The parameters used to define vault settings in vault records are listed below. Settings differ by vault type.
View our latest Vault Support Matrix
| Parameter | Required/Optional | Data Type | Description |
|---|---|---|---|
| Arcon PAM | | | |
| url={value} | Required to create and optional to update vault | String | The HTTP or HTTPS URL to access the ARCON PAM Vault API. The HTTPS URL is required if the ssl_verify parameter is set to 1. |
| ssl_verify={0\|1} | Required to create and optional to update vault | Integer | When set to 1 (the default), our service will verify the SSL certificate of the web server to make sure the certificate is valid and trusted. When set to 0, our service will not verify the certificate of the web server. |
| username={value} | Required to create and optional to update vault | String | A username required to access the vault. |
| password={value} | Required to create and optional to update vault | Alphanumeric | A password required to access the vault. |
| Azure Key | | | |
| url={value} | Required to create and optional to update vault | String | The HTTP or HTTPS URL to access the Azure Key Vault HTTP API. The HTTPS URL is required if the ssl_verify parameter is set to 1. |
| app_id={value} | Required to create and optional to update vault | Integer | The application ID associated with the application created in the Azure Key Vault. |
| ssl_verify={0\|1} | Required to create and optional to update vault | Integer | When set to 1 (the default), our service will verify the SSL certificate of the web server to make sure the certificate is valid and trusted. When set to 0, our service will not verify the certificate of the web server. |
| cert={value} | Required to create and optional to update vault | Certificate | The client certificate for authentication. Enter the certificate block after the key block and be sure to include the first and last line (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). For a create/update request, if the cert parameter is specified, then the private_key parameter must also be specified. |
| private_key={value} | Required to create and optional to update vault | Integer | The private key for authentication. Copy the contents of the private key file (id_rsa) and be sure to include the first and last line (-----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----). |
| passphrase={value} | Optional | Integer | The private key passphrase is required if the private key is encrypted. |
| BeyondTrust PBPS | | | |
| appkey={value} | Required for new vault | Integer | The application key (alpha-numeric string) for the BeyondTrust PBPS web services API. The maximum length is 128 bytes. Leading and/or trailing spaces or periods in the input value will be removed. |
| url={value} | Required for new vault | String | The HTTP or HTTPS URL to access the BeyondTrust PBPS web services API. |
| ssl_verify={1\|0} | Optional | Integer | When set to 1, our service will verify the SSL certificate of the web server to make sure the certificate is valid and trusted. When set to 0, our service will not verify the certificate of the web server. |
| username={value} | Required for new vault | String | The user account that can call the BeyondTrust PBPS web services API. The maximum length is 64 characters. This special character cannot be included: @ |
| password={value} | Optional | Alphanumeric | Specify a user password when required by the Application API Key configuration in BeyondTrust. |
| cert={value} | Optional | Certificate | Provide an X.509 client certificate with your private key when required by the Application API Key configuration in BeyondTrust. The certificate must be trusted by the PBPS web server. Enter the certificate block after the key block and be sure to include the first and last line (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). For a create/update request, if the cert parameter is specified, then the private_key parameter must also be specified. |
| private_key={value} | Optional | Integer | Specify the private key for authentication. Copy the contents of the private key file (id_rsa) and be sure to include the first and last line (-----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----). For a create/update request, if the private_key parameter is specified, then the cert parameter must also be specified. |
| private_key_pwd={value} | Optional | Alphanumeric | Specify a password for your private key if it is encrypted. |
| CA PAM | | | |
| vault_app_name={value} | Required | String | Application name as defined in the vault configuration for accessing a specific device. |
| vault_device_name={value} | Optional | String | Specify the target device name defined in the vault configuration for which you want to retrieve the credentials. You can use one or more variables when defining the device name in order to match several targets that use the same naming convention: ${ip} - The IP address of the target, i.e. 10.20.30.40; ${ip_dash} - The IP address of the target with dashes instead of dots, i.e. 10-20-30-40; ${dnshost} - The DNS host name of the target, i.e. host.domain; ${host} - The host name of the target, i.e. host before .domain; ${nbhost} - (Windows only) The NetBIOS host name of the target in upper-case, i.e. HOST_ABC. For example, device-unix-${ip} will match these 3 devices: device-unix-10.50.60.70, device-unix-10.50.60.88 and device-unix-10.30.10.12. Note: You must specify "vault_device_name" or "vault_device_host", but not both. |
| vault_device_host={value} | Optional | Integer | Specify the target device address defined in the vault configuration for which you want to retrieve the credentials. You can use one or more variables when defining the device host in order to match several targets that use the same naming convention: ${ip} - The IP address of the target, i.e. 10.20.30.40; ${ip_dash} - The IP with dashes, i.e. 10-20-30-40; ${dnshost} - DNS hostname of the target, i.e. host.domain; ${host} - Hostname of the target, i.e. host before .domain; ${nbhost} - (Windows only) The NetBIOS name of the target in upper-case, i.e. HOST_ABC. For example, ${host}-${ip_dash} will match these 3 devices: host40-10-20-30-40, host80-10-50-60-70 and host12-10-30-10-12. Note: You must specify "vault_device_name" or "vault_device_host", but not both. |
| CyberArk AIM | | | |
| folder={value} | Required if vault type is CyberArk AIM | Integer | Specify the name of the folder in the secure digital safe where the password to be used for authentication should be stored. The folder name can contain a maximum of 169 characters. Entering a trailing /, as in folder/, is optional (when specified, the service removes the trailing / and does not save it in the folder name). The maximum length of a folder name with a file name is 170 characters (the leading and/or trailing space in the input value will be removed). These special characters cannot be included in a folder name: / : * ? " < > \|. You can use one or more variables when defining the folder name in order to match several targets that use the same naming convention: ${ip} - The IP address of the target, i.e. 10.20.30.40; ${ip_dash} - The IP with dashes, i.e. 10-20-30-40; ${dnshost} - DNS hostname of the target, i.e. host.domain; ${host} - Hostname of the target, i.e. host before .domain; ${nbhost} - (Windows only) The NetBIOS name of the target in upper-case, i.e. HOST_ABC. For example, ${host}-${ip_dash} will match these 3 targets: host40-10-20-30-40, host80-10-50-60-70 and host12-10-30-10-12. |
| file={value} | Required if vault type is CyberArk AIM | String | Specify the name of the file in the secure digital safe where the password to be used for authentication should be stored. The file name can contain a maximum of 165 characters. The maximum length of a folder name plus a file name is 170 characters (the leading and/or trailing space in the input value will be removed). These special characters cannot be included in a file name: \ / : * ? " < > \|. You can use one or more variables when defining the file name in order to match several targets that use the same naming convention: ${ip} - The IP address of the target, i.e. 10.20.30.40; ${ip_dash} - The IP with dashes, i.e. 10-20-30-40; ${dnshost} - DNS hostname of the target, i.e. host.domain; ${host} - Hostname of the target, i.e. host before .domain; ${nbhost} - (Windows only) The NetBIOS name of the target in upper-case, i.e. HOST_ABC. For example, ${host}-${ip_dash} will match these 3 targets: host40-10-20-30-40, host80-10-50-60-70 and host12-10-30-10-12. |
| CyberArk PIM Suite | | | |
| folder={value} | Required if vault type is CyberArk PIM Suite | String | Specify the name of the folder in the secure digital safe where the password to be used for authentication should be stored. The folder name can contain a maximum of 169 characters. Entering a trailing /, as in folder/, is optional (when specified, the service removes the trailing / and does not save it in the folder name). The maximum length of a folder name with a file name is 170 characters (the leading and/or trailing space in the input value will be removed). These special characters cannot be included in a folder name: / : * ? " < > \| |
| file={value} | Required if vault type is CyberArk PIM Suite | String | Specify the name of the file in the secure digital safe where the password to be used for authentication should be stored. The file name can contain a maximum of 165 characters. The maximum length of a folder name plus a file name is 170 characters (the leading and/or trailing space in the input value will be removed). These special characters cannot be included in a file name: \ / : * ? " < > \| |
| HashiCorp | | | |
| secret_kv_path={value} | Optional if vault type is HashiCorp | Path | The path of the secret engine. The default is "secret/data". For a custom path, provide the path in the format "path/to/secret/data". Note that we only support Key-Value Secrets Engine version 2 to retrieve secrets from the HashiCorp Vault. |
| secret_kv_name={value} | Required if vault type is HashiCorp | String | The secret name which stores key-value pairs. |
| secret_kv_key={value} | Required if vault type is HashiCorp | Alphanumeric | The key name for identifying a specific key-value pair. Note: This field does not appear when using the Database Secrets Engine or Active Directory (AD) Secrets Engine while creating or updating HashiCorp authentication records (Oracle, Windows, HTTP record). |
| Hitachi ID PAM | | | |
| resource_id | Optional | Integer | Specify the resource id for a Hitachi ID PAM authentication record. |
| Lieberman ERPM | | | |
| auto_discover_system_name={0\|1} | Required if vault type is Lieberman ERPM | Integer | Specify 1 to enable auto discovery of the system name and 0 to disable auto discovery. Each system in your ERPM environment has a system name, and this is needed in order to retrieve the password for authentication. Use auto discovery to allow the service to find the system name for you at scan time. The service uses information known about each host (like the IP address and FQDN) to query ERPM for the system name. Auto discovery is the only option available when your record includes multiple IPs. |
| system_name_single_host={value} | Required if vault type is Lieberman ERPM | String | Specify the system name that is needed to retrieve the password for authentication. To specify system_name_single_host, ensure that auto discovery of the system name is disabled (auto_discover_system_name=0). If auto discovery of the system name is enabled (auto_discover_system_name=1), specifying system_name_single_host is invalid. |
| system_type={value} | Required if vault type is Lieberman ERPM | Boolean | A valid value is one of the following system types: auto, windows, unix, oracle, mssq, ldap, cisco, custom. |
| custom_system_type={value} | Required if vault type is Lieberman ERPM | String | Specify the custom system type name. custom_system_type is valid only when system_type=custom. |
| Quest Vault | | | |
| system_name={value} | Required if vault type is Quest Vault | String | Specify the system name. During a scan we'll perform a search for the system name and then retrieve the password. A single exact match of the system name must be found in order for authentication to be successful. |
| Thycotic Secret Server | | | |
| secret_name={value} | Required if vault type is Thycotic Secret Server | String | Specify the secret name that contains the password to be used for authentication. The scanning engine will perform a search for the secret name and then get the password from the secret returned by the search. A single exact match of the secret name must be found in order for authentication to be successful. The secret name may contain a maximum of 256 characters, and must not contain multibyte characters. |
| Wallix AdminBastion (WAB) | | | |
| authorization_name={value} | Required if vault type is Wallix AdminBastion (WAB). | String | Specify the name of the authorization that enables secret retrieval from a group of targets. |
| target_name={value} | Required if vault type is Wallix AdminBastion (WAB). | String | Specify the name of the target device using one of these formats: user@global_WABdomain or user@local_WABdomain@device, where user is the user with access to the target, global_WABdomain is a domain name in a domain controller, local_WABdomain is a local domain, and device is the device you want to scan. Use one or more variables in the target name to match several targets that use the same naming convention: ${ip} - The IP address of the target, i.e. 10.20.30.40; ${ip_dash} - The IP with dashes, i.e. 10-20-30-40; ${dnshost} - DNS hostname of the target, i.e. host.domain; ${host} - Hostname of the target, i.e. host before .domain; ${nbhost} - (Windows only) The NetBIOS name of the target in upper-case, i.e. HOST_ABC. For example, the target name user@local_WABdomain@${ip} will match these 3 devices: 10.50.60.70, 10.50.60.88 and 10.30.10.12. |
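The ${ip}, ${ip_dash}, ${dnshost}, ${host} and ${nbhost} variables used by the CA PAM, CyberArk AIM and Wallix entries above, together with the CyberArk folder/file length and character rules, as an added example that is not part of the original page or the vendor's code. The `Target` record and the expansion and validation functions are assumptions made for illustration, not an API the service exposes.

```python
import re
from dataclasses import dataclass


# Constructed sample target record (hypothetical): the service is described as
# knowing each host's IP address and DNS name, which is all the variables need.
@dataclass
class Target:
    ip: str
    dnshost: str
    windows: bool = False


def target_variables(t: Target) -> dict:
    """Derive the ${...} variables listed in the parameter table."""
    host = t.dnshost.split(".", 1)[0]          # host name before .domain
    vars_ = {
        "ip": t.ip,
        "ip_dash": t.ip.replace(".", "-"),
        "dnshost": t.dnshost,
        "host": host,
    }
    if t.windows:                               # ${nbhost} is Windows-only
        vars_["nbhost"] = host.upper()
    return vars_


_VAR = re.compile(r"\$\{([a-z_]+)\}")


def expand_name(template: str, t: Target) -> str:
    """Expand a vault_device_name, folder or target_name template for one target.
    Raises KeyError for an unknown variable or ${nbhost} on a non-Windows target."""
    vars_ = target_variables(t)
    return _VAR.sub(lambda m: vars_[m.group(1)], template)


_FOLDER_BAD = set('/:*?"<>|')
_FILE_BAD = set('\\/:*?"<>|')


def cyberark_path(folder: str, file: str) -> str:
    """Apply the CyberArk folder/file rules from the table and return folder/file.
    Leading/trailing spaces and a trailing '/' on the folder are removed first."""
    folder = folder.strip().rstrip("/")
    file = file.strip()
    if len(folder) > 169 or len(file) > 165 or len(folder) + len(file) > 170:
        raise ValueError("CyberArk folder/file length limit exceeded")
    if _FOLDER_BAD & set(folder) or _FILE_BAD & set(file):
        raise ValueError("forbidden character in CyberArk folder or file name")
    return f"{folder}/{file}"
```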