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. | no |
| Address |
(If Get credential by is Address) The address unique to the CyberArk API credential. |
no |
| Username |
(If Get credential by is Username) The username of the CyberArk user to request a password from. |
no |
| Safe |
The CyberArk safe the credential should be retrieved from. |
no |
|
Use SSL |
If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS. |
no |
|
Verify SSL Certificate |
If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate. |
no |
CyberArk (Legacy) Options
The following table describes the additional options to configure when using CyberArk (Legacy) as the Authentication Method for Apache Cassandra, IBM DB2, MySQL, Oracle Database, PostgreSQL, SQL Server, or Sybase ASE database credentials.
Note: You must be running Tenable Nessus 7.0.0 or later to configure CyberArk credentials.
| Option | Database Types | Description |
Required |
|---|---|---|---|
|
Username |
All |
The target system’s username. |
yes |
|
Central Credential Provider Host |
All |
The CyberArk Central Credential Provider IP/DNS address. |
yes |
|
Central Credential Provider Port |
All |
The port on which the CyberArk Central Credential Provider is listening. |
yes |
|
CyberArk AIM Service URL |
All |
The URL of the AIM service. By default, this field uses |
no |
| Central Credential Provider Username | All |
If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication. |
no |
| Central Credential Provider Password | All |
If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication. |
no |
|
CyberArk Safe |
All |
The safe on the CyberArk Central Credential Provider server that contained the authentication information you would like to retrieve. |
no |
| CyberArk Client Certificate | All | The file that contains the PEM certificate used to communicate with the CyberArk host. | no |
| CyberArk Client Certificate Private Key | All | The file that contains the PEM private key for the client certificate. | no |
| CyberArk Client Certificate Private Key Passphrase | All | The passphrase for the private key, if your authentication implementation requires it. | no |
|
CyberArk AppId |
All |
The AppId that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password. |
yes |
|
CyberArk Folder |
All |
The folder on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve. |
no |
|
CyberArk Account Details Name |
All |
The unique name of the credential you want to retrieve from CyberArk. |
yes |
| PolicyId | All | The PolicyID assigned to the credentials that you want to retrieve from the CyberArk Central Credential Provider. | no |
|
Use SSL |
All |
If CyberArk Central Credential Provider is configured to support SSL through IIS check for secure communication. |
no |
|
Verify SSL Certificate |
All |
If CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate, select this option. Refer to the custom_CA.inc documentation for how to use self-signed certificates. |
no |
|
Database Port |
All |
The port on which Tenable Security Center communicates with the database. |
yes |
| Database Name |
DB2 PostgreSQL |
The name of the database. | no |
| Auth type |
Oracle SQL Server Sybase ASE |
SQL Server values include:
Oracle values include:
Sybase ASE values include:
|
yes |
| Instance Name | SQL Server | The name for your database instance. | no |
| Service type | Oracle |
Valid values include:
|
yes |
| Service | Oracle | The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. | no |
CyberArk Database Auto-Discovery Options
The following table describes the additional options to configure when using CyberArk Database Auto-Discovery as the Authentication Method for Apache Cassandra, IBM DB2, MySQL, Oracle Database, PostgreSQL, SQL Server, or Sybase ASE database credentials.
Note: You must be running Tenable Nessus 7.0.0 or later to configure CyberArk credentials.
