1 of 100

Keeper Connection Manager

Overview

Instantly access your infrastructure with zero-trust security.

Keeper Connection Manager

Keeper Connection Manager (KCM) is a self-hosted, agentless remote desktop gateway that provides instant and secure access to desktops, servers, databases and web applications from a web browser.

Benefits of the KCM On-Prem platform:

Self-hosted
Agentless
Lightning Fast and Responsive
Simple Access Controls
Customizable
Works in air-gapped environments

Features include:

Support for RDP, SSH, VNC, K8s remote access protocols
Support for MySQL, PostgreSQL, SQL Server database protocols
Support for web application protection through Remote Browser Isolation technology
Session Recording and playback
Privileged Session Management
Multi-User Session Sharing
Role-Based Access Controls
MFA Options: TOTP, Duo
PIV/CAC smart card authentication
SSO, OpenID Connect, Active Directory, LDAP Integration
Custom Branding

Video Overview

System Diagram

Keeper is typically deployed as a Docker container. The system architecture diagram is below.

Apache Guacamole

Keeper Connection Manager is the commercially-supported solution produced by the original creators of Apache Guacamole, the open source platform used by millions of people for accessing remote desktops. Keeper Connection Manager is built on top of the Guacamole gateway, with expanded capabilities, advanced integrations and ongoing feature development. Glyptodon was Acquired by Keeper Security in December 2021.

KeeperPAM Licensing

Keeper Connection Manager (self-hosted container) is included in your license of KeeperPAM. KeeperPAM is a modern, cloud-based privileged access management platform. Learn more about KeeperPAM at the links below:

Getting Started

Ready to get started with Keeper Connection Manager? Proceed to the .

Security Architecture

Keeper Connection Manager security and encryption model

Keeper is Fanatical About Data Protection

Keeper utilizes best-in-class security with a zero-trust framework and zero-knowledge security architecture to safeguard your infrastructure and mitigate the risk of a data breach.

Overview

Keeper Security, Inc. (KSI) is passionate about protecting its customer's information and infrastructure with Keeper desktop and mobile security software. Millions of consumers and businesses trust Keeper to secure and access remote systems, passwords and private information. Keeper's software is constantly improved and updated to provide our customers with the latest in technology and protection. This page provides an overview of Keeper's security architecture and encryption methodologies.

System Architecture

The Keeper Connection Manager Gateway is a platform that is fully hosted by the customer in any cloud, on-prem or virtual environment. Keeper provides customers with the and method of installation.

The Docker container is made up of several core components including:

Apache Guacamole web application software
Apache Guacamole "guacd" protocol service
NGINX for SSL termination and reverse proxy
Apache Tomcat services
MySQL, PostgreSQL or other supported databases

Additional packages that support Enterprise capabilities such as SAML 2.0 / SSO, OpenID Connect, TOTP, Vault Integration and components are provided as part of the package installers or as separate add-on components.

Apache Guacamole™

The engineering team at Keeper Security that built Keeper Connection Manager (formerly Glyptodon) are the inventors and primary maintainers of the open source project. Keeper Security is proud to support the open source community and millions of users who use the Apache Guacamole remote desktop software.

Least Privilege Access

The packages provided by Keeper Connection Manager have been designed to follow best practices with respect to security, particularly with respect to the . This is accomplished through careful delegation of rights through users and groups which are automatically created by the Keeper Connection Manager packages, and through strict file permissions.

Production Configuration

Once ready to deploy Keeper Connection Manager to production, it is critically important that customers configure SSL encryption. You will need to obtain an SSL certificate for your server such that all Keeper Connection Manager traffic is encrypted.

If you have have deployed Keeper Connection Manager using the or method, you may have already configured SSL.

Upgrade Methods

Customers who deploy the Auto Docker Install version can use the .
Customers who deploy the Docker Compose Install version can use the .

Compliance & Audits

Certified SOC 2 Compliant

Customer vault records are protected using stringent and tightly monitored internal control practices. Keeper is certified as SOC 2 Type 2 compliant in accordance with the AICPA Service Organization Control framework. SOC 2 certification helps ensure that your vault is kept secure through the implementation of standardized controls as defined in the AICPA Trust Service Principles framework.

ISO 27001 Certified (Information Security Management System)

Keeper Security is ISO 27001 certified, covering the Keeper Security Information Management System which supports the Keeper Enterprise Platform. Keeper's ISO 27001 certification is scoped to include the management and operation of the digital vault and cloud services, software and application development, and protection of digital assets for the digital vault and cloud services.

Keeper is GDPR compliant and we are committed to ensuring our business processes and products continue to maintain compliance for our customers in the European Union. to learn more about Keeper's GDPR compliance and download data processing agreements.

Protection of Patient Medical Data

Keeper software is compliant with global, medical data protection standards covering, without limitation, HIPAA (Health Insurance Portability and Accountability Act) and DPA (Data Protection Act).

HIPAA Compliance and Business Associate Agreements

Keeper is a SOC2-certified and ISO 27001-certified zero-knowledge security platform that is HIPAA compliant. Strict adherence and controls covering privacy, confidentiality, integrity and availability are maintained. With this security architecture, Keeper cannot decrypt, view or access any information, including ePHI, stored in a user’s Keeper Vault. For the foregoing reasons, Keeper is not a Business Associate as defined in the Health Insurance Portability and Accountability Act (HIPAA), and therefore, is not subject to a Business Associate Agreement.

To learn more about the additional benefits for healthcare providers and health insurance companies, please read our and visit our .

Penetration Testing

Keeper performs quarterly pen testing with 3rd party experts including and . In addition, Keeper works with independent security researchers who test against all of our products and systems through our .

Third-Party Security Scanning & Penetration Tests

Keeper Security environments are tested daily by TrustedSite to ensure that the Keeper web application and KSI's Cloud Security Vault are secure from known remote exploits, vulnerabilities and denial-of-service attacks. A comprehensive external security scan is conducted monthly on the Keeper websites, Keeper web application, and Keeper Cloud Security Vault by TrustedSite. Keeper staff periodically initiate on-demand external scans.

Payment Processing and PCI Compliance

Keeper Security uses PayPal and Stripe for securely processing credit and debit card payments through the KSI payment website. PayPal and Stripe are PCI-DSS compliant transaction processing solutions. Keeper Security is certified PCI-DSS compliant.

EU-US Privacy Shield

The Keeper web client, Android App, Windows Phone App, iPhone/iPad App and browser extensions have been certified Privacy Shield compliant with the U.S. Department of Commerce's EU-U.S. Privacy Shield program, meeting the European Commission's Directive on Data Protection. For more information about the U.S. Department of Commerce U.S. Privacy Shield program, see

FIPS 140-2 Validated

Keeper utilizes FIPS 140-2 validated encryption modules to address rigorous government and public sector security requirements. Keeper’s encryption has been certified by the NIST CMVP and validated to the FIPS 140 standard by accredited third party laboratories. Keeper has been issued under the NIST CMVP. For the best FIPS experience use KCM version 2.9.6+ for improvements including:

Improved FIPS compliance support for SSH and RDP connections
Better log messaging when a compliant connection cannot be made

U.S. Department of Commerce Export Licensed Under EAR

Keeper is certified by the U.S. Department of Commerce Bureau of Industry and Security under Export Commodity Classification Control Number 5D992, in compliance with Export Administration Regulations (EAR). For more information about EAR:

24x7 Remote Monitoring

Keeper is monitored 24x7x365 by a global third-party monitoring network to ensure that our website and Cloud Security Vault are available worldwide. If you have any questions regarding this security disclosure, please .

Phishing or Spoofed Emails

If you receive an email purporting to be sent from KSI and you are unsure if it is legitimate, it may be a “phishing email” where the sender's email address is forged or “spoofed”. In that case, an email may contain links to a website that looks like KeeperSecurity.com but is not our site. The website may ask you for your Keeper Security master password or try to install unwanted software on your computer in an attempt to steal your personal information or access your computer. Other emails contain links that may redirect you to other potentially dangerous web sites. The message may also include attachments, which typically contain unwanted software called "malware." If you are unsure about an email received in your inbox, you should delete it without clicking any links or opening any attachments. If you wish to report an email purporting to be from KSI that you believe is a forgery or you have other security concerns involving other matters with KSI, please .

Hosting Infrastructure Certified to the Strictest Industry Standards

Keeper Connection Manager is hosted by the customer. The Keeper website and cloud storage runs on secure Amazon Web Services (AWS) cloud computing infrastructure. The AWS cloud infrastructure which hosts Keeper's system architecture has been certified to meet the following third-party attestations, reports and certifications:

SOC 1 / SSAE 16 / ISAE 3402 (SAS70)
SOC 2
SOC 3
PCI DSS Level 1
ISO 27001, 27017 and 27018
FedRamp
DIACAP
FISMA
ITAC
FIPS 140-2
CSA
MPAA

Vulnerability Reporting and Bug Bounty Program

Keeper Security is committed to the industry best practice of responsible disclosure of potential security issues. We take your security and privacy seriously and, we are committed to protecting our customers’ privacy and personal data. KSI’s mission is to build world’s most secure and innovative security apps, and we believe that bug reports from the worldwide community of security researchers is a valuable component to ensuring the security of KSI’s products and services.

