Database Credentials

Note: Some credential types may not be available for configuration, depending on the scan template you selected.

The following topic describes the available Database credentials.

Akeyless PAM

Option Description Required
Akeyless Host The hostname or IP address of your Akeyless instance. For the Akeyless SaaS platform, use api.akeyless.io. Yes
Akeyless Port The port on which the Akeyless API communicates. By default, Tenable uses 443. Yes
Akeyless API URL An optional base URL path appended to the host when constructing API requests. Leave blank for the default Akeyless SaaS or gateway API. No
Access ID The Access ID associated with your Akeyless authentication method. This value begins with p- for SaaS auth methods. Yes
Authentication Method The method used to authenticate to Akeyless. Select Access Key, Universal Identity, or Certificate. Yes
Access Key The Access Key secret corresponding to the Access ID. Displayed when the Authentication Method is set to Access Key. Yes (if using Access Key authentication)
UID Token Source Whether to supply the Universal Identity token directly or read it from a file on the scanner. Possible options are Manual and File. Displayed when the Authentication Method is set to Universal Identity. Yes (if using Universal ID authentication)
Universal Identity Token The UID token used for Universal Identity authentication. Displayed when UID Token Source is set to Manual. Yes (if using manual Universal ID entry)
Universal Identity Token File The absolute path to a file on the Tenable Nessus scanner host that contains the UID token. Displayed when UID Token Source is set to File. Yes (if using file-based Universal Identity)
Client Certificate The PEM-format client certificate file used for certificate-based (mTLS) authentication. Displayed when the Authentication Method is set to Certificate. Yes (if using Certificate Authentication)
Private Key The PEM-format private key file corresponding to the client certificate. Displayed when the Authentication Method is set to Certificate. Yes (if using Certificate Authentication)
Passphrase For Private Key The passphrase protecting the private key, if the key is encrypted. Displayed when the Authentication Method is set to Certificate. No
Credential ID The full path of the Akeyless secret that contains the target login credentials, for example /scan/linux/webserver. Yes
Secret Type The type of Akeyless secret to retrieve. Select Static for static secrets or Rotated for rotated secrets. Static by default. Yes
Use SSL Whether to use SSL/TLS when communicating with the Akeyless host. Enabled by default. Yes
Verify SSL Certificate Whether to verify the Akeyless host SSL certificate. Disable only in test environments. Yes
Use Kerberos KDC If enabled, Kerberos authentication is used to log in to the Windows target. Requires KDC host, port, transport, and domain. Applies to SSH and Windows credentials only. No
Elevate privileges with The privilege escalation method to use after login (for example, sudo). Applies to SSH credentials only. No
Escalation Credential ID The Akeyless secret path for the escalation account credentials. If not specified, the primary Credential ID is used for both login and escalation. Applies to SSH credentials only. No

Cassandra

Option

Description

Auth Type

The authentication method for providing the required credentials.

  • Password

  • CyberArk

  • Lieberman

  • HashiCorp Vault

For descriptions of the options for your selected authentication type, see Database Credentials Authentication Types.

Port

The port the database listens on. The default is port 9042.

Delinea Secret Server Auto-Discovery

Option Description Required

Delinea Host

The Delinea Secret Server host to pull the secrets from.

yes

Delinea Port

The Delinea Secret Server Port for API requests. By default, Tenable uses 443.

yes

Delinea Authentication Method

Indicates whether to use credentials or an API key for authentication. By default, credentials are selected.

  • Platform
  • Credentials
  • An API key

Note: By default, Credentials is selected.

yes
Delinea Login Name

The username to authenticate to the Delinea server.

Yes. Authentication Method: Credential
Delinea Password

The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided.

Yes. Authentication Method: Credential

Delinea API key

The API key provided by Delinea Secret Server.

Yes. Authentication Method: An API Key
Delinea Platform Host

The Delinea Platform Host IP address or Domain name.

Yes. Authentication Method: Platform
Delinea Service Account ID

The application account Delinea platform REST API

Yes. Authentication Method: Platform
Query Mode Choose to query accounts using pre-set fields or by constructing a string of URL query parameters. By default, Simple is selected.

yes

Folder ID

Query accounts with the given folder ID. This option is only available if query mode is set to Simple.

No

Search Text

Query accounts matching the given search text. This option is only available if query mode is set to Simple.

no

Search Field

The field to search using the given search text. If not specified, the query will search the name field. This option is only available if query mode is set to Simple.

no

Exact Match Perform an exact match against the search text. By default, this is unselected. This option is only available if query mode is set to Simple.

no

Query String Provide a string of URL query parameters. This option is only available (and required) if the query mode is set to Advanced.

yes

Use Private Key Use key-based authentication for SSH connections instead of password authentication.

no

Use SSL Use SSL for secure communications.

yes

Verify SSL Certificate Verify the Delinea Secret Server SSL certificate.

no

DB2

The following table describes the additional options to configure for DB2 credentials.