| Option | Description | Required |
|---|---|---|
|
CyberArk Host |
The IP address or FQDN name for the user’s CyberArk Instance. |
yes |
|
Port |
The port on which the CyberArk API communicates. By default, Tenable uses 443. |
yes |
|
AppID |
The Application ID associated with the CyberArk API connection. |
yes |
| Safe |
Users may optionally specify a Safe to gather account information and request passwords. |
no |
| AIM WebService Authentication Type | There are two authentication methods established in the feature. IIS Basic Authentication and Certificate Authentication. Certificate Authentication can be either encrypted or unencrypted. |
yes |
| Client Certificate | The file that contains the PEM-formatted certificate used to communicate with the host. | no |
| Client Certificate Private Key | The file that contains the PEM-formatted private key for the client certificate. | no |
| Client Certificate Private Key Passphrase | The passphrase for the private key, if required. | no |
| CyberArk PVWA Web UI Login Name | Username to log in to CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information. |
yes |
| CyberArk PVWA Web UI Login Password | Password for the username to log in to CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information. |
yes |
| CyberArk Platform Search String |
String used in the PVWA REST API query parameters to gather bulk account information. For example, the user can enter Oracle Admin TestSafe, to gather all Oracle platform accounts containing a username Admin in a Safe called TestSafe. Note: This is a non-exact keyword search. A best practice would be to create a custom platform name in CyberArk and enter that value in this field to improve accuracy. |
yes |
|
Use SSL |
If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS. |
yes |
|
Verify SSL Certificate |
If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate. |
no |
Hashicorp Vault Options
The following table describes the additional options to configure when using Hashicorp Vault as the Authentication Method for Apache Cassandra, IBM DB2, SQL Server, MySQL, Oracle Database, PostgreSQL, or Sybase ASE database credentials.
| Option | Credential | Description | Required |
|---|---|---|---|
| Port |
Oracle Database IBM DB2 MySQL PostgreSQL SQL Server |
The port on which Tenable Security Center communicates with the database. | yes |
| SID | MySQL | The security identifier used to connect to the database. | yes |
| Database Name |
IBM DB2 PostgreSQL |
The name of the database. | no |
| Instance Name | SQL Server | The SQL server name. | yes |
|
Hashicorp Host |
All |
The Hashicorp Vault IP address or DNS address. Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. |
yes |
|
Hashicorp Port |
All |
The port on which Hashicorp Vault listens. |
yes |
| Service Type | Oracle Database | The unique SID or Service Name that identifies your database. | yes |
| Service | Oracle Database |
The SID or Service Name value for your database instance. Note: The Service value must match the Service Type option parameter selection. |
yes |
|
Authentication Type |
All |
Specifies the authentication type for connecting to the instance: App Role or Certificates. |
yes |
| Client Cert | All | If Authentication Type is Certificates, the client certificate file you want to use to authenticate the connection. | yes |
| Private Key | All | If Authentication Type is Certificates, the private key file associated with the client certificate you want to use to authenticate the connection. | yes |
|
Role ID |
All |
The GUID provided by Hashicorp Vault when you configured your App Role. |
yes |
| Role Secret ID | All |
The GUID generated by Hashicorp Vault when you configured your App Role. |
yes |
| Authentication URL | All |
The path/subdirectory to the authentication endpoint. This is not the full URL. For example: /v1/auth/approle/login |
yes |
| Namespace | All | The name of a specified team in a multi-team environment. | no |
| Hashicorp Vault Type | All |
The type of Hashicorp Vault secrets engine:
|
yes |
|
KV1 Engine URL KV2 Engine URL AD Engine URL LDAP Engine URL |
All |
The engine URL combines with the secret name to form the API request URL. For example, a secret name of creds and a KV v1 engine url of /v1/secret would result in a GET request to /v1/secret/creds (for KV v2, /v1/secret/data/creds). |
yes |
|
Username Source |
All |
(Appears when Hashicorp Vault Type is KV1 or KV2) Specifies if the username is input manually or pulled from Hashicorp Vault. |
yes |
| Username key | All | (Appears when Hashicorp Vault Type is KV1 or KV2) The name in Hashicorp Vault that usernames are stored under. | no |
|
Username |
All |
(Appears when Username Source is Manual Entry) The name in Hashicorp Vault that usernames are stored under. |
yes |
| Password key | All | (Appears when Hashicorp Vault Type is KV1 or KV2) The key in Hashicorp Vault that passwords are stored under. | no |
| Secret Name | All | The key secret you want to retrieve values for. | yes |
| Use SSL | All | When enabled, Tenable Security Center uses SSL for secure communications. You must configure SSL in Hashicorp Vault before enabling this option. | no |
| Verify SSL | All | When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL in Hashicorp Vault before enabling this option. | no |
Lieberman Options
The following table describes the additional options to configure when using Lieberman as the Authentication Method for Apache Cassandra, IBM DB2, SQL Server, MySQL, Oracle Database, PostgreSQL, or Sybase ASE database credentials.
