Database Credentials Authentication Types
Depending on the authentication type you select for your database credentials, you must configure the options described in this topic.
Client Certificate
The Client Certificate authentication type is supported for PostgreSQL databases only.
Option |
Description |
Required |
---|---|---|
Username | The username for the database. | yes |
Client Certificate | The file that contains the PEM certificate for the database. | yes |
Client CA Certificate | The file that contains the PEM certificate for the database. | yes |
Client Certificate Private Key | The file that contains the PEM private key for the client certificate. | yes |
Client Certificate Private Key Passphrase | The passphrase for the private key, if required in your authentication implementation. | no |
Database Port |
The port on which Tenable Vulnerability Management communicates with the database. | yes |
Database Name | The name of the database. | no |
Password
Option |
Database Types |
Description |
Required |
---|---|---|---|
Username |
All |
The username for a user on the database. |
yes |
Password |
All |
The password for the supplied username. |
no |
Database Port |
All | The port on which Tenable Vulnerability Management communicates with the database. | yes |
Database Name |
DB2 PostgreSQL |
The name of the database. |
no |
Auth type |
Oracle SQL Server Sybase ASE |
SQL Server values include:
Oracle values include:
Sybase ASE values include:
|
yes |
Instance name | SQL Server | The name for your database instance. | no |
Service type | Oracle |
Valid values include:
|
yes |
Service | Oracle | The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. | no |
Import
Upload a .csv file with the credentials entered in the specified format. For descriptions of valid values to use for each item, see
You must configure either CyberArk or HashiCorp credentials for a database credential in the same scan so that Tenable Vulnerability Management can retrieve the credentials.
Database Credential |
CSV Format |
---|---|
DB2 | target, port, database_name, username, cred_manager, accountname_or_secretname |
MySQL | target, port, database_name, username, cred_manager, accountname_or_secretname |
Oracle | target, port, service_type, service_ID, username, auth_type, cred_manager, accountname_or_secretname |
SQL Server | target, port, instance_name, username, auth_type, cred_manager, accountname_or_secretname |
Note: Include the required data in the specified order, with commas between each value, without spaces. For example, for Oracle with CyberArk: 192.0.2.255,1521,SID,service_id,username,SYSDBA,CyberArk,Database-Oracle-SYS.
Note: The value for cred_manager must be either CyberArk or HashiCorp.
BeyondTrust
Option | Description |
Required |
---|---|---|
Username |
The username to log in to the host you want to scan. |
yes |
Domain | The domain of the username, which is recommended if using domain-linked accounts (managed accounts of a domain that are linked to a managed system). | no |
BeyondTrust host | The BeyondTrust IP address or DNS address. | yes |
BeyondTrust port | The port on which BeyondTrust listens. | yes |
BeyondTrust API user |
The API user provided by BeyondTrust. |
yes |
BeyondTrust API key |
The API key provided by BeyondTrust. |
yes |
Checkout duration |
The length of time, in minutes, that you want to keep credentials checked out in BeyondTrust. Configure the checkout duration to exceed the typical duration of your scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails. Note: Configure the password change interval in BeyondTrust so that password changes do not disrupt your scans. If BeyondTrust changes a password during a scan, the scan fails. |
yes |
Use SSL | When enabled, the integration uses SSL through IIS for secure communications. Configure SSL through IIS in BeyondTrust before enabling this option. | no |
Verify SSL certificate | When enabled, the intergation validates the SSL certificate. Configure SSL through IIS in BeyondTrust before enabling this option. | no |
CyberArk
CyberArk is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from CyberArk to use in a scan.