Keeping our users secure is core to our values as an organization. We value the input of good-faith researchers and believe that an ongoing relationship with the cybersecurity community helps us ensure their security and privacy, and makes the Internet a more secure place. This includes encouraging responsible security testing and disclosure of security vulnerabilities.

The Keeper Connection Manager team actively monitors the upstream Apache Guacamole project for newly-disclosed security vulnerabilities, and has procedures in place for releasing security updates outside the normal release cycle. Should a vulnerability be found in Guacamole, the patch for that vulnerability will made be immediately available through the Keeper Connection Manager repository, and can be applied automatically using the upgrade process based on your installation method.

Guidelines

Keeper's Vulnerability Disclosure Policy sets out expectations when working with good-faith researchers, as well as what you can expect from us.

If security testing and reporting is done within the guidelines of this policy, we:

Consider it to be authorized in accordance with Computer Fraud and Abuse Act,
Consider it exempt from DMCA, and will not bring a claim against you for bypassing any security or technology controls,
Consider it legal, and will not pursue or support any legal action related to this program against you,
Will work with you to understand and resolve the issue quickly, and
Will recognize your contributions publicly if you are the first to report the issue and we make a code or configuration change based on the issue.

If at any time you are concerned or uncertain about testing in a way that is consistent with the Guidelines and Scope of this policy, please contact us at before proceeding.

To encourage good-faith security testing and disclosure of discovered vulnerabilities, we ask that you:

Avoid violating privacy, harming user experience, disrupting production or corporate systems, and/or destroying data,
Perform research only within the scope set out by the Bugcrowd vulnerability disclosure program linked below, and respect systems and activities which are out-of-scope,
Contact us immediately at if you encounter any user data during testing, and
You give us reasonable time to analyze, confirm and resolve the reported issue before publicly disclosing any vulnerability finding.

Submitting a Report

Keeper has partnered with Bugcrowd to manage our vulnerability disclosure program.

Please submit reports through .

Additional Information

Keeper Security utilizes best-in-class security with a Zero-Knowledge security architecture and Zero-Trust framework. Additional technical documentation about Keeper's Zero-Knowledge encryption model can be found at the links below:

Keeper is SOC 2 Type 2, ISO27001 certified, FedRAMP Authorized. Customers may request access to our certification reports, 3rd party penetration reports and technical architecture documentation with a signed mutual NDA.

Installation

Keeper Connection Manager installation instructions in the cloud or on-prem environments.

Keeper Connection Manager is installed as a gateway in your cloud, virtual or on-prem environment. There are several methods of deployment, and installation only takes a few minutes.

Install Methods

For Auto Docker Install method, we support any version of Linux.

For Docker Compose Install, Keeper Connection Manager will run on any platform that supports Docker or Docker Desktop, including all versions of Windows and Linux.

Customers who directly installed via Linux RPMs can refer to our advanced linux install docs.

The container running Keeper Connection Manager needs network access to the target desktops/systems that will be managed.

Configure DNS

In a production deployment, select a domain name to access the endpoint, e.g. kcm.company.com and create a new DNS record to map it to your server's public IP. You will be prompted to enter the domain name during the installation.

Ensure that the DNS record maps to your server's public IP address, or an IP that is internally available to your end-users over HTTPS port 443.

Decide on Let's Encrypt or Existing Cert

Keeper Connection Manager requires an SSL certificate for installation. Decide before starting installation if you want to use Let'sEncrypt, or if you have your own certificate file and private key.

LetsEncrypt is a certificate authority that is free, automated, open, and is also the world's largest CA. During installation using the Auto Docker Install method, Keeper Connection Manager will provide an option to utilize LetsEncrypt (option 1), which will generate a 3-month trusted certificate for your domain.

If you plan to use Let's Encrypt as your CA, you should open port 80 and 443. LetsEncrypt uses port 80 to perform automated SSL certificate generation.

However, if you would like to use your own certificate obtained by a different CA, you can do so by choosing (option 2) during the installation prompt.

If you would like to use your own certificate, Keeper Connection Manager installation will prompt you to enter the full path and file name first for your .crt file, and next for your .pem file. Make sure to transfer these files to your server before beginning installation.

Select an Install Method

Keeper Connection Manager can be installed using one of the following methods.

Option 1: Auto Docker Install

An automated installer script is available for Linux which performs several of the Docker setup steps, such as generating a Docker Compose file, setting up SSL certificates and other options.

Go to: Installation Instructions for Auto Docker Install

This method is recommended for users who are new to Docker and prefer Linux.

Option 2: Docker Compose Install

This advanced and customized Docker install for Keeper Connection Manager provides the Docker Compose file to deploy in any Docker environment with support for additional packages such as SSO, LDAP, TOTP and more.

Go to: Installation Instructions for Docker Compose Install

This method is required for Windows and recommended for users who are familiar with Docker.

License Key

Activating your Keeper Connection Manager license key

Starting with Keeper Connection Manager version 2.19, customers are required to obtain a license key from Keeper in order to continue the use of the application.

Before installing KCM 2.19 or newer versions, please ensure you have a valid license key. Without a valid license key, users and administrators will be unable to use KCM after the update is applied

Obtaining a License Key

To obtain a license key, please contact Keeper Support directly at: https://www.keepersecurity.com/support.html

Upon request, Keeper staff will generate your KCM on-prem license key. It can then be accessed directly from the Keeper Admin Console:

To install your license key, follow the steps below:

New Customers

During the installation process, you will be prompted to input the license key.

Existing Customers

If using the Auto Docker Install or Docker Compose Install method, simply update the keeper/guacamole container definition with the license as the value of the KCM_LICENSE environment variable.

Example:

    guacamole:
        image: keeper/guacamole:2
        restart: unless-stopped
        environment:
            ACCEPT_EULA: "Y"
            .
            .
            .
            KCM_LICENSE: "XXXXXXXXXXXXXXXXXXXXXXXXXX"
        volumes:
            - "common-storage:/var/lib/guacamole:rw"

(Optional) If the license will be present within a file in your container, you may alternatively use the KCM_LICENSE_FILE environment variable to point to that file.
(Optional) If using the RPM packages, you must provide the license as the sole contents of /etc/guacamole/kcm.license, which must be readable by the guacamole group.

After adding the license key, restarting the container is necessary. If using the Auto Docker Install method, simply run:

sudo ./kcm-setup.run apply

System Requirements

Detailed list of system and operating system requirements for Keeper Connection Manger

Supported Operating Systems:

The recommended method to install Keeper Connection Manager is via the. This removes any operating system, system pre-requisites and other requirements. If the underlying system supports a current version of Docker, the container is fully supported.

Supported KCM Versions:

Glyptodon 1.x - Full support for 2 years after any major release
Glyptodon 2.x - Full support for 2 years after any major release
Keeper Connection Manager 2.x - Full support for 2 years after any major release

Minimum system specs for production deployment:

The generalized formula for sizing Keeper Connection Manager is 1 CPU core and 2 GB of memory for every 25 concurrent users anticipated. We recommend a minimum of 8GB RAM and 2 cores for any small deployment.

Minimum host recommendations:

# Concurrent connections

CPU

Min. RAM

For anything over 200 concurrent sessions, we have several options, and it may be best to talk through this with our sales engineering team to find the right solution based on your needs and connection types.

Disk space requirements

A single session recording can vary based on the content being shown. This is affected by the type of connection. GUIs typically have higher recording sizes versus CLI connections like SSH, which can be quite small.

There are far too many variables in play to accurately predict disk space needs for recordings. The best practices are to monitor the recordings folder and offload them to another location as needed.

Network throughput for concurrent connections

Network throughput also varies based on activity, type of session and connection settings. From actual examples, we've found that for a system running about 100 concurrent sessions, network traffic varies between 9Mbit/s and 15Mbit/s for all 100 connections. Each connection would be on average 1/100th of the 15Mbit value.

In the same above scenario with 100 connections, we would expect about 15gb total traffic per hour on the network adaptor. Comparing inbound and outbound traffic, just over 90% of the traffic is outbound from the server to the clients.

Preparing for Installation

Get your environment, network, and system ready and prepared.

Preparing for Installation

Keeper Connection Manager will serve your secure "jumpbox" and you'll use your web browser to access it. First, choose a URL that you'd like to use for accessing KCM.

You'll need the following:

1. A designated machine (usually a Linux VM) with a static IP address 2. Choose a fully-qualified domain name (FQDN) 3. Your DNS record set to point your FQDN to the IP of your designated machine 4. An SSL certificate

No cert? Don't worry, you can:

Start by choosing "use a self-signed certificate" (for testing)
Choose "Let's Encrypt" to generate a 90 day auto-renewing cert (requires 80 and 443 open)
Bring your own cert during setup or add it in later using the reconfigure command

You can either bring your own SSL certificate, or you can generate one during the installation by choosing the option for . If planning to use Let's Encrypt, make sure that ports 80 and 443 are open to the internet during the installation.

To prepare for installation:

Create/Identify and establish root access to the server that will run the Keeper Connection Manager gateway
Decide if you want your KCM gateway to be public-facing (assign public IP), or internal-only (assign private IP)
Add internal/external DNS A Record (or AAAA record) to point your domain to your KCM server's IP address
Make sure that ports 80 and 443 are open to the public if you plan to use Let's Encrypt.

