Database Credentials Authentication Method Settings

Depending on the authentication type you select for your database credentials, you must configure the following options. For more information about database credential settings, see Database Credentials.

Import

Upload a .csv file with the credentials entered in the specified format. For descriptions of valid values to use for each item, see Database Credentials.

You must configure either CyberArk or HashiCorp credentials for a database credential in the same scan so that Tenable.sc can retrieve the credentials.

Database Credential

CSV Format

IBM DB2 target, port, database_name, username, cred_manager, accountname_or_secretname
MySQL target, port, database_name, username, cred_manager, accountname_or_secretname
Oracle target, port, service_type, service_ID, username, auth_type, cred_manager, accountname_or_secretname
SQL Server target, port, instance_name, username, auth_type, cred_manager, accountname_or_secretname

Note: Include the required data in the specified order, with commas between each value, without spaces. For example, for Oracle with CyberArk: 192.0.2.255,1521,SID,service_id,username,SYSDBA,CyberArk,Database-Oracle-SYS.

Note: The value for cred_manager must be either CyberArk or HashiCorp.

CyberArk Options

The following table describes the additional options to configure when using CyberArk as the Authentication Method for IBM DB2, SQL Server, MySQL, Oracle Database, or PostgreSQL database credentials.

Note: You must be running Nessus 7.0.0 or later to configure CyberArk credentials.

Option Database Types Description

Username

All

The username for the target system.

Port All The port the database is listening on.
Service Type Oracle Database The Oracle parameter you want to use to identify the database instance: SID or Service Name.
Service Oracle Database

The SID value for your database instance or a SERVICE_NAME value.

The Service value you enter must match your parameter selection for the Service Type option.

Database Name

IBM D2

Postgre SQL

The name for your database instance.

Central Credential Provider URL Host

All

The IP/DNS address of the CyberArk Central Credential Provider.

Central Credential Provider URL Port

All

The port the CyberArk Central Credential Provider is listening on.

Vault Username

All

The username for the vault, if the CyberArk Central Credential Provider is configured for basic authentication.

Vault Password

All

The password for the vault, if the CyberArk Central Credential Provider is configured for basic authentication.

Safe

All

The safe on the CyberArk Central Credential Provider server that contains the credentials you want to retrieve.

CyberArk Client Certificate All The file that contains the PEM certificate used to communicate with the CyberArk host.
CyberArk Client Certificate Private Key All The file that contains the PEM private key for the client certificate.
CyberArk Client Certificate Private Key Passphrase All The passphrase for the private key, if required.

AppID

All

The AppID with CyberArk Central Credential Provider permissions to retrieve the target password.

Folder

All

The folder on the CyberArk Central Credential Provider server that contains the credentials you want to retrieve.

PolicyID All  

Vault Use SSL

All

When enabled, Tenable.sc uses SSL through IIS for secure communications. You must configure SSL through IIS in CyberArk Central Credential Provider before enabling this option.

Vault Verify SSL

All

When enabled, Tenable.sc validates the SSL certificate. You must configure SSL through IIS in CyberArk Central Credential Provider before enabling this option.

For more information about using self-signed certificates, see the Nessus custom_CA.inc documentation.

CyberArk AIM Service URL All

The URL for the CyberArk AIM web service. By default, Tenable.sc uses /AIMWebservice/v1.1/AIM.asmx.

Password Options

The following table describes the additional options to configure when using Password as the Authentication Method for database credentials.

Option Database Types Description
Username All The username for a user on the database.
Password All The password associated with the username you provided.
Port All The port the database is listening on.
Database Name

IBM D2

PostgreSQL

The name for your database instance.
Authentication

Oracle Database

SQL Server

The type of account you want Tenable.sc to use to access the database instance.
Service Type Oracle Database The Oracle parameter you want to use to identify the database instance: SID or Service Name.
Service Oracle Database

The SID value for your database instance or a SERVICE_NAME value.

The Service value you enter must match your parameter selection for the Service Type option.

Instance Name SQL Server The name for your database instance.

Lieberman Options

The following table describes the additional options to configure when using Lieberman as the Authentication Method for IBM DB2, SQL Server, MySQL, Oracle Database, or PostgreSQL database credentials.