Option | Description | Required |
---|---|---|
CyberArk Host |
The IP address or FQDN name for the CyberArk AIM Web Service. This can be the host, or the host with a custom URL added on in a single string. |
yes |
Port |
The port on which the CyberArk API communicates. By default, Tenable uses 443. |
yes |
AppID |
The Application ID associated with the CyberArk API connection. |
yes |
Client Certificate | The file that contains the PEM certificate used to communicate with the CyberArk host. |
no |
Client Certificate Private Key | The file that contains the PEM private key for the client certificate. |
yes, if private key is applied |
Client Certificate Private Key Passphrase | The passphrase for the private key, if required. |
yes, if private key is applied |
Get credential by |
The method with which your CyberArk API credentials are retrieved. Can be Address, Identifier, Parameters, or Username. Note: For more information about the Parameters option, refer to the Parameters Options table. Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier. Note: The Username option also adds the Address parameter of the API query and assigns the target IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if the CyberArk Account Details Address field contains a value other than the target IP address. |
yes |
Username |
(If Get credential by is set to Username) The username of the CyberArk user to request a password from. |
no |
Safe |
The CyberArk safe the credential should be retrieved from. |
no |
Account Name | (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. | no |
Use SSL |
If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS. |
no |
Verify SSL Certificate |
If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate. |
no |
CyberArk (Legacy)
CyberArk is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from CyberArk to use in a scan.
Option | Database Types | Description |
Required |
---|---|---|---|
Username |
All |
The target system’s username. |
yes |
Central Credential Provider Host |
All |
The CyberArk Central Credential Provider IP/DNS address. |
yes |
Central Credential Provider Port |
All |
The port on which the CyberArk Central Credential Provider is listening. |
yes |
CyberArk AIM Service URL |
All |
The URL of the AIM service. By default, this field uses |
no |
Central Credential Provider Username | All |
If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication. |
no |
Central Credential Provider Password | All |
If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication. |
no |
CyberArk Safe |
All |
The safe on the CyberArk Central Credential Provider server that contained the authentication information you would like to retrieve. |
no |
CyberArk Client Certificate | All | The file that contains the PEM certificate used to communicate with the CyberArk host. | no |
CyberArk Client Certificate Private Key | All | The file that contains the PEM private key for the client certificate. | no |
CyberArk Client Certificate Private Key Passphrase | All | The passphrase for the private key, if your authentication implementation requires it. | no |
CyberArk AppId |
All |
The AppId that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password. |
yes |
CyberArk Folder |
All |
The folder on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve. |
no |
CyberArk Account Details Name |
All |
The unique name of the credential you want to retrieve from CyberArk. |
yes |
PolicyId | All | The PolicyID assigned to the credentials that you want to retrieve from the CyberArk Central Credential Provider. | no |
Use SSL |
All |
If CyberArk Central Credential Provider is configured to support SSL through IIS check for secure communication. |
no |
Verify SSL Certificate |
All |
If CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate, select this option. Refer to the custom_CA.inc documentation for how to use self-signed certificates. |
no |
Database Port |
All |
The port on which Tenable Vulnerability Management communicates with the database. |
yes |
Database Name |
DB2 PostgreSQL |
The name of the database. | no |
Auth type |
Oracle SQL Server Sybase ASE |
SQL Server values include:
Oracle values include:
Sybase ASE values include:
|
yes |
Instance Name | SQL Server | The name for your database instance. | no |
Service type | Oracle |
Valid values include:
|
yes |
Service | Oracle | The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. | no |
Delinea
Option | Description |
Required |
---|---|---|
Delinea Secret Name |
The value of the secret on the Delinea server. The secret is labeled Secret Name on the Delinea server. |
yes |
Delinea Host | The Delinea Secret Server IP address or DNS address. | yes |
Delinea Port | The port on which Delinea Secret Server listens. | yes |
Delinea Authentication Method | Indicates whether to use credentials or an API key for authentication. By default, credentials are selected. | yes |
Delinea Login Name |
The username to authenticate to the Delinea server. |
yes |
Delinea Password |
The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided. |
yes |
Delinea API key |
The API key provided by Delinea Secret Server. |
yes |
Use SSL | Enable if the Delinea Secret Server is configured to support SSL. | no |
Verify SSL certificate | If enabled, verifies the SSL Certificate on the Delinea server. | no |
HashiCorp Vault
HashiCorp Vault is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from HashiCorp Vault to use in a scan.