Check your firewall to make sure that traffic can flow between your server and Docker. Some domains that it will need to reach include docker.com, docker.io and others.

Platform-specific Setup

Virtual Machines with Depletable Entropy Bits

Linux kernels before 5.18 had a depletable entropy measured in bits, with a default limit of 256 bits. This is insufficient for KCM and requires modules like haveged to increase the entropy limit.

If your Linux machine's kernel version is 5.18 or greater the steps below can be ignored. Attempting the cat command below will also always return 256.

To check your that your Linux system's entropy level is at least 1000, use the command:

To increase the speed of entropy generation, you can install the haveged service to ensure that the environment can efficiently create secure random numbers.

On RHEL, the haveged package is not available from the Red Hat repositories and must instead be installed from the EPEL repository. EPEL provides instructions for configuring their repository here: . After EPEL is installed, run the following commands:

RHEL / Rocky Linux 8 (and derivatives)

If Podman is installed, you must run the following two commands before installation:

Auto Docker Install

Automated Linux Docker installer for users without Docker experience

Overview

Auto Docker Install is Keeper's recommended installation method.

Make sure to read the section first.

The Auto Docker Install method creates a standard Keeper Connection Manager environment using a script that is easy to run. This method does not restrict any features and you can still utilize this installation with advanced control at a later time.

If you are already familiar with Docker, you may choose to use the method.

Licensing

Before installing KCM, please ensure you have a valid license key. Without a valid license key, users and administrators will be unable to use KCM after the update is applied

For more info, visit this .

Installation

(1) Download the Installer

From the linux command line, download the installer script using the curl command.

(2) Add the execute permission to the Installer

(3) Run the Installer as root

The next question asks if you already have SSL termination available. If unsure, select N for no.

At the next prompt, enter your FQDN, even if it is internal. This is where users will access KCM in their browser.

Then, choose an option for SSL. A self-signed certificate (option 3) is okay for testing. After testing is complete, make sure to put a proper SSL certificate in place.

If you want to use Let's Encrypt (option 1) to quickly and easily generate and install an SSL certificate, you must have public DNS in place pointing to your static public IP. Also, Let's Encrypt requires HTTP port 80 and HTTPS port 443 to be open during the install process.

Secrets Manager Integration (optional)

The next prompt will be to choose your database, and then it will prompt for "Your one-time access token or base64 configuration". This value is (a tab in your vault). If this doesn't apply to you, just press enter. You can always add it later, too.

Next up is SAML. You can choose "no" to skip it (you can come back and set it up later), or you can choose "yes" to set up SSO now.

Save the credentials and URL in your Vault

After installation is completed, an admin login and password is created for you. Make sure to store this in your Keeper vault, as it's not provided again later.

Store the provided username, password, and URL in your Keeper Vault

Navigate to the URL in your Browser

Now that the installation is complete, simply go to the URL/hostname that you designated. You'll be able to login as the guacadmin default user with the credentials provided at the completion of the installation.

🎉 Installation Complete!

Now that your Keeper Connection Manager instance is running, you can login as guacadmin and start setting up some connections. Need to import connections in bulk?

The next section of this documentation reviews the process of managing, upgrading and adding packages to the Docker Compose environment.

Service Management

Auto Docker Install service management

Overview

The Auto Docker Method installs Docker and 4 containers (if you selected all options) which start up automatically after the installer completes:

Database (MySQL or PostgreSQL depending on selection)
Guacamole (Tomcat)
Guacd
SSL (NGINX)

The installer also creates a docker-compose.yml file that can be found in the filesystem:

/etc/kcm-setup/docker-compose.yml

This Docker Compose file is the configuration file which manages the multi-docker container system. If you need to make further changes to the environment, you can modify this file and restart the docker services using the kcm-setup.run script or by directly using Docker functionality.

Managing the Service

When using the Docker Simple Install method, the kcm-setup.run script can be used to manage the entire service and the underlying docker containers. The purpose of this script is to make management of the Keeper Connection Manager platform very simple.

Usage:

sudo ./kcm-setup.run [OPTIONS] [COMMAND] [ARG...]

Install, maintain, or uninstall Keeper Connection Manager automatically.

Command

Description

backup

Backup all database data to a file.

check

Perform an automated self-check of all services.

install

Install Keeper Connection Manager (DEFAULT).

logs

Display the log files from all installed services.

reconfigure

Modify the configuration of an existing KCM installation.

restart

Restart all installed services, starting any that are stopped.

restore

Restore database data from a prior backup.

start

Start all installed services that are not started.

status

Display the status of installed services.

stop

Stop all installed services that are not stopped.

uninstall

Completely remove the existing installation. This will delete all stored data in the database.

upgrade

Upgrade the existing installation by pulling the latest docker images. Your data stored in the service is retained.

apply

Strictly apply changes made externally to docker-compose.yml and do not pull new images.

version

Print out the version of each component of your KCM instance (db, guacamole, guacd, ssl)

Shared Volume

When using the Auto Docker Install method, a shared volume is automatically added to store file transfers and session recordings. The created volumes are located at /var/lib/guacamole/ which contains the drives and recordings.

Upgrading

Upgrading Keeper Connection Manager with the Docker Automated Install method

Before making any changes to your environment, we recommend backing up in accordance with the instructions on the Backup and Recovery page.

Update Instructions

From the Linux command line, update to the latest installer script using the curl command.

curl -O https://keepersecurity.com/kcm/kcm-setup.run

To update all of the underlying software and Docker containers when using the Docker Automated Install method, run the below commands:

sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade

Select "Y" when prompted.

Once the upgrade is complete, the service is started again automatically after a minute.

If you run into any issues with the upgrade, see our troubleshooting page.

Adding Packages

Activating additional packages on the Auto Docker Install method

When using the Auto Docker Install method, packages can be added by directly modifying the generated Docker Compose file. For example, adding SSO or LDAP support.

To modify your Keeper Connection Manager environment, you'll need to edit the docker-compose.yml file located here:

/etc/kcm-setup/docker-compose.yml

Applying Configuration Changes

The kcm-setup.run script has an apply feature which allows you to apply configuration changes without updating the containers. From the Linux command line, update to the latest installer script using the curl command.

Apply the changes

Update and Restart the Containers

To update the environment, use the kcm-setup.run upgrade command to update the containers and start with the latest configuration:

or.....

keeper/guacd

Docker deployment of guacd with Keeper Connection Manager

Image: keeper/guacd

keeper/guacd is a Dockerized deployment of guacd, the Apache Guacamole proxy daemon, with support for VNC, RDP, SSH, K8s, MySQL, PostgreSQL, SQL Server and telnet. It is normally used to provide a guacd instance for a container using the image.

Starting a guacd instance

To start a guacd instance which listens on TCP port 4822:

where some-guacd is the name you wish to assign to your container.

Viewing the guacd logs

The guacd logs are useful if debugging unexpected behavior of the remote desktop or failure to connect, as it is guacd that handles protocol-specific communication. To view the guacd logs:

By default, these logs will show messages only at the "info" level or above. This can be overridden when the container is created using the LOG_LEVEL environment variable.

Environment variables

`ACCEPT_EULA`

The ACCEPT_EULA environment variable must be set to "Y" to indicate your acceptance of the Keeper Connection Manager EULA. This Docker image may not be used except under the terms of the .

`CA_CERTIFICATES`

This variable is optional and specifies the contents of one or more certificates used by your internal certificate authority (CA), in PEM form. When specified, SSL/TLS connections to other servers will be verified against these certificates, including connections to RDP servers and Remote Browser Isolation sessions that use SSL/TLS.

Below is an example guacd section of docker-compose.yml with 2 certificates:

`GUACD_UID`

This variable is optional and specifies the numeric UID which should be assigned to the user that the guacd service runs as. If omitted, the guacd service will run with the UID of the reduced-privilege user created by the Keeper Connection Manager package for guacd.

This is mainly useful if guacd will need to write to a volume mount whose file permissions may not match those of the keeper/guacd Docker image.

`GUACD_GID`

This variable is optional and specifies the numeric GID which should be assigned to the group that the guacd service runs as. If omitted, the guacd service will run with the GID of the reduced-privilege group created by the Keeper Connection Manager package for guacd.

This is mainly useful if guacd will need to write to a volume mount whose file permissions may not match those of the keeper/guacd Docker image.

`LOG_LEVEL`

This variable is optional and specifies the lowest level of log message that should be displayed. In order of increasing verbosity, valid values are: "error", "warning", "info", "debug", "trace".

The default log level is "info".

`AUTOFILL_RULES`

This variable is optional and specifies the full contents of the /etc/guacamole/autofill-rules.yml file that can be used to configure autofill of username/password in the protocol.

Database images

Docker deployment of Pre-Initialized Database Images with Keeper Connection Manager

For convenience, Docker images for both MySQL and PostgreSQL are provided which automatically initialize themselves using the Apache Guacamole database schema:

Image name

Base image

Description

An instance of MySQL, automatically initialized with the Apache Guacamole database schema.

An instance of PostgreSQL, automatically initialized with the Apache Guacamole database schema.

