Database Credentials Authentication Types

Depending on the authentication type you select for your database credentials, you must configure the options described in this topic.

Client Certificate

The Client Certificate authentication type is supported for PostgreSQL databases only.

Option

Description

Required
Username The username for the database. yes
Client Certificate The file that contains the PEM certificate for the database. yes
Client CA Certificate The file that contains the PEM certificate for the database.  yes
Client Certificate Private Key The file that contains the PEM private key for the client certificate. yes
Client Certificate Private Key Passphrase The passphrase for the private key, if required in your authentication implementation. no

Database Port

The port on which Tenable Vulnerability Management communicates with the database. yes
Database Name The name of the database. no

Password

Option

Database Types

Description

Required

Username

All

The username for a user on the database.

yes

Password

All

The password for the supplied username.

no

Database Port

All The port on which Tenable Vulnerability Management communicates with the database. yes
Database Name

DB2

PostgreSQL

The name of the database.

no
Auth type

Oracle

SQL Server

Sybase ASE

SQL Server values include:

  • Windows
  • SQL

Oracle values include:

  • SYSDBA
  • SYSOPER
  • NORMAL

Sybase ASE values include:

  • RSA
  • Plain Text
yes
Instance name SQL Server The name for your database instance. no
Service type Oracle

Valid values include:

  • SID
  • SERVICE_NAME
yes
Service Oracle The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. no

Import

Upload a .csv file with the credentials entered in the specified format. For descriptions of valid values to use for each item, see Database Credentials.

You must configure either CyberArk or HashiCorp credentials for a database credential in the same scan so that Tenable Vulnerability Management can retrieve the credentials.

Database Credential

CSV Format

DB2 target, port, database_name, username, cred_manager, accountname_or_secretname
MySQL target, port, database_name, username, cred_manager, accountname_or_secretname
Oracle target, port, service_type, service_ID, username, auth_type, cred_manager, accountname_or_secretname
SQL Server target, port, instance_name, username, auth_type, cred_manager, accountname_or_secretname

Note: Include the required data in the specified order, with commas between each value, without spaces. For example, for Oracle with CyberArk: 192.0.2.255,1521,SID,service_id,username,SYSDBA,CyberArk,Database-Oracle-SYS.

Note: The value for cred_manager must be either CyberArk or HashiCorp.

BeyondTrust

Option Description

Required

Username

The username to log in to the host you want to scan.

yes
Domain The domain of the username, which is recommended if using domain-linked accounts (managed accounts of a domain that are linked to a managed system). no
BeyondTrust host The BeyondTrust IP address or DNS address. yes
BeyondTrust port The port on which BeyondTrust listens. yes
BeyondTrust API user

The API user provided by BeyondTrust.

yes
BeyondTrust API key

The API key provided by BeyondTrust.

yes

Checkout duration

The length of time, in minutes, that you want to keep credentials checked out in BeyondTrust. Configure the checkout duration to exceed the typical duration of your scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Note: Configure the password change interval in BeyondTrust so that password changes do not disrupt your scans. If BeyondTrust changes a password during a scan, the scan fails.

yes
Use SSL When enabled, the integration uses SSL through IIS for secure communications. Configure SSL through IIS in BeyondTrust before enabling this option. no
Verify SSL certificate When enabled, the intergation validates the SSL certificate. Configure SSL through IIS in BeyondTrust before enabling this option. no

CyberArk

CyberArk is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from CyberArk to use in a scan.

Option Description Required

CyberArk Host

The IP address or FQDN name for the CyberArk AIM Web Service. This can be the host, or the host with a custom URL added on in a single string.

yes

Port

The port on which the CyberArk API communicates. By default, Tenable uses 443.

yes

AppID

The Application ID associated with the CyberArk API connection.

yes

Client Certificate The file that contains the PEM certificate used to communicate with the CyberArk host.

no

Client Certificate Private Key The file that contains the PEM private key for the client certificate.

yes, if private key is applied

Client Certificate Private Key Passphrase The passphrase for the private key, if required.

yes, if private key is applied

Get credential by

The method with which your CyberArk API credentials are retrieved. Can be Address, Identifier, Parameters, or Username.

Note: For more information about the Parameters option, refer to the Parameters Options table.

Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier.

Note: The Username option also adds the Address parameter of the API query and assigns the target IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if the CyberArk Account Details Address field contains a value other than the target IP address.

yes
Username

(If Get credential by is set to Username) The username of the CyberArk user to request a password from.

no
Safe

The CyberArk safe the credential should be retrieved from.

no
Account Name (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. no

Use SSL

If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.

no

Verify SSL Certificate

If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.

no

CyberArk (Legacy)

CyberArk is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from CyberArk to use in a scan.

