Static Tokens

Using the integration between Connection Manager and Vault with static field lookups

Static Tokens

Connection Manager supports configuring custom static tokens which can correspond to a specific field of a specific Keeper Vault record contained within the Shared Folder. These static tokens must be specified in either the Docker compose or directly in the guacamole configuration file, depending on the installation method of the platform. In most cases, the Dynamic Tokens are a preferable method of integration.

Auto Docker Install Method

If you installed Keeper Connection Manager using the Auto Docker Install method, you will need to modify the auto-generated Docker Compose file to define your static tokens.

As root, edit the /etc/kcm-setup/docker-compose.yml file.

Edit the "environment" section underneath the "guacamole" docker image. Insert an environmental variable called KSM_TOKEN_MAPPING that includes a multi-line definition of your custom tokens. In the example below, there are 3 custom tokens for specific fields within the Keeper vault shared folder. The token syntax is using Keeper Notation.

    guacamole:
        image: xxx
        restart: unless-stopped
        volumes:
            - common-storage:/var/lib/guacamole
        environment:
            ACCEPT_EULA: "Y"
            GUACD_HOSTNAME: "guacd"
            MYSQL_HOSTNAME: "db"
            MYSQL_DATABASE: "guacamole_db"
            MYSQL_USERNAME: "guacamole_user"
            MYSQL_PASSWORD: "xxxxxxx"
            KSM_CONFIG: "xxxxxxx"
            KSM_TOKEN_MAPPING: |
                MY_CUSTOM_SECRET: keeper://cps2OgKHpFQ8Ye30L9587w/field/password
                MY_OTHER_CUSTOM_SECRET: keeper://sS6jDVv0HoM0yGMU4OaOAw/file/linuxssoconnect.pem
                RDP_INITIAL_PROGRAM: keeper://cps2OgKHpFQ8Ye30L9587w/custom_field/program

Once the file changes have been saved, update the containers:

$ sudo ./kcm.run upgrade

Docker Compose Install Method

Edit your docker-compose.yml file. Look for the "guacamole" docker image and the "environment" section which defines environmental variables.

Insert an environmental variable called KSM_TOKEN_MAPPING that includes a multi-line definition of your custom tokens. In the example below, there are 3 custom tokens for specific fields within the Keeper vault shared folder. The token syntax is using Keeper Notation.

    guacamole:
        image: xxx
        environment:
            ACCEPT_EULA: "Y"
            GUACD_HOSTNAME: "guacd"
            MYSQL_HOSTNAME: "db"
            MYSQL_DATABASE: "guacamole_db"
            MYSQL_USERNAME: "guacamole_user"
            MYSQL_PASSWORD: "xxxxxxx"
            KSM_CONFIG: "xxx"
            KSM_TOKEN_MAPPING: |
                MY_CUSTOM_SECRET: keeper://cps2OgKHpFQ8Ye30L9587w/field/password
                MY_OTHER_CUSTOM_SECRET: keeper://sS6jDVv0HoM0yGMU4OaOAw/file/linuxssoconnect.pem
                RDP_INITIAL_PROGRAM: keeper://cps2OgKHpFQ8Ye30L9587w/custom_field/program

Once the file changes have been saved, update the containers:

sudo su
docker-compose up -d

Custom Token Usage

When using custom tokens, the records can be setup in any way. Keeper notation in the mapping file can identify any specified field.

The tokens can then be used with the ${XXX} format within the Connection Manager parameters screen. A couple of examples are seen below:

The records must be in the shared folder that your Secrets Manager Application has access to.

Last updated