HashiCorp Vault

Click here and we'll walk you thru the steps. Add IP addresses to scan, configure scanner appliances, configure vaults and authentication records, set up option profiles and start scanning!

These credentials may be defined for your HashiCorp Vault.

URL  The HTTP or HTTPS URL to access the HashiCorp Vault.

SSL Verify  This option is available when the URL uses HTTPS. Qualys scanners will verify the SSL certificate of the web server to make sure the certificate is valid and trusted, unless you clear (un-check) the SSL Verify option. You may want to clear this option to skip SSL verification if the certificate was not issued by a well-known certification authority (CA) or if the certificate is self-signed.

 If you clear (un-check) the SSL verify option, the scanner skips the server certificate validation with CA, but the connection still goes through SSL only.

API Version  The HashiCorp Vault HTTP API version. This is v1 by default, which is the only supported version.

Auth Type  First choose the authentication method you want to use (Username/Password, Cert or App Role) and then provide login credentials for authenticating to the vault server via the HashiCorp Vault HTTP API.

Choose the Username/Password authentication method to authenticate to the vault server with a username and password combination.  

Path  The path for the Username/Password authentication method. The default path is /auth/userpass but you can specify a custom path like auth/my-path.

The namespace prefix is not required if the user has access to the entire vault; however, it is required if the user has access only to that namespace.

Username  The user account that can access the vault server.  

Password  The password for the user account.

Choose the Cert authentication method to authenticate to the vault server using SSL/TLS client certificates which are either signed by a CA (Certificate Authority) or self-signed. CA certificates are associated with a role name.

Path  The path for the Cert authentication method. The default path is auth/cert but you can specify a custom path like auth/my-path.

Role Name  The role associated with the CA certificate.  

Certificate / Private Key The certificate and private key are required if your server requires a certificate for authentication. Both must be defined together or skipped. Learn more

Passphrase  The private key passphrase, if the private key is encrypted with password.

Choose the App Role authentication method to authenticate to the vault server with a vault-defined role.

Path  The path for the App Role authentication method. The default path is auth/approle, but you can specify a custom path like auth/my-path.

Role ID  The role ID of the App Role you want to use for authentication.

Secret ID  The secret ID of the App Role you want to use for authentication.

Choose the HashiCorp vault in your authentication record and provide details about the KV (Key-Value) secrets engine where your login credentials (secrets) are stored. Note that we only support Key-Value Secret Engine version 2 to retrieve secrets from the HashiCorp Vault.

Path  The path of the secret engine. The default is “secret/data”. For a custom path, provide path in the format "path/to/secret/data".

The namespace prefix in the secret path is not required if the user has access to the entire vault; however, it is required if the user has access only to that namespace.

Name  The secret name which stores the key-value pairs.

Key  The key name for identifying a specific key-value pair.

Note: This field does not appear when you are using Database Secrets Engine or Active Directory (AD) Secrets Engine while creating or updating HashiCorp authentication records (Oracle, Windows, HTTP, MS SQL, Network SSH, Unix record, PostgreSQL, MongoDB, Cisco, Cisco_APIC,Infoblox). 

Use Database Secrets Engine:  A toggle switch to manage the utilization of Database Secrets Engine while creating/updating HashiCorp authentication records. Switch it to YES or NO, depending upon your business requirements. Switch it to YES to use Database Secrets Engine. Else, switch it to NO.

Use Active Directory (AD) Secrets Engine:  An option to manage utilization of Active Directory (AD) while creating/updating HashiCorp authentication records. Select YES or NO, depending upon your business requirements. Select YES to use Active Directory (AD). Else, select NO.

A Manager user has permission to configure a HashiCorp Vault. A Unit Manager can be granted this permission.