HashiCorp Vault
Click here to view navigation pane

HashiCorp Vault

Use this vault type to retrieve authentication credentials from a HashiCorp vault.

 

How to Use Vaults

Click here and we'll walk you thru the steps. Add IP addresses to scan, configure scanner appliances, configure vaults and authentication records, set up option profiles and start scanning!

 

Vault Credentials

These credentials may be defined for your HashiCorp Vault.

URL  The HTTP or HTTPS URL to access the HashiCorp Vault.

SSL Verify  This option is available when the URL uses HTTPS. Qualys scanners will verify the SSL certificate of the web server to make sure the certificate is valid and trusted, unless you clear (un-check) the SSL Verify option. You may want to clear this option to skip SSL verification if the certificate was not issued by a well-known certification authority (CA) or if the certificate is self-signed.

API Version  The HashiCorp Vault HTTP API version. This is v1 by default, which is the only supported version.

Auth Type  First choose the authentication method you want to use (Username/Password, Cert or App Role) and then provide login credentials for authenticating to the vault server via the HashiCorp Vault HTTP API.

 

Auth Type: Username/Password

Choose the Username/Password authentication method to authenticate to the vault server with a username and password combination.  

Path  The path for the Username/Password authentication method. The default path is /auth/userpass but you can specify a custom path like auth/my-path.

Username  The user account that can access the vault server.  

Password  The password for the user account.

 

Auth Type: Cert

Choose the Cert authentication method to authenticate to the vault server using SSL/TLS client certificates which are either signed by a CA (Certificate Authority) or self-signed. CA certificates are associated with a role name.

Path  The path for the Cert authentication method. The default path is auth/cert but you can specify a custom path like auth/my-path.

Role Name  The role associated with the CA certificate.  

Certificate / Private Key The certificate and private key are required if your server requires a certificate for authentication. Both must be defined together or skipped. Learn moreLearn more

The certificate stores the base64-encoded client X.509 certificate in PEM format. The private key stores base64-encoded client private key that corresponds to the public key stored in the certificate.

Passphrase  The private key passphrase, if the private key is encrypted.

 

Auth Type: App Role

Choose the App Role authentication method to authenticate to the vault server with a vault-defined role.

Path  The path for the App Role authentication method. The default path is auth/approle, but you can specify a custom path like auth/my-path.

Role ID  The role ID of the App Role you want to use for authentication.

Secret ID  The secret ID of the App Role you want to use for authentication.

 

Authentication Record

Choose the HashiCorp vault in your authentication record and provide details about the KV (Key-Value) secrets engine where your login credentials (secrets) are stored. Note that we only support Key-Value Secret Engine version 2 to retrieve secrets from the HashiCorp Vault.

Path  The path of the secret engine. The default is “secret/data”. For a custom path, provide path in the format "path/to/secret/data".

Name  The secret name which stores the key-value pairs.

Key  The key name for identifying a specific key-value pair.

 

User Permissions

A Manager user has permission to configure a HashiCorp Vault. A Unit Manager can be granted this permission.