Note: You must meet the version requirements specified in Tenable Integrated Product Compatibility.

Option Database Types Description
Username

All

The username for a user on the database.
Port

All

The port the database is listening on.
Database Name

IBM DB2

PostgreSQL

The name for your database instance.
Authentication

Oracle Database

SQL Server

The type of account you want Tenable.sc to use to access the database instance.
Service Type Oracle Database The Oracle parameter you want to use to identify the database instance: SID or Service Name.
Service Oracle Database

The SID value for your database instance or a SERVICE_NAME value.

The Service value you enter must match your parameter selection for the Service Type option.

Instance Name

SQL Server

The name for your database instance.
Lieberman Host

All

The Lieberman IP address or DNS address.
Lieberman Port

All

The port Lieberman is listening on.
Lieberman User

All

The username for the Lieberman explicit user you want Tenable.sc to use for authentication to the Lieberman Rapid Enterprise Defense (RED) API.

Lieberman Password

All

The password for the Lieberman explicit user.

Use SSL

All

When enabled, Tenable.sc uses SSL through IIS for secure communications. You must configure SSL through IIS in Lieberman before enabling this option.

Verify SSL Certificate

All

When enabled, Tenable.sc validates the SSL certificate. You must configure SSL through IIS in Lieberman before enabling this option.

System Name

All

The name for the database credentials in Lieberman.

Hashicorp Vault Options

The following table describes the additional options to configure when using Hashicorp Vault as the Authentication Method for IBM DB2, SQL Server, MySQL, Oracle Database, or PostgreSQL database credentials.

Option Credential Description Required
Port

Oracle Database

IBM DB2

MySQL

PostgreSQL

SQL Server

The port on which Tenable.sc communicates with the database. yes
SID MySQL The security identifier used to connect to the database. yes
Database Name

IBM DB2

PostgreSQL

The name of the database. no
Instance Name SQL Server The SQL server name. yes

Hashicorp Host

All

The Hashicorp Vault IP address or DNS address.

Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

yes

Hashicorp Port

All

The port on which Hashicorp Vault listens.

yes
Service Type Oracle Database The unique SID or Service Name that identifies your database. yes
Service Oracle Database

The SID or Service Name value for your database instance.

Note: The Service value must match the Service Type option parameter selection.

yes

Authentication Type

All

Specifies the authentication type for connecting to the instance: App Role or Certificates.

yes
Client Cert All If Authentication Type is Certificates, the client certificate file you want to use to authenticate the connection. yes
Private Key All If Authentication Type is Certificates, the private key file associated with the client certificate you want to use to authenticate the connection. yes

Role ID

All

The GUID provided by Hashicorp Vault when you configured your App Role.

yes
Role Secret ID All

The GUID generated by Hashicorp Vault when you configured your App Role.

yes
Authentication URL All

The path/subdirectory to the authentication endpoint. This is not the full URL. For example:

/v1/auth/approle/login

yes
Namespace All The name of a specified team in a multi-team environment. no
Hashicorp Vault Type All

The type of Hashicorp Vault secrets engine: 

  • KV1 — Key/Value Secrets Engine Version 1
  • KV2 — Key/Value Secrets Engine Version 2
  • AD — Active Directory
yes
KV Engine URL All The URL Tenable.sc uses to access the Hashicorp Vault secrets engine. yes

Username Source

All

(Only displays if Hashicorp Vault Type is KV1 or KV2) Specifies if the username is input manually or pulled from Hashicorp Vault.

yes
Username key All (Only displays if Hashicorp Vault Type is KV1 or KV2) The name in Hashicorp Vault that usernames are stored under. no

Username

All

(Only displays if Username Source is Manual Entry) The name in Hashicorp Vault that usernames are stored under.

yes
Password key All (Only displays if Hashicorp Vault Type is KV1 or KV2) The key in Hashicorp Vault that passwords are stored under. no
Secret Name All The key secret you want to retrieve values for. yes
Use SSL All When enabled, Tenable.sc uses SSL for secure communications. You must configure SSL in Hashicorp Vault before enabling this option. no
Verify SSL All When enabled, Tenable.sc validates the SSL certificate. You must configure SSL in Hashicorp Vault before enabling this option. no