Example guide for setting up WinRM on target machines
Customers are responsible for the configuration of their servers and environments. For reference and testing, the below PowerShell script can be run on a target machine to enable WinRM with a self-signed certificate. We recommend creating a certificate with a public CA in your production environment.
Below is a breakdown of what this script performs to configure WinRM on a Windows machine:
Set the network connection profile to Private:
Configure and enable WinRM:
Allow non-SSL (unencrypted) traffic on port 5985:
Create a self-signed SSL certificate for encrypted traffic on port 5986:
Create Windows Firewall rules to allow inbound traffic on ports 5985 (non-SSL) and 5986 (SSL):
After running this script, WinRM will be configured to allow both unencrypted (port 5985) and encrypted (port 5986) remote connections. Additionally, Windows Firewall rules will be created to allow inbound traffic on these ports.
From a Windows server, you can test the connectivity to the target machine through PowerShell:
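The following is an added example written for this page, not Keeper's own script, that carries out the five steps in the breakdown above and then runs the connectivity test from a second Windows host. The host name `target01.example.local` and the firewall rule display names are assumptions; run it in an elevated PowerShell session on the target machine.

```powershell
# Added example (not Keeper's script). Run elevated on the target machine.
# Assumed values: the firewall rule names and $TargetHost below.

# 1. Set the network connection profile to Private.
#    Enable-PSRemoting refuses to run while any adapter is on a Public profile.
Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Public' } |
    Set-NetConnectionProfile -NetworkCategory Private

# 2. Configure and enable WinRM. This creates the HTTP listener on 5985.
Enable-PSRemoting -Force

# 3. Allow non-SSL (unencrypted) traffic on 5985, as the breakdown lists.
#    The HTTPS listener created in step 4 is the one to rely on in production.
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $true

# 4. Self-signed certificate for the machine name, bound to an HTTPS listener on 5986.
#    In production, replace $cert with a certificate issued by a public CA, as the text recommends.
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force

# 5. Windows Firewall rules for 5985 (non-SSL) and 5986 (SSL).
New-NetFirewallRule -DisplayName 'WinRM HTTP (5985)'  -Direction Inbound -Protocol TCP -LocalPort 5985 -Action Allow
New-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow

# Connectivity test, run from another Windows server. $TargetHost is an assumed name.
$TargetHost = 'target01.example.local'
Test-WSMan -ComputerName $TargetHost            # port 5985
Test-WSMan -ComputerName $TargetHost -UseSSL    # port 5986; fails certificate validation until the client trusts the self-signed cert

# Full round trip over HTTPS. SkipCACheck/SkipCNCheck are only needed for the self-signed
# certificate; drop them once a public-CA certificate is installed.
$opts = New-PSSessionOption -SkipCACheck -SkipCNCheck
Invoke-Command -ComputerName $TargetHost -UseSSL -SessionOption $opts `
    -Credential (Get-Credential) -ScriptBlock { hostname }
```

The last command is the useful check: a successful `Test-WSMan` only proves the listener answers, while `Invoke-Command` confirms that the account the gateway will use can actually authenticate and execute over 5986.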
Complete list of the devices and accounts Keeper can access and rotate
After enabling Rotation, you will have access to new PAM record types:
PAM User Contains a login / password, private key, or both.
PAM Directory Information about your on-prem or cloud-based directory
PAM Database Self-hosted or managed cloud-based databases such as MySQL, SQL Server, etc.
PAM Machine Windows, Linux, macOS machines on-prem or in the cloud
PAM Configuration Information on your network
On the Keeper Vault, these record types contain the relevant credential and/or configuration information for the Provider, Resource, or User.
When Rotation is triggered, the credentials defined on the PAM User and/or PAM Directory, Database, Machine will be changed to new credentials. After rotation is complete, the updated credentials will be reflected on the remote Resource and on the Vault Record.
For detailed information on how each of the PAM record types can be configured, visit the following:
Example guide for setting up SSH on target machines
Customers are responsible for the configuration of their servers and environments.
Secure Shell (SSH) allows confidential and authenticated remote access to a computer. SSH traffic is fully encrypted and, by default, runs on port 22. For reference and testing, see below for instructions and guidance on enabling SSH for your target operating system.
Linux requires the SSH daemon to be running in order to accept SSH connections. Most Linux distributions will have the OpenSSH server installed, but may not have the service enabled. The service needs to be enabled, started, and added to the list of services to be started upon reboot.
To verify that ssh is running on your Linux system, invoke the following command:
If ssh is not running, you may need to install OpenSSH and/or enable ssh. The following commands demonstrate this on Ubuntu:
Note:
You may need sudo permissions to install and enable ssh.
The installation command may differ based on your Linux distribution.
SSH is normally not installed on Windows. However, SSH can easily be installed via Windows capability packages, which are maintained by Microsoft. The following PowerShell script will 1) install SSH, 2) start the SSH service and make sure it starts with each reboot, and 3) make sure the firewall allows SSH connections:
Windows SSH can default to either PowerShell or CMD. Keeper Rotation uses PowerShell commands. If the default shell is CMD, Keeper Rotation will invoke rotation commands via PowerShell Invoke-Command -ScriptBlock { COMMANDS }. To change the default shell to PowerShell, invoke the following PowerShell command:
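The following is an added example, written for this page rather than taken from Keeper's guide, that performs the three steps described above on Windows and then sets PowerShell as the default shell. The capability name, firewall rule name and `DefaultShell` registry value are the ones Microsoft documents for Windows OpenSSH; run it in an elevated PowerShell session.

```powershell
# Added example (not Keeper's script). Run elevated on the Windows machine.

# 1. Install the OpenSSH Server capability (Windows Server 2019 / Windows 10 1809 and later).
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

# 2. Start sshd now and make it start with each reboot.
Start-Service sshd
Set-Service -Name sshd -StartupType Automatic

# 3. Make sure the firewall allows inbound SSH. The installer normally creates this rule;
#    create it only if it is missing, so the check is idempotent.
if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
}

# Make PowerShell the default shell for SSH sessions, so rotation commands run directly
# instead of being wrapped in Invoke-Command from CMD.
New-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell `
    -Value 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -PropertyType String -Force

# Verify: service running and set to Automatic, port 22 listening, default shell recorded.
Get-Service sshd | Select-Object Status, StartType
Get-NetTCPConnection -LocalPort 22 -State Listen
Get-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell
```

The verification lines at the end are what to capture when a rotation against a Windows host fails over SSH: a stopped service, a missing listener on 22, or a `DefaultShell` that still points at CMD each produce different errors on the gateway side.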
SSH is installed on macOS but is usually not turned on.
To enable it via the UI, enable Remote Login on the General->Sharing panel.
To enable it via the command line, invoke the following command:
Note:
you will require Full Disk Access privileges for this command line method.
Defining alternative ports in PAM Configurations
Rotation relies on the port field in resource records to determine its connection method.
For example, in a PAM Machine record, port 22 tells the gateway to use SSH, port 5985 for WinRM (http) and port 5986 for WinRM (https).
The expected standard ports are listed in the following table.

Resource Type | Connection Type | Standard Port |
---|---|---|
PAM Machine | SSH | 22=ssh |
PAM Machine | WinRM | 5986=winrm |
PAM Directory | Active Directory | 636=ldaps |
PAM Directory | OpenLDAP | 636=ldaps |
PAM Database | Postgresql | 5432=postgresql |
PAM Database | MySQL | 3306=mysql |
PAM Database | MariaDB | 3306=mariadb |
PAM Database | Microsoft SQL | 1433=mssql |
PAM Database | Oracle | 1521=oracle |
PAM Database | MongoDB | 27017=mongodb |

To use a non-standard port, specify the alternative port in two places:
In the PAM Configuration port mapping field, enter {port}={connection}, for example, 32636=ldaps. For {connection}, refer to the labels under Standard Port in the standard ports table.
In the PAM Machine/Directory/Database record, enter the chosen port in the port field.
For example, to connect to a MySQL database using port 3307, your PAM Configuration should have 3307=mysql under port mapping, and your PAM Database record should reference port 3307.
Multiple port mappings are comma-separated in the PAM Configuration.
Details regarding the PAM Configuration record
When creating a PAM Configuration record, you have the option of choosing one of the following environments:
Local Network
AWS
Azure
The following table provides more details on each configurable field in the PAM Configuration record, regardless of the environment you choose:

Field | Description | Notes |
---|---|---|
Title | Name of PAM configuration record | Ex: |
Gateway | The configured gateway | |
Application Folder | The shared folder that contains the PAM records | |
Administrative Credential Record | The administrative credential record with sufficient permissions to rotate credentials | This is your PAM Machine, PAM Database or PAM Directory record |
Default Rotation Schedule | Specify frequency of Rotation | Ex: |
Port Mapping | Type of Connection method | Ex: 3307=mysql |

The following tables provide more details on each configurable field in the PAM Network Configuration record, based on the environment you chose:

Local Network
Field | Description | Notes |
---|---|---|
Network ID | Unique ID for the network | This is for the user's reference. Ex: |
Network CIDR | Subnet of the IP address | Ex: 192.168.0.15/24 |

AWS
Field | Description | Notes |
---|---|---|
AWS ID | A unique id for the instance of AWS | Required. This is for the user's reference. Ex: |
Access Key ID | From an IAM user account, the Access key ID from the desired Access key. | Optional |
Secret Access Key | The secret key for the access key. | Optional, Masked |
Region Names | AWS region names | Ex: |

Azure
Field | Description | Notes |
---|---|---|
Azure ID | A unique id for your instance of Azure | Required. This is for the user's reference. Ex: |
Client ID | The application/client id (UUID) of the Azure application | Required |
Client Secret | The client credentials secret for the Azure application | Required |
Subscription ID | The UUID of the subscription (i.e. Pay-As-You-Go). | Required |
Tenant ID | The UUID of the Azure Active Directory | Required |
Resource Groups | A list of resource groups to be checked. If left blank, all resource groups will be checked | |

Record Type Details for PAM Machine, Database, and Directory
When Keeper Rotation is activated on a Keeper account, Rotation record types are added to the account. Records created using these types facilitate record rotation.
The following are the supported configurations for the record type associated with each Device or Account type:
The following tables provide more details on each configurable field in PAM Machine, PAM Database, and PAM Directory records:
Resource Type | Sub-type | Record Type |
---|---|---|
Database | MySQL, MySQL Flexible | PAM Database |
Database | PostgreSQL, PostgreSQL Flexible | PAM Database |
Database | SQL Server | PAM Database |
Database | Mongo | PAM Database |
Database | MariaDB | PAM Database |
Machine | Windows, macOS, Linux | PAM Machine |
Machine | EC2 Instance | PAM Database |
Machine | Azure VM | PAM Database |
Directory | Active Directory | PAM Directory |
Directory | OpenLDAP | PAM Directory |

PAM Machine
Field | Description | Notes |
---|---|---|
Hostname or IP Address | Address of the machine resource | Required |
Port | Port to connect on. The Gateway uses this to determine connection method. | Must be a port for SSH or WinRM. Keeper expects 22, 5985, 5986, or an alternative port for SSH or WinRM specified in the PAM Configuration port mapping |
Login | Admin account username | |
Password | Password for admin account | If Port is 22, or an alternative port mapped to ssh, a private PEM key can be used instead |
Private PEM Key | PEM Key for ssh connection (optional) | The key takes precedence if both a key and password are provided |
OS | Operating System | For human reference only. Operating system is detected during rotation |
SSL Verification | Verify certificate of host when connecting with SSH | |
Instance Name | Azure or AWS Instance Name | Not used for rotation |
Instance Id | Azure or AWS Instance ID | Not used for rotation |
Provider Group | Provider Group for directories hosted in Azure | Not used for rotation |
Provider Region | AWS region of hosted directory | Not used for rotation |

PAM Database
Field | Description | Notes |
---|---|---|
Hostname or IP Address | Address of the Database Resource | Required |
Port | Port to connect on. The Gateway uses this to determine connection method. | A Port must be provided. Standard ports are: PostgreSQL: 5432, MySQL: 3306, MariaDB: 3306, Microsoft SQL: 1433, Oracle: 1521, MongoDB: 27017 |
Use SSL | Use SSL when connecting | |
Login | Admin account username | |
Password | Admin account password | |
Connect Database | Database to connect to (Postgres only) | Required for connecting to Postgres, MongoDB, and MS SQL Server |
Database Id | Azure or AWS Resource ID | Required for AWS and Azure rotations |
Database Type | Appropriate database type from supported databases. | If a non-standard port is provided, the Database Type will be used to determine connection method. |
Provider Group | Azure or AWS Provider Group | Required for Azure rotations |
Provider Region | Azure or AWS Provider Region | Required for AWS rotations |

PAM Directory
Field | Description | Notes |
---|---|---|
Hostname or IP Address | Address of the directory resource | Required |
Port | Port to connect on | Typically 389 or 636 (LDAP/LDAPS) |
Use SSL | Use SSL when connecting | |
Login | Username of domain account with rotation privilege | Example: "administrator" |
Password | Domain account password | Password is masked |
Distinguished Name | Distinguished name of the domain login provided above | Example: CN=Jeff Smith,OU=Sales,DC=demo,DC=COM. If left blank, defaults are attempted depending on the provider type |
Directory ID | Instance ID for AD resource in Azure and AWS hosted environments | Required for Azure Active Directory and AWS Directory Service. AWS Example: "d-9a423d0d3b" |
Directory Type | Directory type, used for formatting of messaging | Must be Active Directory or OpenLDAP |
Domain Name | Domain managed by the directory | Example: some.company.com |
Provider Group | Provider Group for directories hosted in Azure | Required for directories hosted in Azure |
Provider Region | AWS region of hosted directory | Required for directories hosted in AWS. Example: us-east-2 |
Steps to create a Keeper Secrets Manager application for rotation of passwords
Prior to working with Rotation, you need to create a KSM application. For more information on KSM, visit:
In the Keeper Web Vault or Desktop App user interface, create a shared folder. This shared folder will contain the PAM records you will create as you are working through the use-case guides.
Navigate to the "Secret Managers" tab on the left and click on "Create Application" to create a KSM application
In the prompted window:
Enter the name of your KSM application
Choose the shared folder you have created in Step 1
Set the Record Permissions for Application to "Can Edit"
Click on "Generate Access Token" and then click on "OK"
You can safely ignore the first One-Time Access Token generated for the newly created KSM application. When creating a Keeper Gateway device, a different One-Time Access Token will be created.
Granting a service account the minimum permissions to rotate
When creating a PAM Directory Resource, it is recommended that you use a service account with the least required privileges to perform rotation.
The following steps show you how to enable a service account to rotate credentials using Active Directory's Delegation of Control feature.
Before starting, create a service account for password rotation whose credentials you will store in the Keeper resource record.
Launch Active Directory Users and Computers
In the directory tree, select a node for which password rotation should be allowed.
Right-click on the node, then click Delegate Control.
In the Delegation of Control Wizard, click 'Add'.
Locate your chosen service account, then click 'OK'.
Click 'Next' to advance to permission selection.
In 'Delegate the following common tasks', check the option for 'Reset user passwords and force password change at next logon', then click 'Next'.
Add the service account's login and password to the Resource Record for the AD instance.
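The wizard steps above can also be expressed as two `dsacls` grants, which is useful when the delegation has to be scripted or audited. The following is an added example, not part of Keeper's guide: the OU distinguished name and the service account name are assumptions, and the permission strings follow the documented `<account>:<rights>;<object or attribute>;<inherited object type>` form that `dsacls /G` accepts. Run it as a user who can modify the OU's security descriptor.

```powershell
# Added example (not from Keeper's guide). Assumed values: $ou and $svc.
$ou  = 'OU=Rotated Accounts,DC=demo,DC=com'   # the node chosen in step 2 of the wizard
$svc = 'DEMO\svc-keeper-rotate'                # the service account created before starting

# The common task 'Reset user passwords and force password change at next logon' grants two
# rights on user objects beneath the OU:
#   - the Reset Password control-access right (CA)
#   - read and write (RPWP) on the pwdLastSet attribute, which is what "force change at next
#     logon" sets
# /I:S places the ACE on child objects only, so the OU object itself gains no new rights.
dsacls $ou /I:S /G "${svc}:CA;Reset Password;user"
dsacls $ou /I:S /G "${svc}:RPWP;pwdLastSet;user"

# Review the result: only ACEs for the service account, and only those two rights, should appear.
dsacls $ou | Select-String -SimpleMatch $svc
```

Keeping the grant to these two rights on a single OU, rather than adding the account to Domain Admins or Account Operators, bounds what the credential stored in the PAM Directory record can do if it is ever exposed, and the `Select-String` review is the line to re-run periodically to confirm the delegation has not drifted.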
Managing rotation with the Commander CLI / SDK interface
Keeper Commander commands have been created to automate and manage the Keeper PAM capabilities including:
Managing Gateways
Managing PAM Configurations
Managing Password Rotation and Discovery
Managing jobs
Keeper rotation event reporting in the Advanced Reporting & Alerts module
A new set of Keeper Rotation events are included in the Advanced Reporting & Alerts module within the Keeper Admin Console.
For the following events, two status codes are included in the status message: one for Rotation, and one for Post-Rotation (if applicable).
If no post-rotation script is present, the event status reflects rotation only.
If multiple post-rotation scripts are present, a success event is generated only if all scripts complete execution without errors.
To receive immediate feedback on any rotation related events, Keeper's "Alerts" capability can push these events to email, SMS, webhooks, Slack, Teams, etc.
For more information see the .
In addition, Rotation leverages existing . For example, when a Gateway is registered, the app_client_added event is generated.
Rotation events:

Event | Description |
---|---|
event_record_rotation_scheduled_ok | A scheduled rotation has completed successfully |
event_record_rotation_scheduled_fail | A scheduled rotation has encountered an error in either rotation or post-rotation |
event_record_rotation_on_demand_ok | An on-demand rotation has completed successfully |
event_record_rotation_on_demand_fail | An on-demand rotation has encountered an error in either rotation or post-rotation |

PAM Configuration and rotation settings events:

Event | Description |
---|---|
event_pam_configuration_created | PAM Configuration has been created |
event_pam_configuration_updated | PAM Configuration has been modified |
event_pam_configuration_deleted | PAM Configuration has been deleted |
event_record_rotation_created | Rotation settings have been added to a record |
event_record_rotation_updated | Rotation settings have been modified on a record |
event_record_rotation_disabled | Rotation settings have been removed from a record |

To learn more about the Keeper Advanced Reporting & Alerts module .
PAM User
Field | Description | Notes |
---|---|---|
Login | Username; exact context depends on associated resource | Required |
Password | Password of the user | Can be rotated |
Private PEM Key | PEM Key associated with user | Can be rotated |
Distinguished Name | Distinguished name; used if associated with a directory | Required when the User is managed by a directory |
Managed User | Flag for accounts that are managed by the AWS or Azure IAM systems | If this is checked, Keeper will skip rotation for this user. This is a planned feature to support account discovery and will not be automatically populated by Keeper at this time. |