Database Credentials Authentication Method Settings
Depending on the authentication type you select for your database credentials, you must configure the following options. For more information about database credential settings, see Database Credentials.
Upload a .csv file with the credentials entered in the specified format. For descriptions of valid values to use for each item, see
You must configure either CyberArk or HashiCorp credentials for a database credential in the same scan so that Tenable.sc can retrieve the credentials.
Database Credential |
CSV Format |
---|---|
|
target, port, database_name, username, cred_manager, accountname_or_secretname |
MySQL | target, port, database_name, username, cred_manager, accountname_or_secretname |
Oracle | target, port, service_type, service_ID, username, auth_type, cred_manager, accountname_or_secretname |
SQL Server | target, port, instance_name, username, auth_type, cred_manager, accountname_or_secretname |
Note: Include the required data in the specified order, with commas between each value, without spaces. For example, for Oracle with CyberArk: 192.0.2.255,1521,SID,service_id,username,SYSDBA,CyberArk,Database-Oracle-SYS.
Note: The value for cred_manager must be either CyberArk or HashiCorp.
The following table describes the additional options to configure when using CyberArk as the Authentication Method for IBM DB2, SQL Server, MySQL, Oracle Database, or PostgreSQL database credentials.
Note: You must be running Tenable Nessus 7.0.0 or later to configure CyberArk credentials.
Option |
Database Types |
Description |
---|---|---|
Username |
All |
The username for the target system. |
Port |
All |
The port the database is listening on. |
Service Type |
Oracle Database |
The Oracle parameter you want to use to identify the database instance: SID or Service Name. |
Service |
Oracle Database |
The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. |
Database Name |
IBM D2 Postgre SQL |
The name for your database instance. |
Central Credential Provider URL Host |
All |
The IP/DNS address of the CyberArk Central Credential Provider. |
Central Credential Provider URL Port |
All |
The port the CyberArk Central Credential Provider is listening on. |
Vault Username |
All |
The username for the vault, if the CyberArk Central Credential Provider is configured for basic authentication. |
Vault Password |
All |
The password for the vault, if the CyberArk Central Credential Provider is configured for basic authentication. |
Safe |
All |
The safe on the CyberArk Central Credential Provider server that contains the credentials you want to retrieve. |
CyberArk Client Certificate |
All |
The file that contains the PEM certificate used to communicate with the CyberArk host. |
CyberArk Client Certificate Private Key |
All |
The file that contains the PEM private key for the client certificate. |
CyberArk Client Certificate Private Key Passphrase |
All |
The passphrase for the private key, if required. |
AppID |
All |
The AppID with CyberArk Central Credential Provider permissions to retrieve the target password. |
Folder |
All |
The folder on the CyberArk Central Credential Provider server that contains the credentials you want to retrieve. |
PolicyID |
All |
The PolicyID assigned to the credentials you want to retrieve from the CyberArk Central Credential Provider. |
Vault Use SSL |
All |
When enabled, Tenable.sc uses SSL through IIS for secure communications. You must configure SSL through IIS in CyberArk Central Credential Provider before enabling this option. |
Vault Verify SSL |
All |
When enabled, Tenable.sc validates the SSL certificate. You must configure SSL through IIS in CyberArk Central Credential Provider before enabling this option. For more information about using self-signed certificates, see the Nessus custom_CA.inc documentation. |
CyberArk AIM Service URL |
All |
The URL for the CyberArk AIM web service. By default, Tenable.sc uses /AIMWebservice/v1.1/AIM.asmx. |
The following table describes the additional options to configure when using Password as the Authentication Method for database credentials.
Option |
Database Types | Description |
---|---|---|
Username |
All |
The username for a user on the database. |
Password |
All |
The password associated with the username you provided. |
Port |
All |
The port the database is listening on. |
Database Name |
IBM D2 PostgreSQL |
The name for your database instance. |
Authentication |
Oracle Database SQL Server |
The type of account you want Tenable.sc to use to access the database instance. |
Service Type |
Oracle Database |
The Oracle parameter you want to use to identify the database instance: SID or Service Name. |
Service |
Oracle Database |
The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. |
Instance Name |
SQL Server |
The name for your database instance. |
The following table describes the additional options to configure when using Lieberman as the Authentication Method for IBM DB2, SQL Server, MySQL, Oracle Database, or PostgreSQL database credentials.
Note: You must meet the version requirements specified in Tenable Integrated Product Compatibility.
