Configuring the Tenable.sc connector


As an administrator, you can configure the Tenable.sc connector to integrate Automation Console with Tenable.sc. Tenable.sc is a comprehensive vulnerability management solution that provides complete visibility of the security risks across your IT infrastructure. With this integration, Automation Console can retrieve the vulnerability scan results from multiple Tenable.sc instances and process the vulnerabilities to map the remediation content. You can then create operations to remediate vulnerabilities. 

After you configure and run this connector, the scan files containing the Tenable.sc assets and vulnerabilities are automatically imported into Automation Console.

Before you begin

Make sure that the following prerequisites are met:

  • One or more configured Tenable.sc instances are running in your environment.
  • The API keys are generated for your user account in Tenable.sc. The connector uses these keys to authenticate with the Tenable.sc APIs. For more information, see Generate API keys.

  • Before running the connector, ensure that the connector is installed and run on Windows or Linux operating systems that match the following criteria:
    • AdoptOpenJDK Runtime Environment 17 is installed on the connector host.

    • Port requirements:

      Port                               Protocol  From               To                     Notes
      ---------------------------------  --------  -----------------  ---------------------  --------
      443                                HTTPS     Connector          HAC SaaS and Internet  Outbound
      443 OR <Customer configured port>  HTTPS     Connector          Tenable.sc Server      Outbound
      443                                HTTPS     Tenable.sc Server  Connector              Inbound

      • The connector's outbound port 443 should be open to the ifm URL specified in the creds.json file in the <connectorDirectory>/config/ folder. For example:

        "endpoints": {
            "ifm": "https://<url>"
        }

To configure the Tenable.sc connector

  1. In BMC Helix Automation Console, click Configuration and then click Connectors.
  2. On the Manage Connectors page, click Add Connector.
  3. On the Add Connector page, from the list of available Connector types, select Tenablesc Connector.
  4. Click Add Configuration.
  5. On the Add configuration page, perform the following steps:
    1. In the Connector details section, provide the following details:
      1. Specify a unique name and an optional description for the configuration.
      2. (optional) In the Admin Security Group field, specify one or more admin security groups (comma-separated list) that can access the scan results. If no security group is specified, all the admin security groups can access the scan files imported from Tenable.sc.

        Important

        If you have both TrueSight Server Automation and TrueSight Network Automation endpoints, specify the name of the appropriate security group. If you specify a non-admin security group, Automation Console does not fetch any data from Tenable.sc.

    2. In the Connector Configuration section, do the following:
      1. In the Endpoint URL field, specify the URL to connect to Tenable.sc.
      2. In the Fetch Data From field, specify the number of days for which you want to fetch the scan results.

    3. In the Authentication Details section, specify the access and secret keys to authenticate with the Tenable.sc API.
    4. In the Tenable.sc Query ID field, provide the ID that you generated in the Tenable scanner to filter data. You can also specify the Tenable queries along with the ID (comma-separated values). For example, a query with Type = Vulnerability and Tool = Vulnerability List. We recommend creating a separate configuration for each query ID.
      For more information, see Queries.

    5. (optional) If the Tenable.sc server is configured to use SSL certificate authentication, provide the certificate name (.pfx only) and the certificate export password in the Client Certificate Authentication Details section.
      Ensure that the certificate is present at the following location:

      <connector_directory>\certs

      The connector checks this location for the certificate while communicating with the Tenable.sc server.

    6. In the Auto-close vulnerabilities section, select the Enable Auto-close check box to enable the system to automatically close vulnerabilities that were fixed in the previous scan and are no longer present in the subsequent scan.
      Important: If you select the Enable Auto-close check box, Tenable.sc-specific APIs are used to auto-close VATs retrieved from the scanner connector.
  6. Save the changes.
    The newly added configuration is listed in the Configurations table.
  7. If you have multiple Tenable scanners in your environment, repeat steps 4 to 6.
  8. Click Continue and download the connector zip file on a local host. 
  9. On the server where the connector file is downloaded and extracted, go to the connector location, and run the following command to install and start the connector: 

    • Windows: run.bat
    • Linux: run.sh

    The connector starts running successfully. You can view the connector status on the Connectors page.

  10. (Optional) To configure the Tenable.sc connector as a service, perform the following steps:
    1. Make sure the tenable-connector.xml file is available in the folder where the connector zip file is unzipped.
    2. Run the tenable-connector.exe install command. 
    3. A new service with the name BMC Tenable Connector is created on the host and can be used as any other available service.
  11. On the Manage Connectors page, in the Configuration Schedule section, specify a frequency at which you want to run the connector, and save the schedule.

    Important

    The minimum duration for data collection between the consecutive schedules is 10 minutes.

Vulnerability scan files are created with the specified configuration names. Automation Console processes each configuration sequentially.

To update the connector

To make changes to the connector, do the following:

  1. On the Manage Connectors page, click Action against the Tenablesc connector and then click Disable.
  2. Click Action against the Tenablesc connector and then click Edit.
  3. The available configurations are displayed. To quickly locate the required configuration, search or sort the configurations by the various columns, such as Status and Vendor.
  4. Edit the information according to your requirements and click Update.

Important

As an administrator, you must perform the following steps after updating the connector:

  1. From the BMC Helix Automation Console UI, click Configuration and then click Connectors.
  2. Click Action against the Tenablesc connector and then click Download.
  3. Click Action against the Tenablesc connector and then click Enable.

To enable debug mode

Best practice
We recommend that you do not modify any other configuration files available in the /config directory. However, you can enable the debug mode on the connector to obtain detailed logging information.

  1. If the connector is already running, press CTRL+C twice to stop it.
  2. Go to <ConnectorLocation>/config, open the application.properties file, add the following parameter, set it to debug, and save the file:

    #
    #Logging related Properties
    logging.level.com.bmc.truesight.tenableconnector=debug
  3. Restart the connector.

To enable web proxy support

After configuring the Tenable.sc connector, perform the following steps to enable web proxy support:

  1. Download the connector.
  2. Download the proxy certificate .der file. Make sure the .der file is imported into the cacerts of the connector machine and the .jks file used for Helix Single Sign-On (HSSO).
  3. If the proxy is HTTPS-enabled, download and import the certificate of the proxy server into the cacerts file of the connector machine:
    keytool -importcert -file "<file name>" -keystore "<path_to_java_installation_dir>\lib\security\cacerts" -alias "<name>"
  4. Navigate to the application.properties file of the connector and provide the following information:
    • proxyHost=bcx-pun-xxxxx.bmc.com
    • proxyPort=3129
    • proxyProtocol=https
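
The following Python check is an added example, not part of the BMC documentation or the connector's own code. It reads the contents of the two files this page names, creds.json and application.properties, and reports the outbound HTTPS destination to allow through the firewall together with settings worth reviewing: debug logging left enabled, a partially filled proxy block, and an HTTPS proxy whose certificate must be in cacerts. The sample file contents are constructed, the properties parser is simplified to key=value lines, and treating the three proxy keys as required together is an assumption drawn from the list above.

```python
import json
from urllib.parse import urlsplit

DEBUG_KEY = "logging.level.com.bmc.truesight.tenableconnector"  # key from this page

# Constructed sample input: hosts and values are made up for the example.
SAMPLE_CREDS = '{"endpoints": {"ifm": "https://ifm.example.invalid"}}'
SAMPLE_PROPS = f"""#Logging related Properties
{DEBUG_KEY}=debug
proxyHost= proxy.example.invalid
proxyProtocol=https
"""


def parse_properties(text):
    """Simplified .properties parser: key=value lines, # or ! comments."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith(("#", "!")):
            props[key.strip()] = value.strip()
    return props


def ifm_target(creds_text):
    """Return (host, port) of endpoints.ifm, the outbound HTTPS destination."""
    url = json.loads(creds_text)["endpoints"]["ifm"]
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"ifm endpoint is not an https URL: {url!r}")
    return parts.hostname, parts.port or 443


def audit(creds_text, props_text):
    """Return the outbound firewall target and findings for one connector."""
    props = parse_properties(props_text)
    findings = []
    if props.get(DEBUG_KEY, "").lower() == "debug":
        findings.append("debug logging is enabled")
    proxy = [props.get(k, "") for k in ("proxyHost", "proxyPort", "proxyProtocol")]
    if any(proxy) and not all(proxy):
        findings.append("proxy settings are incomplete")
    if proxy[2].lower() == "https":
        findings.append("https proxy: confirm its certificate is in cacerts")
    return {"outbound": ifm_target(creds_text), "findings": findings}


if __name__ == "__main__":
    print(audit(SAMPLE_CREDS, SAMPLE_PROPS))
```

To check a real connector host, pass the text of <connectorDirectory>/config/creds.json and <connectorDirectory>/config/application.properties to audit() in place of the samples.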

Troubleshooting

If you encounter any issues while fetching data from Tenable.sc, the Connector tile on the Manage Connectors page shows the name of the configuration with an error, and the related exceptions are logged in the log file. To troubleshoot these issues, see Troubleshooting-connectors.

 

 