Each of these images:

Is based off Docker's official images for the same databases, and thus each accepts the same core environment variables.
Accepts a common set of Guacamole-specific environment variables defining the name to be used for Guacamole's database and the reduced-privilege credentials to be used by Guacamole to execute queries.
Requires the same ACCEPT_EULA environment variable as the keeper/guacamole and keeper/guacd images.

The images may be used as part of an entirely Dockerized deployment of Apache Guacamole, or separately as an easier method of deploying a functional, pre-initialized, and supported database. When combined with the keeper/guacamole and keeper/guacd images using docker-compose, an entire deployment of Apache Guacamole can be created and managed using a single docker-compose.yml.

keeper/guacamole-db-mysql

Docker deployment of MySQL with Keeper Connection Manager

Image: keeper/guacamole-db-mysql

keeper/guacamole-db-mysql is a Dockerized deployment of MySQL, built off Docker's official MySQL image which is automatically initialized with the Apache Guacamole database schema. It is built using the packages provided by Keeper Connection Manager and made available under the same EULA. It is normally used to provide a MySQL database for a container using the keeper/guacamole image.

Environment variables

In addition to the environment variables documented below, all environment variables supported by the official Docker MySQL image are accepted, as the official MySQL image forms the basis of this image.

`ACCEPT_EULA`

The ACCEPT_EULA environment variable must be set to "Y" to indicate your acceptance of the Keeper Connection Manager EULA. This Docker image may not be used except under the terms of the EULA.

`MYSQL_RANDOM_ROOT_PASSWORD`

This is an optional variable. Set to a non-empty value, like yes, to generate a random initial password for the root user (using pwgen). The generated root password will be printed to stdout (GENERATED ROOT PASSWORD: .....).

`GUACAMOLE_DATABASE`

The name of the database to create and initialized for use with Apache Guacamole. This environment variable is required and ultimately maps to the MYSQL_DATABASE environment variable of the official MySQL image.

The GUACAMOLE_DATABASE variable is provided here for consistency with the other Guacamole-specific variables, but may be omitted if MYSQL_DATABASE is provided.

`GUACAMOLE_ADMIN_PASSWORD`

This is the Administrator password for the guacadmin user.

`GUACAMOLE_USERNAME` and `GUACAMOLE_PASSWORD`

The username and password to use for the MySQL database user specific to the Guacamole web application. This pair of variables differ from the MYSQL_USER and MYSQL_PASSWORD environment variables provided by the official MySQL image in that the created user has limited privileges, being granted only what privileges are absolutely required for Guacamole to run.

The GUACAMOLE_USERNAME and GUACAMOLE_PASSWORD are not strictly required, as the user created with MYSQL_USER and MYSQL_PASSWORD may be used instead, however they are strongly recommended to ensure the Principle of Least Privilege is followed.

Docker secrets

Rather than pass data directly in environment variables, a _FILE suffix may be added to any environment variable supported by this image to force that variable to be read from the named file within the container. As Docker secrets store sensitive data within files beneath /run/secrets/ within the container, this can be used to load sensitive data from Docker secrets.

For example, to load the username and password for the limited-privilege user specific to the Guacamole web application from Docker secrets:

docker run --name some-guacamole-db \
    -e ACCEPT_EULA=Y \
    -e MYSQL_RANDOM_ROOT_PASSWORD=yes \
    -e GUACAMOLE_ADMIN_PASSWORD=some_password \
    -e GUACAMOLE_DATABASE=guacamole_db \
    -e GUACAMOLE_USERNAME_FILE=/run/secrets/mysql-username \
    -e GUACAMOLE_PASSWORD_FILE=/run/secrets/mysql-password \
    -d keeper/guacamole-db-mysql

keeper/guacamole-db-postgres

Docker deployment of Postgres with Keeper Connection Manager

Image: keeper/guacamole-db-postgres

keeper/guacamole-db-postgres is a Dockerized deployment of PostgreSQL, built off Docker's official PostgreSQL image which is automatically initialized with the Apache Guacamole database schema. It is built using the packages provided by Keeper Connection Manager and made available under the same EULA. It is normally used to provide a PostgreSQL database for a container using the keeper/guacamole image.

Environment variables

In addition to the environment variables documented below, all environment variables supported by the official Docker PostgreSQL image are accepted, as the official PostgreSQL image forms the basis of this image.

`ACCEPT_EULA`

The ACCEPT_EULA environment variable must be set to "Y" to indicate your acceptance of the Keeper Connection Manager EULA. This Docker image may not be used except under the terms of the EULA.

`POSTGRES_PASSWORD`

The PostgreSQL administrator password.

`GUACAMOLE_DATABASE`

The name of the database to create and initialized for use with Apache Guacamole. This environment variable ultimately maps to the POSTGRES_DB environment variable of the official PostgreSQL image. If omitted, the default value defined by the official PostgreSQL image will be used.

The GUACAMOLE_DATABASE variable is provided here for consistency with the other Guacamole-specific variables and may be omitted if POSTGRES_DB is provided.

`GUACAMOLE_ADMIN_PASSWORD`

This is the Administrator password for the guacadmin user.

`GUACAMOLE_USERNAME` and `GUACAMOLE_PASSWORD`

The username and password to use for the PostgreSQL database user specific to the Guacamole web application. This pair of variables differ from the POSTGRES_USER and POSTGRES_PASSWORD environment variables provided by the official PostgreSQL image in that the created user has limited privileges, being granted only what privileges are absolutely required for Guacamole to run.

The GUACAMOLE_USERNAME and GUACAMOLE_PASSWORD are not strictly required, as the user created with POSTGRES_USER and POSTGRES_PASSWORD may be used instead, however they are strongly recommended to ensure the Principle of Least Privilege is followed.

Docker secrets

For example, to load the username and password for the limited-privilege user specific to the Guacamole web application from Docker secrets:

docker run --name some-guacamole-db \
    -e ACCEPT_EULA=Y \
    -e GUACAMOLE_DATABASE=guacamole_db \
    -e POSTGRES_PASSWORD=some_password \
    -e GUACAMOLE_ADMIN_PASSWORD=some_password \
    -e GUACAMOLE_USERNAME_FILE=/run/secrets/postgres-username \
    -e GUACAMOLE_PASSWORD_FILE=/run/secrets/postgres-password \
    -d keeper/guacamole-db-postgres

SSL Termination

Docker deployment of NGINX with Keeper Connection Manager for SSL Termination

For convenience, a Docker image for SSL termination using NGINX is provided which automatically configures itself with an SSL certificate:

Image name

Base image

Description

This image:

Is based off Docker's official image for NGINX, and thus each accepts the same core environment variables.
Accepts a set of Keeper-specific environment variables defining the Guacamole instance that will be behind SSL termination.
Can automatically retrieve a certificate from Let's Encrypt, generate its own self-signed certificate for testing, or use an existing certificate that you have already obtained from a certificate authority.
Requires the same ACCEPT_EULA environment variable as the and images.

See the to view configuration examples.

Using a Custom SSL Cert

How to deploy a custom SSL Certificate to Keeper Connection Manager

This page provides details on how to create an SSL certificate for use with the Keeper Connection Manager service.

Generate and Prepare the SSL Certificate

The process of generating an SSL certificate varies depending on the provider, but the general flow is documented here.

(1) On your local workstation, Generate a private key

(2) Generate a CSR, making sure to use the hostname which you plan to use for KCM. In this case, we will be using demo3.kcmdemo.com. The important item here is that the Common Name matches exactly to the domain.

(3) Purchase an SSL certificate and Submit the CSR to your SSL certificate provider.

Ensure that the SSL certificate created for your KCM instance is only used for this purpose. Do not use a wildcard certificate that is shared with other services.

If you don't have a provider already, a good site is:

Create a certificate for a domain that is specific for this KCM instance, e.g. demo3.kcmdemo.com. The SSL certificate provider will deliver you a zip file that contains a signed certificate (.crt file) and intermediate CA cert.

(4) After the certificate has been issued, combine the certificate (.crt) and bundle (bundle.crt) into a single file that is PEM-encoded.

The file needs to be formatted like this:

Note that a newline exists after each "END CERTIFICATE" line. KCM will reject a malformed certificate.

The private key file will be PEM-encoded, formatted like this:

(5) Transfer the 2 files to the KCM server

Copy the files to a location in the server which is running Keeper Connection Manager.

If you are using the Auto Docker install method of Keeper Connection Manager, a good place to put the files is in /etc/kcm-setup. Make sure to set the permissions appropriately, e.g.:

(6) Update the docker-compose.yml file with the SSL cert

Using your preferred editor, update the Docker Compose file. If you used the Auto Docker install method of KCM, the file will be located in /etc/kcm-setup/docker-compose.yml. The section to edit is below:

Make sure to edit the SSL_HOSTNAME and volume mount paths and filenames.

To restart the service with the new certificate:

Annual Renewal

On an annual basis, you will need to renew your cert. Most certificate providers will generate a new cert for you. After certificate renewal, you need to replace the certificate file and restart the service.

Upgrading

Upgrading Keeper Connection Manager with the Docker Manual Install method

Before making any changes to your environment, we recommend backing up in accordance with the instructions on the Backup and Recovery page.

To update all of the Keeper Connection Manager docker images when using the Docker Compose Install method, run the below command (assuming docker-compose.yml is in the current folder):

sudo docker-compose pull
sudo docker-compose up -d

If you originally installed with the Auto Docker Install method (kcm-setup.run script), run the below command:

sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade

Select "Y" when prompted.