Option | Description |
Required |
---|---|---|
Hashicorp Vault host |
The Hashicorp Vault IP address or DNS address. Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path. |
yes |
Hashicorp Vault port | The port on which Hashicorp Vault listens. | yes |
Authentication Type |
Specifies the authentication type for connecting to the instance: App Role or Certificates. If you select Certificates, additional options for Hashicorp Client Certificate and Hashicorp Client Certificate Private Key appear. Select the appropriate files for the client certificate and private key. |
yes |
Role ID | The GUID provided by Hashicorp Vault when you configured your App Role. | yes |
Role Secret ID |
The GUID generated by Hashicorp Vault when you configured your App Role. |
yes |
Authentication URL |
The path/subdirectory to the authentication endpoint. This is not the full URL. For example: /v1/auth/approle/login |
yes |
Namespace | The name of a specified team in a multi-team environment. | no |
Vault Type |
The Tenable Vulnerability Management version: KV1, KV2, AD, or LDAP. For additional information about Tenable Vulnerability Management versions, see the Tenable Vulnerability Management documentation. |
yes |
KV1 Engine URL |
(KV1) The URL Tenable Vulnerability Management uses to access the KV1 engine. Example: /v1/path_to_secret. No trailing / |
yes, if you select the KV1 Vault Type |
KV2 Engine URL |
(KV2) The URL Tenable Vulnerability Management uses to access the KV2 engine. Example: /v1/path_to_secret. No trailing / |
yes, if you select the KV2 Vault Type |
AD Engine URL |
(AD) The URL Tenable Vulnerability Management uses to access the active directory engine. Example: /v1/path_to_secret. No trailing / |
yes, if you select the AD Vault Type |
LDAP Engine URL |
(LDAP) The URL Tenable Vulnerability Management uses to access the LDAP engine. Example: /v1/path_to_secret. No trailing / |
yes, if you select the LDAP Vault Type |
Username Source | (KV1 and KV2) A drop-down box to specify whether the username is input manually or pulled from Hashicorp Vault. | yes |
Username Key | (KV1 and KV2) The name in Hashicorp Vault that usernames are stored under. | yes |
Password Key | (KV1 and KV2) The key in Hashicorp Vault that passwords are stored under. | yes |
Secret Name | (KV1, KV2, and AD) The key secret you want to retrieve values for. | yes |
Use SSL | If enabled, Tenable Nessus Manager uses SSL for secure communications. Configure SSL in Hashicorp Vault before enabling this option. | no |
Verify SSL Certificate | If enabled, validates the SSL certificate. You must configure SSL in Hashicorp Vault before enabling this option. | no |
Database Port | The port on which communicates with the database. | yes |
Auth Type | The authentication method for the database credentials. Oracle values include:
|
yes |
Service Type | (Oracle databases only) Valid values include: SID and SERVICE_NAME. | yes |
Service | (Oracle database only) A specific field for the configuration for the database. | yes |
Lieberman
Lieberman is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from Lieberman to use in a scan.