Options Description
Auth Type

The authentication method for providing the required credentials.

  • Password

  • Import

  • CyberArk

  • Lieberman

  • HashiCorp Vault

For descriptions of the options for your selected authentication type, see Database Credentials Authentication Types.

Database Port The TCP port that the IBM DB2 database instance listens on for communications from Tenable Vulnerability Management. The default is port 50000.
Database Name The name for your database (not the name of your instance).

MongoDB

Option

Description

Auth Type

The authentication method for providing the required credentials.

Note: This option is only available for non-legacy versions of the MongoDB authentication method.

  • Password

  • Client Certificate

  • CyberArk

  • Lieberman

  • HashiCorp Vault

For descriptions of the options for your selected authentication type, see Database Credentials Authentication Types.

Username

(Required) The username for the database.

Password

(Required) The password for the supplied username.

Database

The name of the database to authenticate to.

Tip: To authenticate via LDAP or saslauthd, type $external.

Port

(Required) The TCP port that the MongoDB database instance listens on for communications from Tenable Vulnerability Management.

MySQL

The following table describes the additional options to configure for MySQL credentials.

Options Description
Auth Type

The authentication method for providing the required credentials.

  • Client Certificate

  • Password

  • Import

  • CyberArk

  • Lieberman

  • HashiCorp Vault

For descriptions of the options for your selected authentication type, see Database Credentials Authentication Types.

Username The username for a user on the database.

Password

The password associated with the username you provided.
Client Certificate The PEM-formatted SSL/TLS certificate used to identify the scanner or client to the MySQL database. This certificate must be signed by a Certificate Authority (CA) that the database server trusts.
Client CA Certificate The PEM-formatted Certificate Authority (CA) certificate used to verify the authenticity of the database server's certificate. This ensures the scanner is connecting to the intended, secure host.
Client Certificate Private Key The PEM-formatted private key that corresponds to the Client Certificate. This key is used to decrypt data and prove ownership of the certificate during the handshake process.
Client Certificate Private Key Passphrase The password required to decrypt the Client Certificate Private Key, if the key was generated with encryption.
Database Port The TCP port that the MySQL database instance listens on for communications from Tenable Vulnerability Management. The default is port 3306.

Oracle

The following table describes the additional options to configure for Oracle credentials.

Options Description
Auth Type

The authentication method for providing the required credentials.

  • Password

  • Import

  • CyberArk

  • Lieberman

  • HashiCorp Vault

For descriptions of the options for your selected authentication type, see Database Credentials Authentication Types.

Database Port The TCP port that the Oracle database instance listens on for communications from Tenable Vulnerability Management. The default is port 1521.
Auth Type

The type of account you want Tenable Vulnerability Management to use to access the database instance: 

  • SYSDBA
  • SYSOPER
  • NORMAL
Service Type The Oracle parameter you want to use to specify the database instance: SID or SERVICE_NAME.
Service

The SID value or SERVICE_NAME value for your database instance.

The Service value you enter must match your parameter selection for the Service Type option.

PostgreSQL

The following table describes the additional options to configure for PostgreSQL credentials.

Options Description
Auth Type

The authentication method for providing the required credentials.

  • Password

  • Client Certificate

  • CyberArk

  • Lieberman

  • HashiCorp Vault

For descriptions of the options for your selected authentication type, see Database Credentials Authentication Types.

Database Port The TCP port that the PostgreSQL database instance listens on for communications from Tenable Vulnerability Management. The default is port 5432.
Database Name The name for your database instance.

SQL Server

The following table describes the additional options to configure for SQL Server credentials.

Options Description
Auth Type

The authentication method for providing the required credentials.

  • Password

  • Import

  • CyberArk

  • Lieberman

  • HashiCorp Vault

For descriptions of the options for your selected authentication type, see Database Credentials Authentication Types.

Username The username for a user on the database.

Password

The password associated with the username you provided.
Database Port The TCP port that the SQL Server database instance listens on for communications from Tenable Vulnerability Management. The default is port 1433.

AuthType

The type of account you want Tenable Vulnerability Management to use to access the database instance: SQL or Windows.

Instance Name The name for your database instance.

Sybase ASE

The following table describes the additional options to configure for Sybase ASE credentials.

Options Description
Auth Type

The authentication method for providing the required credentials.

  • Password

  • CyberArk

  • Lieberman

  • HashiCorp Vault

For descriptions of the options for your selected authentication type, see Database Credentials Authentication Types.

Database Port The TCP port that the Sybase ASE database instance listens on for communications from Tenable Vulnerability Management. The default is port 3638.
Auth Type

The type of authentication used by the Sybase ASE database: RSA or Plain Text.