Use this vault type to retrieve authentication credentials from a HashiCorp vault.
Vault Credentials
These credentials may be defined for your HashiCorp Vault.
URL: The HTTP or HTTPS URL to access the HashiCorp Vault.
SSL Verify: This option is available when the URL uses HTTPS. Qualys scanners will verify the SSL certificate of the web server to make sure the certificate is valid and trusted, unless you clear (un-check) the SSL Verify option. You may want to clear this option to skip SSL verification if the certificate was not issued by a well-known certification authority (CA) or if the certificate is self-signed.
API Version: The HashiCorp Vault HTTP API version. This is v1 by default, which is the only supported version.
Auth Type: First choose the authentication method you want to use (Username/Password, Cert or App Role) and then provide login credentials for authenticating to the vault server via the HashiCorp Vault HTTP API.
Auth Type: Username/Password
Choose the Username/Password authentication method to authenticate to the vault server with a username and password combination.
Path: The path for the Username/Password authentication method. The default path is /auth/userpass but you can specify a custom path like auth/my-path. The namespace prefix is not required if the user has access to the entire vault; however, it is required if the user has access only to that namespace.
Username: The user account that can access the vault server.
Password: The password for the user account.
Auth Type: Cert
Choose the Cert authentication method to authenticate to the vault server using SSL/TLS client certificates, which are either signed by a CA (Certificate Authority) or self-signed. CA certificates are associated with a role name.
Path: The path for the Cert authentication method. The default path is auth/cert but you can specify a custom path like auth/my-path.
Role Name: The role associated with the CA certificate.
Certificate / Private Key: The certificate and private key are required if your server requires a certificate for authentication. Both must be defined together or both skipped. The certificate field stores the base64-encoded client X.509 certificate in PEM format. The private key field stores the base64-encoded client private key that corresponds to the public key in the certificate.
Passphrase: The private key passphrase, if the private key is encrypted.
Auth Type: App Role
Choose the App Role authentication method to authenticate to the vault server with a vault-defined role.
Path: The path for the App Role authentication method. The default path is auth/approle, but you can specify a custom path like auth/my-path.
Role ID: The role ID of the App Role you want to use for authentication.
Secret ID: The secret ID of the App Role you want to use for authentication.
Authentication Record
Choose the HashiCorp vault in your authentication record and provide details about the KV (Key-Value) secrets engine where your login credentials (secrets) are stored. Note that only Key-Value Secrets Engine version 2 is supported for retrieving secrets from the HashiCorp Vault.
Path: The path of the secrets engine. The default is "secret/data". For a custom path, provide the path in the format "path/to/secret/data". The namespace prefix in the secret path is not required if the user has access to the entire vault; however, it is required if the user has access only to that namespace.
Name: The secret name which stores the key-value pairs.
Key: The key name for identifying a specific key-value pair. Note: This field does not appear when you are using the Database Secrets Engine or the Active Directory (AD) Secrets Engine while creating or updating HashiCorp authentication records (Oracle, Windows, HTTP, MS SQL, Network SSH, Unix record, PostgreSQL, MongoDB, Cisco, Cisco_APIC, Infoblox).
Use Database Secrets Engine: A toggle switch that controls whether the Database Secrets Engine is used while creating/updating HashiCorp authentication records. Switch it to YES to use the Database Secrets Engine; otherwise, switch it to NO.
Use Active Directory (AD) Secrets Engine: An option that controls whether the Active Directory (AD) Secrets Engine is used while creating/updating HashiCorp authentication records. Select YES to use the Active Directory (AD) Secrets Engine; otherwise, select NO.
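To make the App Role and Authentication Record fields above concrete, here is an added example (not Qualys or HashiCorp code) of the two HTTP calls a client makes against the v1 API: an AppRole login at the configured auth Path, then a KV v2 read at the configured secret Path plus Name, selecting one Key. The vault URL, namespace, role and secret names are constructed placeholders, and the Vault responses are built inline so nothing is contacted over the network.

```python
import json
from urllib.parse import quote

API_VERSION = "v1"  # the only HTTP API version supported by the record


def _join(base_url, *segments):
    """Join the vault URL, API version and path segments, tolerating stray slashes."""
    parts = [base_url.rstrip("/"), API_VERSION]
    parts += [s.strip("/") for s in segments if s and s.strip("/")]
    return "/".join(parts)


def approle_login_request(base_url, role_id, secret_id,
                          auth_path="auth/approle", namespace=None):
    """Build the POST that exchanges Role ID + Secret ID for a client token.

    `namespace` (e.g. "team-a", a constructed value) is prefixed onto the auth
    path, as required when the user only has access to that namespace.
    """
    path = f"{namespace}/{auth_path}" if namespace else auth_path
    url = _join(base_url, path, "login")
    body = json.dumps({"role_id": role_id, "secret_id": secret_id})
    return url, body


def kv2_read_request(base_url, token, name, secret_path="secret/data",
                     namespace=None):
    """Build the GET for one KV v2 secret: /v1/<Path>/<Name>.

    The record's Path already ends in the KV v2 "data" segment
    ("secret/data" or "path/to/secret/data"), so Name is appended directly.
    """
    path = f"{namespace}/{secret_path}" if namespace else secret_path
    url = _join(base_url, path, quote(name, safe="/"))
    return url, {"X-Vault-Token": token}


def token_from_login(response_json):
    """Extract the client token from a Vault login response."""
    return response_json["auth"]["client_token"]


def value_from_kv2(response_json, key):
    """Select one Key from a KV v2 read. KV v2 nests the pairs under data.data
    (data.metadata holds the version), so a KV v1-style lookup would fail."""
    payload = response_json["data"]
    if "data" not in payload or "metadata" not in payload:
        raise ValueError("not a KV v2 response (missing data.data / data.metadata)")
    if key not in payload["data"]:
        raise KeyError(f"key {key!r} not present in secret")
    return payload["data"][key]


# Constructed responses in the shape Vault returns; not real tokens or passwords.
LOGIN_RESPONSE = {"auth": {"client_token": "hvs.CONSTRUCTED-TOKEN", "lease_duration": 3600}}
KV2_RESPONSE = {"data": {"data": {"username": "scanuser", "password": "constructed-pass"},
                         "metadata": {"version": 3}}}
```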
User Permissions
A Manager user has permission to configure a HashiCorp Vault. A Unit Manager can be granted this permission.