Option Database Types Description

Required

Username

All

The target system’s username.

yes

Central Credential Provider Host

All

The CyberArk Central Credential Provider IP/DNS address.

yes

Central Credential Provider Port

All

The port on which the CyberArk Central Credential Provider is listening.

yes

CyberArk AIM Service URL

All

The URL of the AIM service. By default, this field uses /AIMWebservice/v1.1/AIM.asmx.

no
Central Credential Provider Username All

If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication.

no
Central Credential Provider Password All

If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication.

no

CyberArk Safe

All

The safe on the CyberArk Central Credential Provider server that contained the authentication information you would like to retrieve.

no
CyberArk Client Certificate All The file that contains the PEM certificate used to communicate with the CyberArk host. no
CyberArk Client Certificate Private Key All The file that contains the PEM private key for the client certificate. no
CyberArk Client Certificate Private Key Passphrase All The passphrase for the private key, if your authentication implementation requires it. no

CyberArk AppId

All

The AppId that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password.

yes

CyberArk Folder

All

The folder on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve.

no

CyberArk Account Details Name

All

The unique name of the credential you want to retrieve from CyberArk.

yes
PolicyId All The PolicyID assigned to the credentials that you want to retrieve from the CyberArk Central Credential Provider. no

Use SSL

All

If CyberArk Central Credential Provider is configured to support SSL through IIS check for secure communication.

no

Verify SSL Certificate

All

If CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate, select this option. Refer to the custom_CA.inc documentation for how to use self-signed certificates.

no

Database Port

All

The port on which Tenable Vulnerability Management communicates with the database.

yes
Database Name

DB2

PostgreSQL

The name of the database. no
Auth type

Oracle

SQL Server

Sybase ASE

SQL Server values include:

  • Windows
  • SQL

Oracle values include:

  • SYSDBA
  • SYSOPER
  • NORMAL

Sybase ASE values include:

  • RSA
  • Plain Text
yes
Instance Name SQL Server The name for your database instance. no
Service type Oracle

Valid values include:

  • SID
  • SERVICE_NAME
yes
Service Oracle The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. no

Delinea

Option Description

Required

Delinea Secret Name

The value of the secret on the Delinea server. The secret is labeled Secret Name on the Delinea server.

yes
Delinea Host The Delinea Secret Server IP address or DNS address. yes
Delinea Port The port on which Delinea Secret Server listens. yes
Delinea Authentication Method Indicates whether to use credentials or an API key for authentication. By default, credentials are selected. yes
Delinea Login Name

The username to authenticate to the Delinea server.

yes
Delinea Password

The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided.

yes

Delinea API key

The API key provided by Delinea Secret Server.

yes
Use SSL Enable if the Delinea Secret Server is configured to support SSL. no
Verify SSL certificate If enabled, verifies the SSL Certificate on the Delinea server. no

HashiCorp Vault

HashiCorp Vault is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from HashiCorp Vault to use in a scan.

Option Description

Required

Hashicorp Vault host

The Hashicorp Vault IP address or DNS address.

Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path.

yes
Hashicorp Vault port The port on which Hashicorp Vault listens. yes
Authentication Type

Specifies the authentication type for connecting to the instance: App Role or Certificates.

If you select Certificates, additional options for Hashicorp Client Certificate and Hashicorp Client Certificate Private Key appear. Select the appropriate files for the client certificate and private key.

yes
Role ID The GUID provided by Hashicorp Vault when you configured your App Role. yes
Role Secret ID

The GUID generated by Hashicorp Vault when you configured your App Role.

yes
Authentication URL

The path/subdirectory to the authentication endpoint. This is not the full URL. For example:

/v1/auth/approle/login

yes

Namespace The name of a specified team in a multi-team environment. no
Vault Type

The Tenable Vulnerability Management version: KV1, KV2, AD, or LDAP. For additional information about Tenable Vulnerability Management versions, see the Tenable Vulnerability Management documentation.

yes
KV1 Engine URL

(KV1) The URL Tenable Vulnerability Management uses to access the KV1 engine.

Example: /v1/path_to_secret. No trailing /

yes, if you select the KV1 Vault Type
KV2 Engine URL

(KV2) The URL Tenable Vulnerability Management uses to access the KV2 engine.

Example: /v1/path_to_secret. No trailing /

yes, if you select the KV2 Vault Type
AD Engine URL

(AD) The URL Tenable Vulnerability Management uses to access the active directory engine.

Example: /v1/path_to_secret. No trailing /

yes, if you select the AD Vault Type
LDAP Engine URL

(LDAP) The URL Tenable Vulnerability Management uses to access the LDAP engine.

Example: /v1/path_to_secret. No trailing /

yes, if you select the LDAP Vault Type
Username Source (KV1 and KV2) A drop-down box to specify whether the username is input manually or pulled from Hashicorp Vault. yes
Username Key (KV1 and KV2) The name in Hashicorp Vault that usernames are stored under. yes
Password Key (KV1 and KV2) The key in Hashicorp Vault that passwords are stored under. yes
Secret Name (KV1, KV2, and AD) The key secret you want to retrieve values for. yes
Use SSL If enabled, Tenable Nessus Manager uses SSL for secure communications. Configure SSL in Hashicorp Vault before enabling this option. no
Verify SSL Certificate If enabled, validates the SSL certificate. You must configure SSL in Hashicorp Vault before enabling this option. no
Database Port The port on which communicates with the database. yes
Auth Type The authentication method for the database credentials.