Option | Database Type | Description |
Required |
---|---|---|---|
Username | All | The target system’s username. | yes |
Lieberman host | All |
The Lieberman IP/DNS address. Note: If your Lieberman installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path. |
yes |
Lieberman port | All | The port on which Lieberman listens. | yes |
Lieberman API URL | All | The URL Tenable Vulnerability Management uses to access Lieberman. | no |
Lieberman user | All | The Lieberman explicit user for authenticating to the Lieberman API. | yes |
Lieberman password | All | The password for the Lieberman explicit user. | yes |
Lieberman Authenticator | All |
The alias used for the authenticator in Lieberman. The name should match the name used in Lieberman. Note: If you use this option, append a domain to the Lieberman user option, i.e., domain\user. |
no |
Lieberman Client Certificate | All |
The file that contains the PEM certificate used to communicate with the Lieberman host. Note: If you use this option, you do not have to enter information in the Lieberman user, Lieberman password, and Lieberman Authenticator fields. |
no |
Lieberman Client Certificate Private Key | All | The file that contains the PEM private key for the client certificate. | no |
Lieberman Client Certificate Private Key Passphrase | All | The passphrase for the private key, if required. | no |
Use SSL | All |
If Lieberman is configured to support SSL through IIS, check for secure communication. |
no |
Verify SSL Certificate | All |
If Lieberman is configured to support SSL through IIS and you want to validate the certificate, check this option. Refer to Custom CA documentation for how to use self-signed certificates. |
no |
System Name | All | In the rare case your organization uses one default Lieberman entry for all managed systems, enter the default entry name. | no |
Database Port | All | The port on which Tenable Vulnerability Management communicates with the database. | yes |
Database Name |
DB2 PostgreSQL |
(PostgreSQL and DB2 databases only) The name of the database. | no |
Auth type |
Oracle SQL Server Sybase ASE |
(SQL Server, Oracle. and Sybase ASE databases only) SQL Server values include:
Oracle values include:
Sybase ASE values include:
|
yes |
Instance Name | SQL Server | The name for your database instance. | no |
Service type | Oracle |
Valid values include:
|
no |
Service | Oracle | The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. | yes |
QiAnXin
QiAnXin is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from QiAnXin to use in a scan.
Option | Description | Required |
---|---|---|
QiAnXin Host |
The IP address or URL for the QiAnXin host. |
yes |
QiAnXin Port |
The port on which the QiAnXin API communicates. By default, Tenable uses 443. |
yes |
QiAnXin API Client ID |
The Client ID for the embedded account application created in QiAnXin PAM |
yes |
QiAnXin API Secret ID | The Secret ID for the embedded account application created in QiAnXin PAM |
yes |
Username | The username to log in to the hosts you want to scan. | yes |
Host IP | Specify the host IP of the asset containing the account to use. If not specified, the scan target IP is used. | no |
Platform |
Specify the platform (based on asset type) of the asset containing the account to use. If not specified, a default target is used based on credential type (for example, for Windows credentials, the default is WINDOWS). Possible values:
|
no |
Region ID | Specify the region ID of the asset containing the account to use. | Only if using multiple regions |
Use SSL | When enabled, Tenable uses SSL for secure communication. This is enabled by default. |
no |
Verify SSL Certificate |
When enabled, Tenable verifies that the SSL Certificate on the server is signed by a trusted CA. |
no |
Senhasegura
Option | Description | Required |
---|---|---|
Senhasegura Host |
The IP address or URL for the Senhasegura host. |
yes |
Senhasegura Port |
The port on which the Senhasegura API communicates. By default, Tenable uses 443. |
yes |
Senhasegura API Client ID |
The Client ID for the applicable Senhasegura A2A Application for Oauth 2.0 API authentication. |
yes |
Senhasegura API Secret ID | The Secret ID for the applicable Senhasegura A2A Application for Oauth 2.0 API authentication. |
yes |
Senhasegura Credential ID or Identifier | The credential ID or identifier for the credential you are requesting to retrieve. |
yes |
Private Key File |
The Private Key used to decrypt encrypted sensitive data from A2A. Note: You can enable encryption of sensitive data in the A2A Application Authorizations. If enabled, you must provide a private key file in the scan credentials. This can be downloaded from the applicable A2A application in Senhasegura. |
Required if you have enabled encryption of sensitive data in A2A Application Authorizations. |
HTTPS |
This is enabled by default. |
yes |
Verify SSL Certificate |
This is disabled by default. |
no |