If you run into any issues with the upgrade, see our troubleshooting page.

Backup & Recovery

Backup and recovery options

Keeper Connection Manager is packaged and installed in your environment. As such, backups should be taken in order to recover the environment if required.

It is highly recommended to perform backups of the following components:

Server backup
Database snapshots
Docker compose and other critical files

Server Backup Instructions

We recommend performing daily snapshots of your Keeper Connection Manager instances.
In most installations, a database running locally or within the Docker containers includes the connection and user data. When backing up the instance, ensure that the database is included.
When using the Advanced Linux Install method, ensure that the /etc/guacamole/ folder is included in the snapshot.

Database Snapshots

For Docker and Auto Docker install methods, the kcm-setup.run backup command will run a backup locally.
For other installation methods, please use the database platform's backup features, for example mysqladmin on MySQL-backed installs.

Docker compose

Back up and protect the files located in /etc/kcm-setup/ which include docker-compose.yml and any other files which are being utilized by your container.

Authentication Options

Configuration of Keeper Connection Manager Authentication methods

Keeper Connection Manager supports multiple authentication mechanisms which can be enabled through installing additional packages.

Multi-Factor Authentication

If you wish to enable multi-factor authentication in front of Keeper Connection Manager, you may do so with Duo or TOTP.

TOTP
Duo

Microsoft Azure

Keeper Connection Manager SAML configuration with Microsoft Azure

Azure Configuration

The first step regardless of installation method is to configure your SAML 2.0 identity provider using Microsoft Azure.

(1) In Azure, go to Enterprise Applications and Create a new application.

(2) Give the Enterprise Application a name, and then select "non-gallery" application.

(3) Set up Single Sign On with SAML.

(4) Configure for SAML

(5) Set up the SAML properties to point Azure to your Keeper Connection Manager installation URL:

(6) To support Azure Group to Keeper Connection Manager User Group mappings, you can add a Group claim by editing the Attributes & Claims then adding a Group Claim.

When prompted, you can decide whether the group claim is always sent, or only for specific groups or assigned users. If unsure, choose all groups.

For hybrid environments, if the group originates from on-prem AD, you may need to change the display name of the security group.

If you would like to automatically map group assignments in the identity provider to Keeper Connection Manager Groups, ensure that the saml-group-attribute parameter is defined to match the Identity Provider Group Attribute. The name of the Group in Keeper Connection Manager needs to match this identifier exactly in order for the mapping to work.

Azure Group to Keeper Connection Manager Group mapping is unique. KCM will not show a list of the members of a group, however, group member users will have access to any connections that are assigned to the group.

(7) Assign users and/or groups to the Keeper Connection Manager application, as you would normally do with any SAML connected app.

(8) Copy the URL of the App Federation Metadata and paste it into the prompt on your KCM server.

(9) Add the KCM Logo

From the "Properties" screen of the Enterprise Application, upload the KCM logo. The file can be downloaded below.

Here's how the logo will look:

Google Workspace

Keeper Connection Manager SAML configuration with Google Workspace

Google Workspace Configuration

The first step regardless of installation method is to configure your SAML 2.0 identity provider using Google Workspace.

(1) Login to Google Workspace

Visit the Apps > Web and Mobile Apps screen.

(2) Select "Add App" and select "Add Custom SAML App".

Enter an application name and description. You can also upload a Keeper Connection Manager logo. The image logo is here:

Click Continue.

(3) Download the metadata.xml file

...and then click Continue

(4) Configure the SAML Settings

Update 3 fields: ACS URL, Entity ID and Name ID format.

The ACS URL needs to start with your Keeper Connection Manager domain followed by "/api/ext/saml/callback".
The Entity ID is just the Keeper Connection Manager domain.
The Name ID format must be EMAIL

Click Continue.

(5) Assign group membership (Optional)

You can now assign Group Membership to the Keeper Connection Manager application, which is optional. If you would like to assign a group, make sure that the "App Attribute" is groups (lowercase). Then click FINISH.

Google Group to Keeper Connection Manager Group mapping is through the Group Name. If the Keeper Connection Manager contains a Group that has the name corresponding to the Google Group Name, the user will receive all Keeper connections assigned to that user group.

(6) Enable Access

After creating the SAML app, it is not yet active for all users. To enable access, click on View details and turn the application ON.

The Google Workspace side of the setup is complete. Note if you change anything, you need to re-download a new metadata.xml file.

OneLogin

Keeper Connection Manager SAML configuration with OneLogin

OneLogin Configuration

The first step regardless of installation method is to configure your SAML 2.0 identity provider.

You must have OneLogin developer account.

Configure OneLogin

Log in to the OneLogin Dashboard, and click Administration. Then Applications > Add App.
Search for SAML, and select SAML Test Connector (IdP).
When prompted, change the Display Name of your app. Enter an application name and description. You can also upload a Keeper Connection Manager logo. Click save.
Go to the Configuration tab, Update 3 fields: Recipient, ACS (Consumer) URL Validator, and ACS (Consumer) URL with your KCM server URL and /api/ext/saml/callback on the end as shown below.

Click on the More Actions dropped-down menu. Select SAML Metadata to download and save the .XML file.
Under the Users tab on the top, find the users that need to log in using SSO, click into them and on the applications tab on the left, add the new SAML application to them.

Oracle

This documentation will detail how to connect your Oracle Cloud environment to Keeper Security Connection Manager for the purpose of Single Sign-On.

Go to your Oracle Admin Console and navigate to the Identity Domains Overview page, then select Applications as depicted above.

Click on Add Application.

Select SAML as the application type.

Apply the appropriate settings to the Application Information as needed for your security posture. Click on Edit SSO Configuration. Download the Metadata and rename the file to metadata.xml. Set the Entity ID to the URL of your Connection Manager server. For example: https://kcm.somedomain.com. For the Assertion Consumer URL, add /api/ext/saml/callback to the end of the domain URL. For example: https://kcm.somedomain.com/api/ext/saml/callback. Next, set the Name ID Format to Email Address and the Name ID Value to Primary Email. Leave the Signed SSO setting as Assertion. Uncheck the box to Include Signing Certificate in Signature, and leave the Signature Hashing Algorithm as SHA-256.

Assign attributes for email as listed above mapped to the value User Name. Add another attribute for groups with the settings of Type Value Group Membership and a Condition of All groups.

Assign users and groups as appropriate to your SAML application. You'll need to assign at least one user for testing purposes.

Connection Manager Server Configuration

Upload the metadata.xml file to your KCM server and move it into the directory /etc/kcm-setup.

Run the reconfigure command after production hours on your Connection Manager server.

Say Y to the option when presented to setup SAML support.

Select 1 for Local Metadata file. Then input the path of your metadata file as /etc/kcm-setup/metadata.xml and press enter. Answer N to Does your SAML IDP require signed requests? Input your SAML entity ID as the URL of your Connection Manager instance. For example: https://kcm.somedomain.com. Then enter groups as the SAML group attribute.

Choose which setting best applies to your security posture with regard to the default authentication method. If you want Just-In-Time provisioning of users, then answer Y to Would you like user accounts to be automatically created for each successful login?

Click the SAML link to authenticate to the main sign on page.

Your user email address should display in the top right corner after authenticating.

PingIdentity

This page documents the process of integrating PingIdentity with Keeper Connection Manager, which is also known as KCM. We will be adding SAML 2.0 application connectors between the two platforms.

PingIdentity Configuration

Login as an Administrator for PingIdentity. From the PingIdentity menu, click Applications > Add Application
Give the Application a name such as "KCM," select SAML and Save.

Next, you'll encounter the SAML configuration. Select Manually Enter, then add the URL of your KCM server to the ACS URLs box as follows: https://<YOUR DOMAIN>/api/ext/saml/callback
Then add the URL of your KCM server to the Entity ID box as follows: https://<YOUR DOMAIN> and press Save.

Next, Edit Attribute Mappings. Since saml_subject is immutable, leave it as is. Add an attribute named EMAIL that has a Mapping of Username, and an attribute named groups that has a Mapping of Group Names.

Then Edit Configuration and scroll down to SUBJECT NAMEID FORMAT and select the option urn:oasis:names:to:SAML:1.1:nameid-format:emailAddress. And hit Save.

On the Overview section, verify that Access is for All Users (or the group you specified). Leave the Signon URL as the Default Signon Page. And Enable the Application by clicking the slider at the top of the application.

Download the Metadata file from the Configuration tab, and ensure that it is named to metadata.xml.

Ensure that all users are added with a Username that matches the email address of a user in your Keeper Connection Manager. **When you add users to Keeper Connection Manager use the matching email address, but leave the password blank.

Video Example

2FA with TOTP

Integrating TOTP based authentication for 2FA

Keeper Connection Manager provides support for TOTP as a second authentication factor, verifying the identities of enrolled users using authentication codes generated with the TOTP standard.

Docker Environmental Variables

To enable TOTP add the following lines to the "environment" section of the "guacamole" service in the docker-compose.yml file. Only the EXTENSIONS: totp line is required, the rest are optional.