Note: You must meet the version requirements specified in Tenable Integrated Product Compatibility.
|
Option |
Database Types |
Description |
|---|---|---|
|
Username |
All |
The username for a user on the database. |
|
Port |
All |
The port the database is listening on. |
|
Database Name |
IBM DB2 PostgreSQL |
The name for your database instance. |
|
Authentication |
Oracle Database SQL Server |
The type of account you want Tenable Security Center to use to access the database instance. |
|
Service Type |
Oracle Database |
The Oracle parameter you want to use to identify the database instance: SID or Service Name. |
|
Service |
Oracle Database |
The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. |
|
Instance Name |
SQL Server |
The name for your database instance. |
|
Lieberman Host |
All |
The Lieberman IP address or DNS address. |
|
Lieberman Port |
All |
The port Lieberman is listening on. |
|
Lieberman User |
All |
The username for the Lieberman explicit user you want Tenable Security Center to use for authentication to the Lieberman Rapid Enterprise Defense (RED) API. |
|
Lieberman Password |
All |
The password for the Lieberman explicit user. |
|
Use SSL |
All |
When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in Lieberman before enabling this option. |
|
Verify SSL Certificate |
All |
When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Lieberman before enabling this option. |
|
System Name |
All |
The name for the database credentials in Lieberman. |
Password Options
The following table describes the additional options to configure when using Password as the Authentication Method for Apache Cassandra, IBM DB2, SQL Server, MySQL, Oracle Database, PostgreSQL, or Sybase ASE database credentials.
|
Option |
Database Types | Description |
|---|---|---|
|
Username |
All |
The username for a user on the database. |
|
Password |
All |
The password associated with the username you provided. |
|
Port |
All |
The port the database is listening on. |
|
Database Name |
IBM D2 PostgreSQL |
The name for your database instance. |
|
Authentication |
Oracle Database SQL Server |
The type of account you want Tenable Security Center to use to access the database instance. |
|
Service Type |
Oracle Database |
The Oracle parameter you want to use to identify the database instance: SID or Service Name. |
|
Service |
Oracle Database |
The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. |
|
Instance Name |
SQL Server |
The name for your database instance. |
WALLIX Bastion Options
The following table describes the additional options to configure when using WALLIX Bastion as the Authentication Method for Apache Cassandra, IBM DB2, MySQL, Oracle Database, SQL Server, or Sybase ASE database credentials.
| Option | Description | Required |
|---|---|---|
| Port |
The port the database is listening on. |
no |
|
WALLIX Host |
The IP address for the WALLIX Bastion host. |
yes |
|
WALLIX Port |
The port on which the WALLIX Bastion API communicates. By default, Tenable uses 443. |
yes |
|
Authentication Type |
Basic authentication (with WALLIX Bastion user interface username and Password requirements) or API Key authentication (with username and WALLIX Bastion-generated API key requirements). |
no |
| WALLIX User |
Your WALLIX Bastion user interface login username. |
yes |
| WALLIX Password | Your WALLIX Bastion user interface login password. Used for Basic authentication to the API. | yes |
| WALLIX API Key | The API key generated in the WALLIX Bastion user interface. Used for API Key authentication to the API. | yes |
| Get Credential by Device Account Name |
The account name associated with a Device you want to log in to the target systems with. Note: If your device has more than one account you must enter the specific device name for the account you want to retrieve credentials for. Failure to do this may result in credentials for the wrong account returned by the system. |
Required only if you have a target and/or device with multiple accounts. |
|
HTTPS |
This is enabled by default. Caution: The integration fails if you disable HTTPS. |
yes |
|
Verify SSL Certificate |
This is disabled by default and is not supported in WALLIX Bastion PAM integrations. |
no |