Vault settings in vault record

for defining vaults in vault records

The various parameters used to define vault settings as part of vault records are below. Settings differ per vault type.

View our latest Vault Support Matrix

 

Parameter

Description

Arcon PAM

 

url={value}

(Required to create and optional to update vault) The HTTP or HTTPS URL to access the ARCON PAM Vault API. The HTTPS URL is required if the ssl_verify parameter is set to 1.

ssl_verify={0|1}

(Required to create and optional to update vault) When set to 1 (the default), our service will verify the SSL certificate of the web server to make sure the certificate is valid and trusted. When set to 0, our service will not verify the certificate of the web server.

username={value}

(Required to create and optional to update vault) A username required to access the vault.

password={value}

(Required to create and optional to update vault) A password required to access the vault.

Azure Key

 

url={value}

(Required to create and optional to update vault) The HTTP or HTTPS URL to access the Azure Key Vault HTTP API. The HTTPS URL is required if the ssl_verify parameter is set to 1.

app_id={value}

(Required to create and optional to update vault) The application ID associated with the application created in the Azure Key Vault.

ssl_verify={0|1}

(Required to create and optional to update vault) When set to 1 (the default), our service will verify the SSL certificate of the web server to make sure the certificate is valid and trusted. When set to 0, our service will not verify the certificate of the web server.

cert={value}

(Required to create and optional to update vault) The client certificate for authentication. Enter the certificate block after the key block and be sure to include the first and last line (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).

For a create/update request, if the cert parameter is specified, then the private_key parameter must also be specified.

private_key={value}

(Required to create and optional to update vault) The private key for authentication. Copy the contents of the private key file (id_rsa) and be sure to include the first and last line (-----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----).

passphrase={value}

(Optional) The private key passphrase is required if the private key is encrypted.

BeyondTrust PBPS

 

appkey={value}

(Required for new vault) The application key (alpha-numeric string) for the BeyondTrust PBPS web services API. The maximum length is 128 bytes. A leading and/or trailing space or periods in the input value will be removed.

url={value}

(Required for new vault) The HTTP or HTTPS URL to access the BeyondTrust PBPS web services API.

ssl_verify={1|0}

(Optional) When set to 1, our service will verify the SSL certificate of the web server to make sure the certificate is valid and trusted. When set to 0, our service will not verify the certificate of the web server.

username={value}

(Required for new vault) The user account that can call the BeyondTrust PBPS web services API. The maximum length is 64 characters. This special character cannot be included: @

password={value}

(Optional) Specify a user password when required by the Application API Key configuration in BeyondTrust.

cert={value}

(Optional) Provide an X.509 client certificate with your private key when required by the Application API Key configuration in BeyondTrust. The certificate must be trusted by the PBPS web server.

Enter the certificate block after the key block and be sure to include the first and last line (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).

For a create/update request, if the cert parameter is specified, then the private_key parameter must also be specified.

private_key={value}

(Optional) Specify the private key for authentication. Copy the contents of the private key file (id_rsa) and be sure to include the first and last line (-----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----).

For a create/update request, if the private_key parameter is specified, then the cert parameter must also be specified.

private_key_pwd={value}

(Optional) Specify a password for your private key if it’s encrypted.

CA PAM

 

ssl_verify={0|1}

(Required to create and optional to update vault) The user account that can call the CA PAM Vault HTTP API.

url={value}

(Required to create and optional to update vault) The HTTP or HTTPS URL to access the CA PAM Vault HTTP API.

apikey_name={value}

(Required to create and optional to update vault) The user account that can call the CA PAM Vault HTTP API.

apikey={value}

(Required to create and optional to update vault) The password for the user account that can call the CA PAM Vault HTTP API.

CyberArk AIM

 

appid={value}

(Required) Application ID string defined by the customer. The application ID acts as an authenticator for our scanner to call CCP web services API. The maximum length of an application ID name is 128 bytes and the first 28 characters must be unique (leading and/or trailing space or periods in the input value will be removed). These restricted words cannot be included in an application ID: Users, Addresses, Areas, XUserRules, unknown, Locations, Safes, Schedule, VaultCategories, Builtin. These special characters cannot be included in an application ID: \ / : * ? " < > | \t \r \n \x1F.

safe={value}

(Required) The name of the digital password safe. The safe name can contain a maximum of 28 characters (leading and/or trailing space in the input value will be removed). These special characters cannot be included in a safe name:

\ / : * ? " < > | \t \r \n \x1F

url={value}

(Required) The HTTP or HTTPS URL over SSL protocols to access CyberArk's CCP web services.

ssl_verify={1|0}

(Required) When set to 1, our service will verify the CCP SSL certificate of the web server to make sure the certificate is valid and trusted. When set to 0, our service will not verify the certificate of the web server.

cert={value}

(Optional) You must include an X.509 certificate with your private key. Enter the certificate block after the key block and be sure to include the first and last line (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).

For a create/update request, if the certificate parameter is specified, then the private_key parameter must also be specified.

private_key={value}

(Optional) Specify the private key for authentication. Copy the contents of the private key file (id_rsa) and be sure to include the first and last line (-----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----).

For a create/update request, if the private_key parameter is specified, then the certificate parameter must also be specified.

private_key_pwd={value}

(Optional) Specify a password for the encrypted private_key.
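A pre-flight check for the appid and safe rules listed above, so a rejected or silently trimmed value is caught before the request is sent. This is an added example, not vendor code: the function names, the `existing` argument and the case-insensitive substring match on restricted words are assumptions of the example.

```python
FORBIDDEN_CHARS = set('\\/:*?"<>|\t\r\n\x1f')
RESTRICTED_WORDS = ("Users", "Addresses", "Areas", "XUserRules", "unknown",
                    "Locations", "Safes", "Schedule", "VaultCategories", "Builtin")


def _reject_forbidden(label, value):
    bad = sorted(FORBIDDEN_CHARS & set(value))
    if bad:
        raise ValueError(f"{label} contains forbidden characters: {bad!r}")


def normalize_appid(raw, existing=()):
    """Return the appid after the documented trimming, or raise ValueError."""
    appid = raw.strip(" .")  # leading/trailing spaces and periods are removed
    if not appid:
        raise ValueError("appid is empty after trimming")
    if len(appid.encode("utf-8")) > 128:  # the limit is in bytes, not characters
        raise ValueError("appid exceeds 128 bytes")
    _reject_forbidden("appid", appid)
    lowered = appid.lower()
    for word in RESTRICTED_WORDS:
        # Assumption: a restricted word anywhere in the ID, in any case, is rejected.
        if word.lower() in lowered:
            raise ValueError(f"appid contains restricted word {word!r}")
    for other in existing:  # hypothetical list of application IDs already in use
        if other[:28] == appid[:28]:
            raise ValueError(f"first 28 characters collide with {other!r}")
    return appid


def normalize_safe(raw):
    """Return the safe name after the documented trimming, or raise ValueError."""
    safe = raw.strip(" ")  # only leading/trailing spaces are removed for a safe
    if not safe:
        raise ValueError("safe is empty after trimming")
    if len(safe) > 28:
        raise ValueError("safe exceeds 28 characters")
    _reject_forbidden("safe", safe)
    return safe
```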

CyberArk PIM Suite

 

server_address={value}

(Optional) The port the vault server is running on. The port must be in the range 1025 to 65535. For a new vault the port is set to 1858 by default, if the port parameter is not specified.

port={value}

(Optional) The port the vault server is running on. The port must be in the range 1025 to 65535. For a new vault the port is set to 1858 by default, if the port parameter is not specified.

safe={value}

(Required for new vault) The name of the digital password safe. The safe name can contain a maximum of 28 characters (leading and/or trailing space in the input value will be removed). These special characters cannot be included in a safe name: \ / : * ? " < > . |

username={value}

(Required for new vault) The username for an account with access to your CyberArk PIM Suite environment.

password={value}

(Required for new vault) The password for an account with access to your CyberArk PIM Suite environment.

HashiCorp

 

url={value}

(Required) The HTTP or HTTPS URL to access the HashiCorp Vault HTTP API.

api_version={value}

(Optional) The HashiCorp Vault HTTP API version. This is v1 by default, which is the only supported version.

ssl_verify={0|1}

(Optional) When set to 1 (the default), our service will verify the SSL certificate of the web server to make sure the certificate is valid and trusted. When set to 0, our service will not verify the certificate of the web server.

auth_type={value}

(Required to create vault, optional to update vault) HashiCorp Vault API supports three authentication types. First choose the authentication method you want to use (Username/Password, Cert or App Role) and then provide login credentials for authenticating to the vault server via the HashiCorp Vault HTTP API.

Valid authentication values for API are: userpass, cert and approle.

auth_type={userpass}

Choose this authentication method to authenticate to the vault server with a username and password combination. auth_type={userpass} supports 3 parameters: path, username, password.

path={value}

(Optional) The path for the Username/Password authentication method. The default path is auth/userpass but you can specify a custom path like auth/my-path.

username={value}

(Required to create and update vault) The user account that can access the vault server.

password={value}

(Required to create and update vault) The password for the user account.

auth_type={cert}

Choose this authentication method to authenticate to the vault server using SSL/TLS client certificates which are either signed by a CA (Certificate Authority) or self-signed. CA certificates are associated with a role name.

auth_type={cert} supports 5 parameters: path, role_name, cert, private_key, passphrase.

path={value}

(Optional) The path for the Cert authentication method. The default path is auth/cert but you can specify a custom path like auth/my-path.

role_name={value}

(Required to create and update vault) The role associated with the CA certificate.

cert={value}

(Required to create and update vault) The client certificate for authentication. Enter the certificate block after the key block and be sure to include the first and last line (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).

For a create/update request, if the cert parameter is specified, then the private_key parameter must also be specified.

private_key={value}

(Required to create and update vault) The private key for authentication. Copy the contents of the private key file (id_rsa) and be sure to include the first and last line (-----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----).

passphrase={value}

(Optional) The private key passphrase, if the private key is encrypted.

auth_type={approle}

Choose the App Role authentication method to authenticate to the vault server with a vault-defined role. auth_type={approle} supports 3 parameters: path, role_id, secret_id.

path={value}

(Optional) The path for the App Role authentication method. The default path is auth/approle but you can specify a custom path like auth/my-path.

role_id={value}

(Required to create and update vault) The role ID of the App Role you want to use for authentication.

secret_id={value}

(Optional) The secret ID of the App Role you want to use for authentication.
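The HashiCorp parameter set depends on auth_type, so a settings dictionary can be linted before it is submitted. The following is an added example, not vendor code: `lint_hashicorp` is a hypothetical helper, and its choices to reject parameters not listed for the chosen auth_type, to accept RSA/ENCRYPTED PEM header variants, and to warn on a non-HTTPS URL or ssl_verify=0 are assumptions of the example rather than documented API behaviour.

```python
import re
from urllib.parse import urlsplit

# Parameters per auth_type, as listed in the HashiCorp section above.
REQUIRED = {"userpass": {"username", "password"},
            "cert": {"role_name", "cert", "private_key"},
            "approle": {"role_id"}}
OPTIONAL = {"userpass": {"path"},
            "cert": {"path", "passphrase"},
            "approle": {"path", "secret_id"}}
COMMON = {"url", "api_version", "ssl_verify", "auth_type"}
PEM = {"cert": "CERTIFICATE", "private_key": "PRIVATE KEY"}


def lint_hashicorp(params, creating=True):
    """Return (errors, warnings) for a dict of HashiCorp vault settings."""
    errors, warnings = [], []
    given = set(params)
    auth = params.get("auth_type")
    if "url" not in given:
        errors.append("url is required")
    elif urlsplit(params["url"]).scheme != "https":
        # Hardening check added by this example: the page also accepts HTTP.
        warnings.append("url is not HTTPS; vault credentials cross the network in clear text")
    if params.get("api_version", "v1") != "v1":
        errors.append("api_version must be v1")
    ssl_verify = str(params.get("ssl_verify", "1"))  # documented default is 1
    if ssl_verify not in ("0", "1"):
        errors.append("ssl_verify must be 0 or 1")
    elif ssl_verify == "0":
        warnings.append("ssl_verify=0 disables certificate verification")
    if auth is None:
        if creating:
            errors.append("auth_type is required to create a vault")
    elif auth not in REQUIRED:
        errors.append("auth_type must be userpass, cert or approle")
    else:
        for name in sorted(REQUIRED[auth] - given):
            errors.append(f"{name} is required for auth_type={auth}")
        for name in sorted(given - COMMON - REQUIRED[auth] - OPTIONAL[auth]):
            errors.append(f"{name} is not listed for auth_type={auth}")
    for name, label in PEM.items():
        # Assumption: header variants such as "RSA PRIVATE KEY" are accepted.
        pattern = rf"-----BEGIN [A-Z ]*{label}-----.+-----END [A-Z ]*{label}-----"
        if name in given and not re.search(pattern, params[name], re.S):
            errors.append(f"{name} must include its BEGIN and END {label} lines")
    return errors, warnings
```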

Hitachi ID PAM

 

url={value}

(Required for new vault) The HTTP or HTTPS URL of the Hitachi ID PAM webservices.

username={value}

(Required for new vault) The username (ID) for the Hitachi ID PAM user account. To allow Qualys scanners to connect using this account, this user must have the following settings under Administrator information in the Hitachi ID Management Suite: 1) the privilege “OTP IDAPI caller” and 2) the value entered in the “IP address with CIDR bitmask” field must include the Qualys scanner IP addresses.

password={value}

(Required for new vault) The password for the Hitachi ID PAM user account.

ssl_verify={1|0}

(Required for new vault) When set to 1, our service will verify the SSL certificate of the web server to make sure the certificate is valid and trusted. When set to 0, our service will not verify the certificate of the web server.

Lieberman ERPM

 

url={value}

(Required for new vault) The HTTP or HTTPS URL of the Lieberman ERPM server.

domain={value}

(Optional) A domain name if your Lieberman ERPM server is part of a domain.

username={value}

(Required for new vault) The username for the Lieberman ERPM server account.

password={value}

(Required) The password for the Lieberman ERPM server account.

ssl_verify={1|0}

(Required for new vault) When set to 1, our service will verify the SSL certificate of the web server to make sure the certificate is valid and trusted. When set to 0, our service will not verify the certificate of the web server.

Quest Vault

 

server_address={value}

(Required for new vault) The IP address of the vault server, Quest One Privileged Password Manager.

port={value}

(Optional) The listening port of the vault server. For a new vault the port is set to 22 by default, if the port parameter is not specified.

username={value}

(Required for new vault) The username to be used for SSH authentication. We recommend you create a dedicated user account for Qualys scanning. Using Quest/Dell 2.4 or higher, enter the key for the API user account you've created for use with our service. We support both API and CLI keys but recommend use of an API key.

access_key={value}

(Required for new vault) The DSA private key in PEM format for SSH authentication.

Thycotic Secret Server

 

url={value}

(Required for new vault) The HTTP or HTTPS URL of the Secret Server webservices. The URL may contain a maximum of 256 characters, and must not contain multibyte characters.

username={value}

(Required for new vault) The username for a Secret Server user. This user must have access to the secret names to be used for authentication.

password={value}

(Required for new vault) The password for a Secret Server user.

domain={value}

(Optional) Specify a fully qualified domain name if Secret Server is integrated with Active Directory. The domain may contain a maximum of 128 characters, and must not contain any multibyte characters.

Wallix AdminBastion (WAB)

 

url={value}

(Required) The HTTP or HTTPS URL to access the WAB web services API.

ssl_verify={0|1}

(Optional) When set to 1 (the default), our service will verify the SSL certificate of the web server to make sure the certificate is valid and trusted. When set to 0, our service will not verify the certificate of the web server.  

username={value}

(Required) The user account that can call the WAB web services API.

password={value}

(Optional) The password for the user account that can call the WAB web services API.

For a create request, you must specify password or appkey. Both parameters cannot be specified in the same request.

appkey={value}

(Optional) Your WAB REST API key (alpha-numeric value) for connecting to the WAB web services API.

- Do not include leading or trailing periods or spaces.

- These characters are not allowed: \ / : * ? " < > |

- UTF-8 multibyte characters are not allowed.

For a create request, you must specify password or appkey. Both parameters cannot be specified in the same request.