Prerequisites for Linking Sensor Proxy to Tenable Security Center

To successfully link standalone or Tenable Core instances of Sensor Proxy to Tenable Security Center, your Tenable Security Center SSL/TLS certificate must meet certain requirements.

To determine if the current Tenable Security Center certificates meet those requirements, use the following procedure:

  1. Log in to the Sensor Proxy or Tenable Security Center system via SSH.

  2. Run one of the following commands, depending on which system you are logged into:

    • Sensor Proxy system

      openssl s_client -connect <securitycenter_hostname_or_ip>:443 < /dev/null 2> /dev/null | openssl x509 -noout -text | grep -A 1 'Subject Alternative Name'

    • Tenable Security Center system

      openssl x509 -noout -text -in /opt/sc/support/conf/SecurityCenter.crt | grep -A 1 'Subject Alternative Name'

  3. Depending on what command output you see, proceed in one of the following ways:

    • If no output is shown when you run the command, see Regenerate the Tenable Security Center Server Certificate in the Tenable Security Center User Guide and regenerate the server certificate. After you regenerate the server certificate, proceed to Prepare for Linking.

    • If output like the following is shown but neither the hostname nor the IP address shown matches the FQDN or IP address of the Tenable Security Center system, see Regenerate the Tenable Security Center Server Certificate in the Tenable Security Center User Guide and regenerate the server certificate.

      X509v3 Subject Alternative Name:

      DNS:sc-host-name, IP Address:10.10.10.10

      After you regenerate the server certificate, proceed to Prepare for Linking.

    • If the output is shown and the hostname and IP address shown match the FQDN or IP address of the Tenable Security Center system, proceed to Prepare for Linking.
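The three outcomes in step 3 can be scripted instead of read by eye. The following is an added example, not part of Tenable's documentation: `san_entries` and `check_san` are hypothetical helper names, the result strings are illustrative, and names and addresses are compared as literal strings (no wildcard handling).

```shell
#!/bin/sh
# Added example (not Tenable code): classify the output of the step 2 command
# into the three outcomes described in step 3.

# Split the grep output into one "<type> <value>" pair per line.
san_entries() {
    grep -v 'Subject Alternative Name' |
        tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        sed -n -e 's/^DNS:/dns /p' -e 's/^IP Address:/ip /p'
}

# Usage: <step 2 command> | check_san <expected_fqdn> <expected_ip>
# Prints one of: no-san | mismatch | match
check_san() {
    want_fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    want_ip=$2
    entries=$(san_entries)
    if [ -z "$entries" ]; then
        echo no-san       # no SAN extension: regenerate the server certificate
        return 0
    fi
    result=mismatch       # SAN present but nothing matched: regenerate
    while read -r kind value; do
        case "$kind" in
            dns)
                # DNS names are case-insensitive, so compare in lower case.
                value=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
                if [ "$value" = "$want_fqdn" ]; then result=match; fi ;;
            ip)
                if [ "$value" = "$want_ip" ]; then result=match; fi ;;
        esac
    done <<EOF
$entries
EOF
    echo "$result"        # match: proceed to Prepare for Linking
}
```

Pipe either step 2 command into `check_san` with the FQDN and IP address of the Tenable Security Center system as arguments; only `match` means the certificate is ready for linking.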

Prepare for Linking

Based on details about your organization's Tenable Security Center + Sensor Proxy setup and certificate details, you may need to perform additional checks and steps before or during the Sensor Proxy linking process.

Use the following grid to determine what linking and installation steps you need to take based on your Sensor Proxy installation type, Tenable Security Center installation type, Tenable Security Center certificates, and root CA type. If you need help finding information about your setup and certificate details, see (Optional) Gather Information.

    • Tenable Security Center Installation Type: Any Tenable Security Center installation
      Tenable Security Center Certificates: n/a
      Root CA Type: Public
      Linking and Installation Steps to Take: Proceed to Install Sensor Proxy (for standalone Sensor Proxy installation/linking) or Configure Tenable Core + Sensor Proxy in Tenable Core (for Tenable Core + Sensor Proxy installation/linking). During either installation/linking process, you do not need to specify a CA path when prompted.

    • Tenable Security Center Installation Type: Any Tenable Security Center installation
      Tenable Security Center Certificates: n/a
      Root CA Type: Tenable Security Center-generated server certificate
      Linking and Installation Steps to Take: Proceed to Install Sensor Proxy (for standalone Sensor Proxy installation/linking) or Configure Tenable Core + Sensor Proxy in Tenable Core (for Tenable Core + Sensor Proxy installation/linking). During either installation/linking process, you must specify /opt/sc/data/ca/TenableCA.crt as the CA path.

    • Tenable Security Center Installation Type: Non-Tenable Core + Tenable Security Center installations
      Tenable Security Center Certificates: n/a
      Root CA Type: Internal or Custom (possibly in /opt/sc/data/ca, but with an unknown name)
      Linking and Installation Steps to Take: Proceed to Install Sensor Proxy (for standalone Sensor Proxy installation/linking) or Configure Tenable Core + Sensor Proxy in Tenable Core (for Tenable Core + Sensor Proxy installation/linking). During either installation/linking process, you must specify the custom path to your CA.

    • Tenable Security Center Installation Type: Tenable Core + Tenable Security Center installations
      Tenable Security Center Certificates: n/a
      Root CA Type: Internal or Custom (possibly on the Tenable Core Certificate > Security Center tab > Trusted Certificate Authorities page)
      Linking and Installation Steps to Take: Proceed to Install Sensor Proxy (for standalone Sensor Proxy installation/linking) or Configure Tenable Core + Sensor Proxy in Tenable Core (for Tenable Core + Sensor Proxy installation/linking). During either installation/linking process, you must specify the custom path to your CA.

    • Tenable Security Center Installation Type: Tenable Core + Tenable Security Center installations
      Tenable Security Center Certificates: Created with Tenable Security Center packages with certificate data change
      Root CA Type: Tenable Core-generated (on the Tenable Core Certificate > Security Center tab > Trusted Certificate Authorities page)
      Linking and Installation Steps to Take: If necessary for your organization, ensure the Tenable Core server certificate matches one of the trusted certificate authorities. Once you have matched the server certificate to a trusted certificate authority, proceed to Install Sensor Proxy (for standalone Sensor Proxy installation/linking) or Configure Tenable Core + Sensor Proxy in Tenable Core (for Tenable Core + Sensor Proxy installation/linking).

(Optional) Gather Information

Determine the Origin of Your Tenable Security Center Server Certificate

  1. On the Sensor Proxy system, run the following command:

    openssl s_client -connect <securitycenter_hostname_or_ip>:443 < /dev/null 2> /dev/null | openssl x509 -noout -issuer

  2. On the Tenable Security Center system, run the following command as root/tns:

    openssl x509 -noout -issuer -in /opt/sc/support/conf/SecurityCenter.crt

    If the output from either of those commands contains:

    • CN=Locally generated Tenable Core CA

      • The certificate is Tenable Core-generated.

    • OU = "INSECURE Certificate Authority for Tenable, Inc."

      • The certificate is Tenable Security Center-generated.

    • Other value or values

      • The certificate is publicly or privately generated.

Determine the Creation Date of Your Tenable Security Center Server Certificate

  1. On the Sensor Proxy system, run the following command:

    openssl s_client -connect <securitycenter_hostname_or_ip>:443 < /dev/null 2> /dev/null | openssl x509 -noout -startdate

  2. On the Tenable Security Center system, run the following command as root/tns:

    openssl x509 -noout -startdate -in /opt/sc/support/conf/SecurityCenter.crt

    The following is an example of the command output:

    notBefore=Feb 21 16:38:22 2024 GMT

Ensure Your Tenable Core Server Certificate Matches One of Your Trusted Certificate Authorities

  1. In Tenable Core, click SSL/TLS Certificates in the left-side navigation pane.

    The SSL/TLS Certificates page appears.

  2. Click Tenable.sc.

    The Tenable Security Center certificate page appears.

  3. Note the Issuer and Issuer Organizational Unit values in the Server Certificates section.

  4. Under Trusted Certificate Authorities, ensure that one of the configured authorities has:

    • A Subject that matches the Issuer of the server certificate

    • A Subject Organizational Unit that matches the Issuer Organizational Unit of the server certificate.

      If one of the configured authorities meets these criteria, the server configuration is ready for Sensor Proxy linking.

  5. If none of the configured authorities meets these criteria, add the necessary trusted certificate to Tenable Core and repeat these steps before proceeding.