Database Credentials
The following topic describes the available Database credentials.
Akeyless PAM
| Option | Description | Required |
|---|---|---|
| Akeyless Host | The hostname or IP address of your Akeyless instance. For the Akeyless SaaS platform, use api.akeyless.io. | Yes |
| Akeyless Port | The port on which the Akeyless API communicates. By default, Tenable uses 443. | Yes |
| Akeyless API URL | An optional base URL path appended to the host when constructing API requests. Leave blank for the default Akeyless SaaS or gateway API. | No |
| Access ID | The Access ID associated with your Akeyless authentication method. This value begins with p- for SaaS auth methods. | Yes |
| Authentication Method | The method used to authenticate to Akeyless. Select Access Key, Universal Identity, or Certificate. | Yes |
| Access Key | The Access Key secret corresponding to the Access ID. Displayed when the Authentication Method is set to Access Key. | Yes (if using Access Key authentication) |
| UID Token Source | Whether to supply the Universal Identity token directly or read it from a file on the scanner. Possible options are Manual and File. Displayed when the Authentication Method is set to Universal Identity. | Yes (if using Universal ID authentication) |
| Universal Identity Token | The UID token used for Universal Identity authentication. Displayed when UID Token Source is set to Manual. | Yes (if using manual Universal ID entry) |
| Universal Identity Token File | The absolute path to a file on the Tenable Nessus scanner host that contains the UID token. Displayed when UID Token Source is set to File. | Yes (if using file-based Universal Identity) |
| Client Certificate | The PEM-format client certificate file used for certificate-based (mTLS) authentication. Displayed when the Authentication Method is set to Certificate. | Yes (if using Certificate Authentication) |
| Private Key | The PEM-format private key file corresponding to the client certificate. Displayed when the Authentication Method is set to Certificate. | Yes (if using Certificate Authentication) |
| Passphrase For Private Key | The passphrase protecting the private key, if the key is encrypted. Displayed when the Authentication Method is set to Certificate. | No |
| Credential ID | The full path of the Akeyless secret that contains the target login credentials, for example /scan/linux/webserver. | Yes |
| Secret Type | The type of Akeyless secret to retrieve. Select Static for static secrets or Rotated for rotated secrets. Static by default. | Yes |
| Use SSL | Whether to use SSL/TLS when communicating with the Akeyless host. Enabled by default. | Yes |
| Verify SSL Certificate | Whether to verify the Akeyless host SSL certificate. Disable only in test environments. | Yes |
| Use Kerberos KDC | If enabled, Kerberos authentication is used to log in to the Windows target. Requires KDC host, port, transport, and domain. Applies to SSH and Windows credentials only. | No |
| Elevate privileges with | The privilege escalation method to use after login (for example, sudo). Applies to SSH credentials only. | No |
| Escalation Credential ID | The Akeyless secret path for the escalation account credentials. If not specified, the primary Credential ID is used for both login and escalation. Applies to SSH credentials only. | No |
Cassandra
|
Option |
Description |
|---|---|
|
|
The authentication method for providing the required credentials.
For descriptions of the options for your selected authentication type, see |
|
Port |
The port the database listens on. The default is port 9042. |
Delinea Secret Server Auto-Discovery
| Option | Description | Required |
|---|---|---|
|
Delinea Host |
The Delinea Secret Server host to pull the secrets from. |
yes |
|
Delinea Port |
The Delinea Secret Server Port for API requests. By default, Tenable uses 443. |
yes |
| Delinea Authentication Method |
Indicates whether to use credentials or an API key for authentication. By default, credentials are selected.
Note: By default, Credentials is selected. |
yes |
| Delinea Login Name |
The username to authenticate to the Delinea server. |
Yes. Authentication Method: Credential |
| Delinea Password |
The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided. |
Yes. Authentication Method: Credential |
| Delinea API key |
The API key provided by Delinea Secret Server. |
Yes. Authentication Method: An API Key |
| Delinea Platform Host |
The Delinea Platform Host IP address or Domain name. |
Yes. Authentication Method: Platform |
| Delinea Service Account ID |
The application account Delinea platform REST API |
Yes. Authentication Method: Platform |
| Query Mode | Choose to query accounts using pre-set fields or by constructing a string of URL query parameters. By default, Simple is selected. |
yes |
| Folder ID |
Query accounts with the given folder ID. This option is only available if query mode is set to Simple. |
No |
|
Search Text |
Query accounts matching the given search text. This option is only available if query mode is set to Simple. |
no |
|
Search Field |
The field to search using the given search text. If not specified, the query will search the name field. This option is only available if query mode is set to Simple. |
no |
| Exact Match | Perform an exact match against the search text. By default, this is unselected. This option is only available if query mode is set to Simple. |
no |
| Query String | Provide a string of URL query parameters. This option is only available (and required) if the query mode is set to Advanced. |
yes |
| Use Private Key | Use key-based authentication for SSH connections instead of password authentication. |
no |
| Use SSL | Use SSL for secure communications. |
yes |
| Verify SSL Certificate | Verify the Delinea Secret Server SSL certificate. |
no |
DB2
The following table describes the additional options to configure for DB2 credentials.