TOTP_ISSUER: "KCM"
TOTP_DIGITS: "6"
TOTP_PERIOD: "30"
TOTP_MODE: "sha1"
EXTENSIONS: "totp"

For example:

        environment:
            ACCEPT_EULA: "Y"
            GUACD_HOSTNAME: "guacd"
            MYSQL_HOSTNAME: "db"
            MYSQL_DATABASE: "guacamole_db"
            MYSQL_USERNAME: "guacamole_user"
            MYSQL_PASSWORD: "XXXXXXXXX"
            KSM_CONFIG: ""
            TOTP_ISSUER: "KCM"
            TOTP_DIGITS: "6"
            TOTP_PERIOD: "30"
            TOTP_MODE: "sha1"
            EXTENSIONS: "totp"

The image keeper/guacamole can be modified to support TOTP using environmental variables. See the TOTP_* variables defined in the documentation.

TOTP with SAML / OIDC

Keeper Connection Manager supports the use of 2FA with TOTP in addition to supporting SAML or OIDC authentication. If TOTP is configured along with SAML, the user will be prompted for 2FA after successfully authenticating with the identity provider.

2FA with Duo

Integrating Duo with Keeper Connection Manager for MFA

Keeper Connection Manager provides support for Duo as a second authentication factor, automatically verifying user identity with Duo after the user is initially authenticated. This integration utilizes the V4.

Duo Setup

From the DUO Security Admin portal:

Select "Protect an Application"
Search for "Web SDK" (Do NOT select Keeper Security - this is for the Vault only)
Select Web SDK and click "Protect"
Capture the Client ID, Client Secret, and API Hostname
Provide these 3 configuration options as DUO_* environment variables in the keeper/guacamole Docker image.

Docker Environment Variables

The image keeper/guacamole section in the docker-compose.yaml file can be modified to support Duo using environment variables.

Environment Variable

Description

Multiple Hostnames

Multiple Hostnames/Configurations for SSL Termination

The keeper/guacamole-ssl-nginx image is specifically intended to provide SSL termination for the Guacamole image provided by Keeper for KCM. Historically, this image supported only a single hostname and configuration:

As of KCM 2.12.0, the keeper/guacamole-ssl-nginx image can be used with multiple hostnames and configurations via a special SERVERS environment variable that accepts YAML (or JSON).

The SERVERS variable must contain a YAML (or JSON) array of objects, where each object contains the name/value pairs of environment variables that should apply to that additional configuration. Any variable that is not specified is inherited from the top-level environment. For example:

The above configuration would result in an NGINX instance that handles both example.net and *.example.net hostnames equivalently. Both will get their own self-signed certificates because SELF_SIGNED is set to Y.

A more complex example:

The above configuration would result in an NGINX instance that generates and uses a self-signed certificate for *.example.net, but obtains a certificate for example.net from Let’s Encrypt.

IMPORTANT: The value of SERVERS must be a string, hence the | symbol within the above examples. If this symbol is omitted, then the YAML that follows is parsed as an object, and validation of the docker-compose.yml will fail, as all Docker environment variables must be strings.

NOTE: NGINX will use the first server as the default for any request that does not match any configured hostname. If any server declared in SERVERS should have this behavior, it must be the first server listed.

Account Approve/Deny Workflow

Approve or Deny User's ability to authenticate with KSM using SSO

In an environment where KCM users may be automatically created from an SSO system, such as SAML or OpenID or PIV/CAC, administrators may wish to more tightly control whether those users are allows to use KCM. To facilitate this, KCM provides administrators an approve/deny workflow to decide whether an individual user should be allowed to authenticate with KCM using that SSO method.

Configuring the KCM user creation workflow

To require approval for users signing in with a particular authentication method, use the require-account-approval property (or, for Docker, the REQUIRE_ACCOUNT_APPROVAL environment variable). This property accepts a comma-separated list of the names of all authentication methods that should require administrator approval. KCM supports the following authentication types:

For example, to require administrator approval for SAML and LDAP, you would specify:

The following examples shows a docker.yaml file with the SAML Authentication method enabled:

Once you have successfully configured and setup the authentication method, the corresponding SSO login method will be displayed on the login screen of the application. In the following image, the instance has been configured to use the saml authentication method:

Users with at least one authentication method that needs to be approved or denied will be shown in the user list with a “Pending Login Request” badge next to their username:

Administrators can approve/deny access for that user via that authentication method by editing the user account in KCM:

OpenID Connect Auth

Instructions for authenticating users with OpenID Connect

Keeper Connection Manager provides support for OpenID Connect for authentication.

Docker Environmental Variables

The image keeper/guacamole can be modified to support OpenID using environmental variables. See the OPENID_* variables defined in the documentation.

LDAP Auth

Instructions for authenticating users with LDAP

Keeper Connection Manager provides support for LDAP authentication.

Docker Environmental Variables

The image keeper/guacamole can be modified to support LDAP using environmental variables. See the LDAP_* variables defined in the documentation.

Auto Docker and Docker Compose Install Method

If you installed Keeper Connection Manager using the Docker Install method, this does not come preconfigured with LDAP support. The instructions for activating LDAP are below:

(1) On the local instance, stop the containers.

Auto Docker Install:

sudo ./kcm-setup.run stop

Docker Compose Install:

cd /path/to/docker-compose.yml
docker-compose stop

(2) Edit the docker-compose file

Using the simple or custom docker method requires modification of docker-compose.yml file to add LDAP support. As root, edit your docker-compose.yml file and find the "guacamole" section.

    guacamole:
        image: keeper/guacamole:2
        environment:
            ACCEPT_EULA: "Y"
            GUACD_HOSTNAME: "guacd"
            MYSQL_HOSTNAME: "db"
            MYSQL_DATABASE: "guacamole_db"
            MYSQL_USERNAME: "guacamole_user"
            MYSQL_PASSWORD: "xxxxxxx"
            
            # LDAP Connection
            LDAP_HOSTNAME: "localhost"
            LDAP_PORT: 389
            LDAP_ENCRYPTION_METHOD: "none"
            
            # Mapping Guacamole usernames to LDAP DN’s
            LDAP_USER_BASE_DN: "ou=people,dc=example,dc=net"
            
            ## Optional Settings ##
            LDAP_USERNAME_ATTRIBUTE: "sAMAccountName"
            
            # Indirect Username Mapping
            LDAP_SEARCH_BIND_DN: "cn=someUser,ou=people,dc=example,dc=net"
            LDAP_SEARCH_BIND_PASSWORD: "some_password"
            
            # Mapping Guacamole groups to LDAP DN's
            LDAP_GROUP_BASE_DN: "ou=groups,dc=example,dc=net"
            LDAP_GROUP_NAME_ATTRIBUTE: "cn"

Optional settings

Mapping Guacamole usernames to LDAP DN's

To authenticate users using LDAP, Guacamole must translate usernames into their corresponding LDAP DN’s. Depending on the complexity of your LDAP directory, this can be as simple as adding a single attribute to a common base DN, or can involve an LDAP query.

Add the following options to docker-compose.yml to enable username mapping

            # Mapping Guacamole usernames to LDAP DN’s
            LDAP_USER_BASE_DN: "ou=people,dc=example,dc=net"
            LDAP_USERNAME_ATTRIBUTE: "sAMAccountName"

The base DN defined by the LDAP_USER_BASE_DN property should be the common base shared by all Guacamole users within your LDAP directory, while the attribute which contains the user’s username is defined by LDAP_USERNAME_ATTRIBUTE. The base DN is always required if LDAP is being used.

Direct username mapping

By default, Guacamole will attempt to derive the user’s DN directly by prepending the username attribute to the base DN. For example, assume a user is attempting to login with the username “someUser”. If the base DN is “ou=people,dc=example,dc=net” and the username attribute is “uid” (the default), then Guacamole will perform the following steps to authenticate the user:

Prepend the username to the base DN using the “uid” attribute, producing the DN: “uid=someUser,ou=people,dc=example,dc=net”.
Attempt to bind using the DN “uid=someUser,ou=people,dc=example,dc=net” and the password provided by the user.
If the bind attempt succeeds, authentication is successful.

Indirect username mapping

For more complex cases, where the user DN is cannot be directly derived by prepending the username attribute, Guacamole can instead issue an LDAP query to determine the user DN. This requires a search DN and password, defined with the LDAP_SEARCH_BIND_DN and LDAP_SEARCH_BIND_PASSWORD properties respectively, which Guacamole will bind as when performing the query:

            # Indirect Username Mapping
            LDAP_SEARCH_BIND_DN: "cn=someUser,ou=people,dc=example,dc=net"
            LDAP_SEARCH_BIND_PASSWORD: "some_password"

With the search DN and password configured, Guacamole will perform the following steps to authenticate a user:

Bind to the LDAP directory using the search DN and password.
Issue an LDAP query for objects within the subtree of the base DN that contain the user’s username within the defined username attribute.
If exactly one such object is found, attempt to bind using the DN of that object and the password provided by the user.
If the bind attempt succeeds, authentication is successful.

Mapping Guacamole groups to LDAP DN’s

Access to connections within Guacamole may be dictated through LDAP user groups via either of two mechanisms:

Defining connections directly within LDAP using schema modifications and dictating group access using the "seeAlso" attribute.
Mapping LDAP groups to Guacamole groups and leveraging a database to dictate access.