Oracle values include:

  • SYSDBA
  • SYSOPER
  • NORMAL
yes
Service Type (Oracle databases only) Valid values include: SID and SERVICE_NAME. yes
Service (Oracle database only) A specific field for the configuration for the database. yes

Lieberman

Lieberman is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from Lieberman to use in a scan.

Option Database Type Description

Required

Username All The target system’s username. yes
Lieberman host All

The Lieberman IP/DNS address.

Note: If your Lieberman installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path.

yes
Lieberman port All The port on which Lieberman listens. yes
Lieberman API URL All The URL Tenable Vulnerability Management uses to access Lieberman. no
Lieberman user All The Lieberman explicit user for authenticating to the Lieberman API. yes
Lieberman password All The password for the Lieberman explicit user. yes
Lieberman Authenticator All

The alias used for the authenticator in Lieberman. The name should match the name used in Lieberman.

Note: If you use this option, append a domain to the Lieberman user option, i.e., domain\user.

no
Lieberman Client Certificate All

The file that contains the PEM certificate used to communicate with the Lieberman host.

Note: If you use this option, you do not have to enter information in the Lieberman user, Lieberman password, and Lieberman Authenticator fields.

no
Lieberman Client Certificate Private Key All The file that contains the PEM private key for the client certificate. no
Lieberman Client Certificate Private Key Passphrase All The passphrase for the private key, if required. no
Use SSL All

If Lieberman is configured to support SSL through IIS, check for secure communication.

no
Verify SSL Certificate All

If Lieberman is configured to support SSL through IIS and you want to validate the certificate, check this option. Refer to Custom CA documentation for how to use self-signed certificates.

no

System Name All In the rare case your organization uses one default Lieberman entry for all managed systems, enter the default entry name. no
Database Port All The port on which Tenable Vulnerability Management communicates with the database. yes
Database Name

DB2

PostgreSQL

(PostgreSQL and DB2 databases only) The name of the database. no
Auth type

Oracle

SQL Server

Sybase ASE

(SQL Server, Oracle. and Sybase ASE databases only)

SQL Server values include:

  • Windows
  • SQL

Oracle values include:

  • SYSDBA
  • SYSOPER
  • NORMAL

Sybase ASE values include:

  • RSA
  • Plain Text
yes
Instance Name SQL Server The name for your database instance. no
Service type Oracle

Valid values include:

  • SID
  • SERVICE_NAME
no
Service Oracle The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. yes

QiAnXin

QiAnXin is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from QiAnXin to use in a scan.

Option Description Required

QiAnXin Host

The IP address or URL for the QiAnXin host.

yes

QiAnXin Port

The port on which the QiAnXin API communicates. By default, Tenable uses 443.

yes

QiAnXin API Client ID

The Client ID for the embedded account application created in QiAnXin PAM

yes

QiAnXin API Secret ID The Secret ID for the embedded account application created in QiAnXin PAM

yes

Username The username to log in to the hosts you want to scan. yes
Host IP Specify the host IP of the asset containing the account to use. If not specified, the scan target IP is used. no
Platform

Specify the platform (based on asset type) of the asset containing the account to use. If not specified, a default target is used based on credential type (for example, for Windows credentials, the default is WINDOWS). Possible values:

  • ACTIVE_DIRECTORY — Windows Domain Account

  • WINDOWS — Windows Local Account

  • LINUX — Linux Account

  • SQL_SERVER — SQL Server Database

  • ORACLE — Oracle Database

  • MYSQL — MySQL Database

  • DB2 — DB2 Database

  • HP_UNIX — HP Unix

  • SOLARIS — Solaris

  • OPENLDAP — OpenLDAP

  • POSTGRESQL — PostgreSQL

no
Region ID Specify the region ID of the asset containing the account to use. Only if using multiple regions
Use SSL When enabled, Tenable uses SSL for secure communication. This is enabled by default.

no

Verify SSL Certificate

When enabled, Tenable verifies that the SSL Certificate on the server is signed by a trusted CA.

no

Senhasegura

Option Description Required

Senhasegura Host

The IP address or URL for the Senhasegura host.

yes

Senhasegura Port

The port on which the Senhasegura API communicates. By default, Tenable uses 443.

yes

Senhasegura API Client ID

The Client ID for the applicable Senhasegura A2A Application for Oauth 2.0 API authentication.

yes

Senhasegura API Secret ID The Secret ID for the applicable Senhasegura A2A Application for Oauth 2.0 API authentication.

yes

Senhasegura Credential ID or Identifier The credential ID or identifier for the credential you are requesting to retrieve.

yes

Private Key File

The Private Key used to decrypt encrypted sensitive data from A2A.

Note: You can enable encryption of sensitive data in the A2A Application Authorizations. If enabled, you must provide a private key file in the scan credentials. This can be downloaded from the applicable A2A application in Senhasegura.

Required if you have enabled encryption of sensitive data in A2A Application Authorizations.

HTTPS

This is enabled by default.

yes

Verify SSL Certificate

This is disabled by default.

no