| Options | Description |
|---|---|
|
|
The authentication method for providing the required credentials.
For descriptions of the options for your selected authentication type, see |
|
|
The TCP port that the IBM DB2 database instance listens on for communications from Tenable Vulnerability Management. The default is port 50000. |
| Database Name | The name for your database (not the name of your instance). |
MongoDB
|
Option |
Description |
|---|---|
|
|
The authentication method for providing the required credentials. Note: This option is only available for non-legacy versions of the MongoDB authentication method.
For descriptions of the options for your selected authentication type, see |
|
Username |
|
|
Password |
|
|
Database |
The name of the database to authenticate to. Tip: To authenticate via LDAP or saslauthd, type $external.
|
|
Port |
(Required) The TCP port that the MongoDB database instance listens on for communications from Tenable Vulnerability Management. |
MySQL
The following table describes the additional options to configure for MySQL credentials.
| Options | Description |
|---|---|
|
|
The authentication method for providing the required credentials.
For descriptions of the options for your selected authentication type, see |
| Username | The username for a user on the database. |
|
Password |
The password associated with the username you provided. |
| Client Certificate | The PEM-formatted SSL/TLS certificate used to identify the scanner or client to the MySQL database. This certificate must be signed by a Certificate Authority (CA) that the database server trusts. |
| Client CA Certificate | The PEM-formatted Certificate Authority (CA) certificate used to verify the authenticity of the database server's certificate. This ensures the scanner is connecting to the intended, secure host. |
| Client Certificate Private Key | The PEM-formatted private key that corresponds to the Client Certificate. This key is used to decrypt data and prove ownership of the certificate during the handshake process. |
| Client Certificate Private Key Passphrase | The password required to decrypt the Client Certificate Private Key, if the key was generated with encryption. |
|
|
The TCP port that the MySQL database instance listens on for communications from Tenable Vulnerability Management. The default is port 3306. |
Oracle
The following table describes the additional options to configure for Oracle credentials.
| Options | Description |
|---|---|
|
|
The authentication method for providing the required credentials.
For descriptions of the options for your selected authentication type, see |
|
|
The TCP port that the Oracle database instance listens on for communications from Tenable Vulnerability Management. The default is port 1521. |
|
|
The type of account you want Tenable Vulnerability Management to use to access the database instance:
|
| Service Type | The Oracle parameter you want to use to specify the database instance: SID or SERVICE_NAME. |
| Service |
The SID value or SERVICE_NAME value for your database instance. The Service value you enter must match your parameter selection for the Service Type option. |
PostgreSQL
The following table describes the additional options to configure for PostgreSQL credentials.
| Options | Description |
|---|---|
|
|
The authentication method for providing the required credentials.
For descriptions of the options for your selected authentication type, see |
|
|
The TCP port that the PostgreSQL database instance listens on for communications from Tenable Vulnerability Management. The default is port 5432. |
| Database Name | The name for your database instance. |
SQL Server
The following table describes the additional options to configure for SQL Server credentials.
| Options | Description |
|---|---|
|
|
The authentication method for providing the required credentials.
For descriptions of the options for your selected authentication type, see |
| Username | The username for a user on the database. |
|
Password |
The password associated with the username you provided. |
|
|
The TCP port that the SQL Server database instance listens on for communications from Tenable Vulnerability Management. The default is port 1433. |
|
AuthType |
The type of account you want Tenable Vulnerability Management to use to access the database instance: SQL or Windows. |
| Instance Name | The name for your database instance. |
Sybase ASE
The following table describes the additional options to configure for Sybase ASE credentials.
| Options | Description |
|---|---|
|
|
The authentication method for providing the required credentials.
For descriptions of the options for your selected authentication type, see |
|
|
The TCP port that the Sybase ASE database instance listens on for communications from Tenable Vulnerability Management. The default is port 3638. |
| Auth Type |
The type of authentication used by the Sybase ASE database: RSA or Plain Text. |