BeyondTrust Password Safe Vault
Qualys supports BeyondTrust Password Safe vault authentication for compliance scans run with the Qualys PC and SCA apps. Use this vault type to retrieve authentication credentials from a BeyondTrust Password Safe.
User Permissions: A Manager user has permission to configure a BeyondTrust Password Safe Vault. A Unit Manager can be granted this permission.
Prerequisite
To integrate Qualys with BeyondTrust Password Safe, first perform the API Registration in BeyondTrust Password Safe to generate the API Key Policy that Qualys will use.
How to use the vault
You can use the vault by performing the following steps.
- Add IP addresses to scan
- Configure scanner appliances
- Configure vaults and authentication records
- Enable authentication for VM Scans
- Start scanning
To know more, refer to How to use Vault.
What are the steps?
Follow these steps to save the details of BeyondTrust Password Safe Vault:
1. Go to Scans > Authentication > New > Authentication Vaults.
The Authentication Vaults window is displayed.
2. Take one of the following actions:
2a. Go to New > BeyondTrust.
A New BeyondTrust Vault window is displayed.
2b. To make changes to an existing BeyondTrust vault, select a record in the list and choose Edit from the Quick Actions menu.
3. Enter the information required in the New BeyondTrust Vault page.
See BeyondTrust Vault Information below for help with the fields that appear in the BeyondTrust vault.
BeyondTrust Vault Information
See the following help for the fields that appear on the BeyondTrust Vault page, and click Save.
- Vault Title: Enter the title for saving the BeyondTrust Vault authentication record.
- Vault Credentials: The following credentials can be defined for your BeyondTrust Password Safe Vault.
- Application API Key: Paste in the application key (alpha-numeric string) for the BeyondTrust Password Safe web services API. How to find the key
- URL: The HTTP or HTTPS URL to access the BeyondTrust Password Safe web services API.
- SSL Verify: This option is available when the URL uses HTTPS. Qualys scanners verify the web server's SSL certificate to ensure it is valid and trusted unless you clear (un-check) the SSL Verify option. You may want to clear this option to skip SSL verification if the certificate was not issued by a well-known certification authority (CA) or if the certificate is self-signed. Note that with verification disabled the scanner cannot tell a genuine Password Safe server from one impersonating it, so the API key and password are sent to whichever server answers at the URL.
- User Name: The user account that can call the BeyondTrust Password Safe web services API. The maximum length is 64 characters. The @ character is not allowed.
- Password / Confirm Password: Specify a user password when required by the Application API Key configuration in BeyondTrust Password Safe. The maximum length is 64 characters. How to know if a password is required
- Certificate / Private Key: The certificate and private key are required if your server requires a certificate for authentication. Both must be defined together or skipped. The certificate you enter must be trusted by the Password Safe web server. How to know if a certificate is required
- Passphrase: The private key passphrase, if applicable.
- Comments: Enter any comments.
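To make the mapping from these fields to the Password Safe API concrete, here is an added example, not Qualys or BeyondTrust code: it models the vault form, validates the field constraints listed above, and builds the TLS context and sign-in request a client would use. The PS-Auth authorization header and the Auth/SignAppin endpoint are the Password Safe API conventions as I know them from BeyondTrust's API documentation, not something stated on this page; the host name and key values are constructed.

```python
import ssl
import urllib.request
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class BeyondTrustVault:
    """Constructed model of the vault form fields described above."""
    url: str                          # Password Safe web services API URL (http or https)
    api_key: str                      # Application API key
    user_name: str                    # API user, max 64 chars, no '@'
    password: Optional[str] = None    # only if the API key policy requires one
    ssl_verify: bool = True           # the SSL Verify check box
    cert_file: Optional[str] = None   # client certificate (PEM), optional
    key_file: Optional[str] = None    # matching private key, must accompany cert_file
    passphrase: Optional[str] = None  # private key passphrase, if applicable


def validate(v: BeyondTrustVault) -> List[str]:
    """Return the list of field problems; an empty list means the form is consistent."""
    problems = []
    scheme = urlsplit(v.url).scheme.lower()
    if scheme not in ("http", "https"):
        problems.append("URL must use http or https")
    if not v.user_name or len(v.user_name) > 64:
        problems.append("User Name must be 1 to 64 characters")
    if "@" in v.user_name:
        problems.append("User Name must not contain '@'")
    if v.password is not None and len(v.password) > 64:
        problems.append("Password must be at most 64 characters")
    if (v.cert_file is None) != (v.key_file is None):
        problems.append("Certificate and Private Key must be given together or both left empty")
    if v.passphrase and v.key_file is None:
        problems.append("Passphrase given without a Private Key")
    return problems


def auth_header(v: BeyondTrustVault) -> str:
    """PS-Auth header value (assumed Password Safe API format, see lead-in)."""
    parts = [f"key={v.api_key}", f"runas={v.user_name}"]
    if v.password:                      # pwd is only sent when the key policy needs it
        parts.append(f"pwd=[{v.password}]")
    return "PS-Auth " + "; ".join(parts) + ";"


def build_ssl_context(v: BeyondTrustVault) -> ssl.SSLContext:
    """TLS settings that mirror the SSL Verify and Certificate / Private Key fields."""
    ctx = ssl.create_default_context()  # verifies the chain and host name by default
    if not v.ssl_verify:
        # Mirrors clearing SSL Verify: any certificate is accepted, so the API key
        # and password go to whichever server answers at the URL.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if v.cert_file:
        ctx.load_cert_chain(v.cert_file, v.key_file, password=v.passphrase)
    return ctx


def is_verifying(v: BeyondTrustVault) -> bool:
    """True when the context built for this vault checks both chain and host name."""
    ctx = build_ssl_context(v)
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def sign_app_in_request(v: BeyondTrustVault) -> urllib.request.Request:
    """Build (without sending) the sign-in request; Auth/SignAppin is the assumed endpoint."""
    return urllib.request.Request(
        v.url.rstrip("/") + "/Auth/SignAppin",
        data=b"",
        method="POST",
        headers={"Authorization": auth_header(v), "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Constructed values; ps.example.test does not exist, so the request is only built here.
    vault = BeyondTrustVault(
        url="https://ps.example.test/BeyondTrust/api/public/v3",
        api_key="0123abcd",
        user_name="qualys-svc",
    )
    print("problems:", validate(vault))
    print("verifying TLS:", is_verifying(vault))
    print("request:", sign_app_in_request(vault).full_url)
```

To send the request for real, pass `build_ssl_context(vault)` as the `context` argument of `urllib.request.urlopen`; the cookie returned by a successful sign-in is what later Password Safe calls carry.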
Authentication Record
Choose the BeyondTrust Password Safe vault in your authentication record and provide these details. Both fields are optional.
- System Name: Enter the managed system name (also known as asset name). When not provided, we attempt to auto-discover the system name for you at scan time. The service uses information known about each host (like the IP address and FQDN) to query your BeyondTrust Password Safe for the system name. Auto discovery is the only option available when your record includes multiple IPs.
Using Palo Alto Networks Firewall authentication? You must enter the system name directly in the Palo Alto Networks Firewall record because auto-discovery of the system name is not supported for this authentication type. Also, if the vault account name for which we need to query a password differs from the username defined in the Palo Alto Networks Firewall record, enter it directly in the Account Name field.
- Account Name: When an account name is not provided, we try the username entered in the authentication record.
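The resolution rules above (explicit system name, auto-discovery by IP or FQDN, auto-discovery forced for multi-IP records, the Palo Alto Networks Firewall exception, and the account-name fallback to the record's username) as an added worked example; this is not Qualys code, and the host inventory and record values are constructed stand-ins for what the service would learn from your Password Safe at scan time.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Host:
    """Constructed stand-in for what the scanner knows about a host at scan time."""
    ip: str
    fqdn: Optional[str] = None


@dataclass
class AuthRecord:
    """Constructed stand-in for the authentication record fields discussed above."""
    record_type: str                    # e.g. "Unix", "Windows", "Palo Alto Networks Firewall"
    username: str                       # login name in the record
    ips: List[str]                      # IPs covered by the record
    system_name: Optional[str] = None   # optional managed system (asset) name
    account_name: Optional[str] = None  # optional vault account name


# Constructed inventory: managed system name keyed by IP or FQDN, standing in
# for the answer a query to Password Safe would give.
MANAGED_SYSTEMS: Dict[str, str] = {
    "10.0.0.5": "db-prod-01",
    "db-prod-01.corp.example": "db-prod-01",
    "10.0.0.9": "fw-edge-01",
}

PALO_ALTO = "Palo Alto Networks Firewall"


def discover_system_name(host: Host) -> Optional[str]:
    """Auto-discovery: try the IP first, then the FQDN, against the inventory."""
    for key in (host.ip, host.fqdn):
        if key and key in MANAGED_SYSTEMS:
            return MANAGED_SYSTEMS[key]
    return None


def resolve(record: AuthRecord, host: Host) -> Tuple[str, str]:
    """Return the (system_name, account_name) pair to request from the vault.

    Raises ValueError when the record cannot be resolved by rule, and
    LookupError when auto-discovery finds no managed system for the host.
    """
    if record.record_type == PALO_ALTO:
        # Auto-discovery is not supported for this record type, so the name
        # must be present in the record. (The page does not cover a multi-IP
        # Palo Alto record; this example simply requires the explicit name.)
        if not record.system_name:
            raise ValueError("Palo Alto Networks Firewall records need an explicit System Name")
        system = record.system_name
    elif len(record.ips) > 1 or not record.system_name:
        # Multi-IP records can only auto-discover; single-IP records do so
        # when no System Name was entered.
        system = discover_system_name(host)
        if system is None:
            raise LookupError(f"no managed system found for {host.ip}")
    else:
        system = record.system_name
    # Account Name falls back to the record's username when not provided.
    account = record.account_name or record.username
    return system, account


if __name__ == "__main__":
    rec = AuthRecord("Unix", "scanner", ["10.0.0.5"])
    print(resolve(rec, Host("10.0.0.5", "db-prod-01.corp.example")))  # auto-discovered
    multi = AuthRecord("Unix", "scanner", ["10.0.0.5", "10.0.0.9"], account_name="svc")
    print(resolve(multi, Host("10.0.0.9")))                            # forced auto-discovery
```

The useful property to notice is that a multi-IP record ignores any system name it carries, so a credential request for such a record only succeeds when every IP in it resolves in Password Safe.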