Option |
Database Types |
Description |
---|---|---|
Username |
All |
The username for a user on the database. |
Port |
All |
The port the database is listening on. |
Database Name |
IBM DB2 PostgreSQL |
The name for your database instance. |
Authentication |
Oracle Database SQL Server |
The type of account you want Tenable.sc to use to access the database instance. |
Service Type |
Oracle Database |
The Oracle parameter you want to use to identify the database instance: SID or Service Name. |
Service |
Oracle Database |
The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. |
Instance Name |
SQL Server |
The name for your database instance. |
Lieberman Host |
All |
The Lieberman IP address or DNS address. |
Lieberman Port |
All |
The port Lieberman is listening on. |
Lieberman User |
All |
The username for the Lieberman explicit user you want Tenable.sc to use for authentication to the Lieberman Rapid Enterprise Defense (RED) API. |
Lieberman Password |
All |
The password for the Lieberman explicit user. |
Use SSL |
All |
When enabled, Tenable.sc uses SSL through IIS for secure communications. You must configure SSL through IIS in Lieberman before enabling this option. |
Verify SSL Certificate |
All |
When enabled, Tenable.sc validates the SSL certificate. You must configure SSL through IIS in Lieberman before enabling this option. |
System Name |
All |
The name for the database credentials in Lieberman. |
The following table describes the additional options to configure when using Hashicorp Vault as the Authentication Method for IBM DB2, SQL Server, MySQL, Oracle Database, or PostgreSQL database credentials.
Option | Credential | Description | Required |
---|---|---|---|
Port |
Oracle Database IBM DB2 MySQL PostgreSQL SQL Server |
The port on which Tenable.sc communicates with the database. | yes |
SID | MySQL | The security identifier used to connect to the database. | yes |
Database Name |
IBM DB2 PostgreSQL |
The name of the database. | no |
Instance Name | SQL Server | The SQL server name. | yes |
Hashicorp Host |
All |
The Hashicorp Vault IP address or DNS address. Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. |
yes |
Hashicorp Port |
All |
The port on which Hashicorp Vault listens. |
yes |
Service Type | Oracle Database | The unique SID or Service Name that identifies your database. | yes |
Service | Oracle Database |
The SID or Service Name value for your database instance. Note: The Service value must match the Service Type option parameter selection. |
yes |
Authentication Type |
All |
Specifies the authentication type for connecting to the instance: App Role or Certificates. |
yes |
Client Cert | All | If Authentication Type is Certificates, the client certificate file you want to use to authenticate the connection. | yes |
Private Key | All | If Authentication Type is Certificates, the private key file associated with the client certificate you want to use to authenticate the connection. | yes |
Role ID |
All |
The GUID provided by Hashicorp Vault when you configured your App Role. |
yes |
Role Secret ID | All |
The GUID generated by Hashicorp Vault when you configured your App Role. |
yes |
Authentication URL | All |
The path/subdirectory to the authentication endpoint. This is not the full URL. For example: /v1/auth/approle/login |
yes |
Namespace | All | The name of a specified team in a multi-team environment. | no |
Hashicorp Vault Type | All |
The type of Hashicorp Vault secrets engine:
|
yes |
KV Engine URL | All |
The URL Tenable.sc uses to access the Hashicorp Vault secrets engine. Example: /v1/path_to_secret. No trailing / |
yes |
Username Source |
All |
(Only displays if Hashicorp Vault Type is KV1 or KV2) Specifies if the username is input manually or pulled from Hashicorp Vault. |
yes |
Username key | All | (Only displays if Hashicorp Vault Type is KV1 or KV2) The name in Hashicorp Vault that usernames are stored under. | no |
Username |
All |
(Only displays if Username Source is Manual Entry) The name in Hashicorp Vault that usernames are stored under. |
yes |
Password key | All | (Only displays if Hashicorp Vault Type is KV1 or KV2) The key in Hashicorp Vault that passwords are stored under. | no |
Secret Name | All | The key secret you want to retrieve values for. | yes |
Use SSL | All | When enabled, Tenable.sc uses SSL for secure communications. You must configure SSL in Hashicorp Vault before enabling this option. | no |
Verify SSL | All | When enabled, Tenable.sc validates the SSL certificate. You must configure SSL in Hashicorp Vault before enabling this option. | no |
The following table describes the additional options to configure when using Wallix Bastion as the Authentication Method for Apache Cassandra, IBM DB2, MySQL, Oracle Database, SQL Server, or Sybase ASE database credentials.
Option | Description | Required |
---|---|---|
Port |
The port the database is listening on. |
no |
WALLIX Host |
The IP address for the WALLIX Bastion host. |
yes |
WALLIX Port |
The port on which the WALLIX Bastion API communicates. By default, Tenable uses 443. |
yes |
Authentication Type |
Basic authentication (with WALLIX Bastion user interface username and Password requirements) or API Key authentication (with username and WALLIX Bastion-generated API key requirements). |
no |
WALLIX User |
Your WALLIX Bastion user interface login username. |
yes |
WALLIX Password | Your WALLIX Bastion user interface login password. Used for Basic authentication to the API. | yes |
WALLIX API Key | The API key generated in the WALLIX Bastion user interface. Used for API Key authentication to the API. | yes |
Get Credential by Device Account Name |
The account name associated with a Device you want to log in to the target systems with. Note: If your device has more than one account you must enter the specific device name for the account you want to retrieve credentials for. Failure to do this may result in credentials for the wrong account returned by the system. |
Required only if you have a target and/or device with multiple accounts. |
HTTPS |
This is enabled by default. Caution: The integration fails if you disable HTTPS. |
yes |
Verify SSL Certificate |
This is disabled by default and is not supported in WALLIX Bastion PAM integrations. |
no |