As it is usually preferable to avoid modifying the LDAP schema, mapping LDAP groups to Guacamole groups is recommended. Doing this will require defining the base DN under which all relevant LDAP groups may be found and defining the LDAP attribute that should be used by Guacamole to determine the unique name of the group:

            # Mapping Guacamole groups to LDAP DN's
            LDAP_GROUP_BASE_DN: "ou=groups,dc=example,dc=net"
            LDAP_GROUP_NAME_ATTRIBUTE: "cn"

If connections are being stored within LDAP using "guacConfigGroup" objects, and you wish to control access to these connections via LDAP groups, this is accomplished using the standard "seeAlso" attribute and the LDAP_GROUP_BASE_DN property is required.

If connections are being stored outside of LDAP, such as within a database, and you wish to control access using LDAP groups, both LDAP_GROUP_BASE_DN and LDAP_GROUP_NAME_ATTRIBUTE will be required. The group membership of a user cannot be queried without a base DN, and the unique name to be used by other parts of Guacamole to represent the group cannot be determined without the name attribute.

(3) Restart the containers

Simple Install:

sudo ./kcm-setup.run upgrade

The containers should restart after the upgrade. If not run:

sudo ./kcm-setup.run start

Custom Install:

sudo su
docker-compose up -d

Configuration is complete.

Custom Root Certificate

If you require the use of a custom Root Certificate for your LDAP server, you can volume mount the file /etc/pki/ca-trust/extracted/java/cacerts in your Docker Compose to override this certificate in the guacamole docker container.

Import the certificate into a Java truststore using "keytool".
Volume mount the cacerts file to your target guacamole docker container

Using Multiple LDAP Servers

Multiple LDAP Servers with KCM

Auto Docker or Docker Compose

When using the docker version of KCM, you can list the multiple LDAP servers in your docker-compose.yml file using the environment variable LDAP_SERVERS in the environment section of the guacamole service, as shown below:

version: "3"
services:
    guacamole:
        image: keeper/guacamole:2
        restart: unless-stopped
        depends_on:
            - guacd
            - db
        environment:
            ACCEPT_EULA: "Y"
            GUACD_HOSTNAME: "guacd"
            LDAP_SERVERS: |
              - hostname: server1.example.net
                user-base-dn: OU=Users,DC=example,DC=net
                username-attribute: sAMAccountName
                search-bind-dn: CN=Guacamole,OU=Services,DC=example,DC=net
                search-bind-password: SomePassword!

              - hostname: server2.example.net
                user-base-dn: OU=Users,DC=example,DC=net
                username-attribute: sAMAccountName
                search-bind-dn: CN=Guacamole,OU=Services,DC=example,DC=net
                search-bind-password: SomePassword!

Using LDAP_SERVERS will automatically create /etc/guacamole/ldap-servers.yml within the guacamole container.

When using LDAP_SERVERS in your docker-compose.yml, don't volume mount the ldap-servers.yml file (since this will be handled automatically). For advanced or non-docker installations, .

Using LDAP with a database

If multiple authentication methods are installed, Keeper Connection Manager will poll each method as it attempts to authenticate users, and will retrieve connection data from each method once a user has successfully authenticated. This behavior is designed to allow authentication methods to work together, and can be leveraged to authenticate Keeper Connection Manager users against LDAP while storing the connection data for those users within MySQL, PostgreSQL, or SQL Server.

Keeper Connection Manager's definition of identity

When reading data from multiple authentication methods, Keeper compares the unique identifiers of users (usernames) and groups to determine identity. This means that user accounts from different authentication systems will be automatically combined by Keeper upon successful authentication as long as those user accounts have the same username, and group memberships will take effect across authentication systems so long as the unique names of those groups match.

If both LDAP and a database authentication method have been configured, Keeper will automatically attempt to authenticate against both systems whenever a user attempts to log in. The LDAP account will be considered equivalent to the database user if the username is identical, and that user will have access to any data associated with them via the database, as well as any visible objects within the LDAP directory. If that user has permission to query their group memberships within LDAP, and Keeper has been configured to query groups within LDAP, then the user's group membership will also be retrieved upon authentication, and the user will have access to any data associated with those groups via the database.

For a user known to exist within LDAP, that user can be granted permissions to connections within the database by logging in as the administrative user (by default, “guacadmin”) and creating a corresponding database account having the same username. By leaving the password unspecified for the database account, the user will only be able to log in using LDAP, but will still have access to any associated connections defined within the database.

Administering LDAP users within Keeper Connection Manager

Rather than having to manually look up users or groups within the LDAP directory, and then manually create those same users and groups within Keeper Connection Manager, it is possible to set up administrative user accounts which can already see and manage available LDAP objects. This streamlines the administrative process, reducing the number of users which must be manually created to one.

To see LDAP objects within Keeper Connection Manager's administrative interface, one of the following tasks must be performed:

An administrative user within the Keeper Connection Manager database, such as the default “guacadmin” user, must be manually created within LDAP with the same username and with sufficient privileges to query all Guacamole users and groups defined within LDAP.
An administrative user must be manually created within Keeper Connection Manager having the same username as an LDAP user with sufficient privileges to query all Guacamole users and groups defined within LDAP.

Because a Keeper Connection Manager user created as defined above would have access to LDAP users and groups, database users and groups, and database connections, all of this data will be unified within the same administrative interface within Keeper Connection Manager. The user will be able to grant LDAP users and groups access to connections within the database to just as they would if only the database were in use.

Account Restrictions

Applying user-based account restrictions

User Management in Keeper Connection Manager

Keeper Connection Manager offers flexible user management capabilities that allow administrators to control access, apply account restrictions, assign permissions, and configure connection visibility for individual users or groups.

Accessing User Settings

To manage user accounts:

Log in to your Keeper Connection Manager instance as an administrator.
Navigate to the Settings tab.
From here, you can create new users or edit existing ones.

Account Restrictions

When configuring a user account, the following restrictions can be applied:

Login Disabled: Prevents the user from logging in to the system.
Password Expired: Forces the user to reset their password at next login.
Allow Access After: Grants access starting at a specific date and time.
Do Not Allow Access After: Prevents access after a specific date and time.
Enable Account After: Activates the user account at a scheduled time.
Disable Account After: Deactivates the account after a scheduled time.

Keeper Secrets Manager

Individual users can be assigned a specific Keeper Secrets Manager configuration, allowing the user to use credentials from their vault for establishing privileged sessions to any target. See the Multiple Vaults Integration page for more info.

User and Group Permissions

Permissions can be granted at the individual user level or inherited from a user group. Available permissions include:

Administer System: Full administrative rights over the instance.
Create New Users: Ability to create and manage user accounts.
Create New User Groups: Ability to create and assign user groups.
Create New Connections: Permission to define new connection entries.
Create New Connection Groups: Ability to group related connections.
Create New Sharing Profiles: Manage sharing templates and permissions.
Change Own Password: Allows users to update their own credentials.

Group Assignments and Connection Access

Users can be assigned to one or more groups, inheriting the group’s permissions and restrictions.

In addition, administrators can assign:

Specific Connections: Restrict the user to a defined set of connections.
All Connections: Grant access to all available connections in the environment.

Keeper Connection Manager provides flexible user management options that include account restrictions, administrative permissions and connection targets.

Importing and Exporting

Data can be imported to a MySQL connection from a file on your machine, or exported and downloaded to you machine.

Import

Import data from a file on your machine into the MySQL connection.

To import data from a csv file, is the LOAD DATA MySQL command:

LOAD DATA LOCAL INFILE "input.csv" INTO TABLE <table> FIELDS
  TERMINATED BY ',' ENCLOSED BY '"' LINES TERMINATED BY '\r\n'

In the example above, "<table>" should be replaced with the SQL table to import data into. The other parts of the command are required for CSV-formatted files. If your uploaded file uses different termination characters update the query accordingly.

After running the query, Keeper Connection Manager will prompt you to supply the data file. To upload the file, simply drag and drop it from your machine onto the browser window.

The file uploaded does not have to have the same name given in the query

Export

Data from the connected MySQL database can be exported to a file on your machine. To do this, use the following query:

 SELECT <query> INTO LOCAL OUTFILE "<name>.csv"

The result of the given <query> will be put into a CSV file with the given name and downloaded from the browser to your machine.

Importing and Exporting

Data can be imported to a PostgreSQL connection from a file on your machine, or exported and downloaded to you machine.

Import

Import data from a file on your machine into the PostgreSQL connection.

To import data from a csv file, is the COPY command:

After running the query, Keeper Connection Manager will prompt you to supply the data file. To upload the file, simply drag and drop it from your machine onto the browser window.

The file uploaded does not have to have the same name given in the query

Export

Data from the connected PostgreSQL database can be exported to a file on your machine. To do this, use the following query:

The result of the given <query> will be put into a CSV file with the given name and downloaded from the browser to your machine.

Importing and Exporting

Data can be imported to a SQL Server connection from a file on your machine, or exported and downloaded to you machine.

Import

Import data from a file on your machine into the SQL Server connection.

To import data from a csv file, is the COPY command:

BULK INSERT <table> FROM LOCAL FILE

After running the query, Keeper Connection Manager will prompt you to supply the data file. To upload the file, simply drag and drop it from your machine onto the browser window.

The file uploaded does not have to have the same name given in the query

Export

Data from the connected PostgreSQL database can be exported to a file on your machine. To do this, use the following query:

 SELECT <query> INTO LOCAL OUTFILE "<name>.csv"

The result of the given <query> will be put into a CSV file with the given name and downloaded from the browser to your machine.

Connecting to Host Instance

Connecting from the Docker container to the KCM host instance

In a Docker install environment, it's possible to establish a connection to the Keeper Connection Manager host instance using a special host name called host.docker.internal.

To configure this, update the file /etc/kcm-setup/docker-compose.yml guacd section to include the "extra_hosts" parameter, as seen below:

Update the docker environment for the change to take effect.

Then, from within Keeper Connection Manager, you can create a new connection which simply references the Hostname of host.docker.internal.

For more information, see the below helpful article:

Persistent Reverse SSH Tunnel

Connecting to an environment without ingress connections

Overview

It may be necessary to create a connection into a target system which blocks ingress connections or is behind a firewall, particularly if you cannot install Keeper Connection Manager on a device within the target network.

For this use case, Keeper Connection Manager supports the use of reverse SSH tunnels. This guide provides a method of setting up a reverse SSH tunnel to access a system that is otherwise inaccessible due to inbound network restrictions.

This guide covers reverse SSH tunnels using the Auto Docker Install method and a target endpoint. Once the tunnel and configuration is complete, Keeper Connection Manager can establish a connection to the remote endpoint through the tunnel. You can use any supported connection within the tunnel, one established.

Using KeeperPAM instead of Reverse SSH Tunnels

Keeper's cloud-based product called KeeperPAM provides zero-trust encrypted connections through the Keeper vault. This eliminates the need for reverse SSH tunnels.

How to Use KCM

Features and functionality of the Keeper Connection Manager interface

Keeper Connection Manager provides access to the functionality of a desktop from within your web browser. The interface is designed to be as seamless and unobtrusive as possible.ogin

Home Screen

Selecting connections and user settings.

Launching Connections

Features and functionality of the connection session and the sidebar menu.

Connection Screen

Manage the clipboard, view multiple connections at once, upload or download files, and change input settings within a connection session

Creating Connections

How to create Keeper Connection Manager connections for each supported protocol type

File Transfer

Configure and use Keeper Connection Manager drag-and-drop file transfer

Share access to Keeper Connection Manager connections with anyone with an internet browser

Session Recording

How to configure screen and keystroke recording for all session types.

AWS EC2 Discovery

Automatically discover your EC2 instances for dyanamic connections.

Credential Pass-Through

Pass through tokens from the login screen to the target connections.

Dynamic Connections

Launch connections using arbitrary parameters through signed JSON requests.

Custom Branding

Customize the look and feel of the Keeper Connection Manager instance.

Login Screen

Keeper Connection Manager User Guide - Login Screen

About

The login screen is the first screen users see when they access Keeper Connection Manager. Users use a username and password, or SSO credentials to authenticate into the rest of the platform.

Logging In

Username

Users use their username to login to Keeper Connection Manager. This username is set when creating or importing users.

The KCM username is sometimes an email address, but it can be a non-email username as well.

Password

The user's password. Set when creating or importing the user. Passwords can also be reset by users if allowed.

TIP: The Keeper Browser Extension can be used to automatically fill in the Keeper Connection Manager username and password!

See the authentication documentation pages for more information about setting up additional login methods such as LDAP, SAML 2.0, and OpenID Connect as well as information on setting up 2FA

Authentication Options

As of KCM version 2.9.6, KCM can be configured to limit a user's ability to login after multiple consecutive failed login attempts. This blocks brute-force login attacks on KCM instances.

By default KCM will lock a user out of logging in for 5 minutes after 5 failed attempts

This setting can be removed, and the number of attempts before a user is locked out and how long they are locked for can be configured with the following guacamole properties or environment variables (depending on installation method):

Docker Compose Property

Environment Variable

Type

Descriptions

ban-max-invalid-attempts

BAN_MAX_INVALID_ATTEMPTS

number

The number of invalid attempts before a user is locked out

ban-address-duration

BAN_ADDRESS_DURATION

number

The amount of time in seconds a user is locked out for after hitting the invalid attempts limit

ban-max-addresses

BAN_MAX_ADDRESSES

number

The number of addresses that KCM will track to check for invalid attempts. Defaults to 10485760

Home Screen

Keeper Connection Manager user guide - home screen

Overview

The Keeper Connection Manager home screen provides quick access to any connection that you have been granted access to.

If you have access to multiple connections, you will be taken to the dashboard where all available connections are listed. If you only have access to a single connection, you will be routed directly to that connection.

My Connections

The home screen contains a list of all connections to which you have access, along with thumbnails of any recently used or active connections. Thumbnail images update dynamically while a machine is being accessed. If you have access to a large number of connections and wish to quickly locate a specific connection, you can also enter search terms within the “Filter” field to filter the list of connections by name.

Clicking on any connection will open that connection within the current window or tab, but multiple connections can be used simultaneously.

Each connection you use will remain active until explicitly disconnected, or until you navigate away from Keeper Connection Manager entirely. Active connections can be seen as thumbnails updating in real-time on the home screen.

If a user only has access to a single remote connection, they will immediately connect upon login.

With the exception of the client connection screen, all Keeper Connection Manager screens contain a menu in the upper-right corner called the “user menu”. This menu displays your username and contains several options which depend on your level of access.

Home

Navigates back to the home screen, if you are not already there. If you only have access to one connection, this will be replaced with a link to that connection.

Settings

Navigates to the settings interface, which provides the core Administrative functions (if you have rights to access this area) and and user preferences such as display language.

Logout

Logs out of Keeper Connection Manager completely, closing all current connections and ending the Keeper Connection Manager session.

Sharing Connections

Creating on-demand, shared and collaborative remote connections in Keeper Connection Manager

Overview

Keeper Connection Manager supports on-demand, shared, and collaborative access to sessions through a simple, shareable URL. This enables teams to easily grant access to server or application sessions—even to users without a Keeper Connection Manager account.

Key use cases include:

Training or remote assistance with monitored access to a server or web app
Collaborative sessions with multiple users in view-only or full-control mode
Granting temporary access without consuming a user license

To enable this feature:

Create a Sharing Profile on the desired connection
Generate and distribute a Share URL

The first step to connection sharing is to create a Sharing Profile. This needs to be made for each connection that will be shared.

To create a sharing profile, head to the "Connection" tab of the Settings menu and click the arrow next to the connection you would like to add a sharing profile to.

You will see a list of all the sharing profiles created for this connection, click "New Sharing Profile" to create a new profile, or click an existing sharing profile to edit it.

The Sharing Profile form will open. Fill in the name and options to configure the sharing profile.

Click "Save" to create the sharing profile.

When editing an existing profile, you also have the options to delete or clone the profile.

To initiate a connection share, from within a connection session first open the connection menu using Ctrl+Shift+Win (Ctrl+Shift+Cmd for Mac). When at least one sharing profile exists for the connection, the "Sharing" menu will appear next to the user's name.

Click "Sharing" to see a list of the sharing profiles for this connection.

Select which profile to use and click it to create a sharing URL which can be shared to give anyone access to this connection session.

When someone without an account in this Keeper Connection Manager system connections to the session, they will have full access to the connection (unless "Read Only" was selected in the sharing profile settings) however they will not have a user menu, or sharing menu.

Join & Leave Notifications for Shared Connections

When joining a shared connection via a share link or the “Active Sessions” tab of the admin/settings area, the original user of that connection will now receive a notification in the upper-right corner of the connection view showing that a user has joined:

If the user that joined was authenticated with KCM at the time, the original user will also be able to see that user’s username. A similar notification will appear whenever a user leaves the connection.

An indicator showing the number of other users currently sharing the connection will remain visible to the original user for as long as there are other users on the connection. If the user hovers the mouse over the indicator, a tooltip appears showing the usernames of all other users and how many concurrent connections they have to the current shared connection:

If the user sharing the session has no associated username (common for share links), the user appears as “Anonymous”:

Credential Pass-Through

Dynamic pass-through tokens for establishing connections

The values of connection parameters can contain "tokens" which will be dynamically replaced by Keeper Connection Manager when used. These tokens allow the values of connection parameters to vary dynamically by the user using the connection, and provide a simple means of forwarding authentication information without storing that information in the connection configuration itself, so long as the remote desktop connection uses the same credentials as Keeper Connection Manager.

Common uses for these tokens include:

Automatically authenticating users with their remote desktops by. This is typically useful when both Keeper Connection Manager and the remote desktops authenticate against the same, central authority, such as.
Providing remote desktops with, as may be required for licensing, auditing, or logging.
Automatically organizing session recordings using

Each token is of the form ${TOKEN_NAME}, where TOKEN_NAME is some descriptive name for the value the token represents. Tokens with no corresponding value will never be replaced, but should you need such text within your connection parameters, and wish to guarantee that this text will not be replaced with a token value, you can escape the token by adding an additional leading "$", as in "$${TOKEN_NAME}".

These tokens are replaced dynamically each time a connection is used. If two different users access the same connection at the same time, both users will be connected independently of each other using different sets of connection parameters.

Username/password pass-through

When a user authenticates with Keeper Connection Manager, the credentials that they used may be automatically passed through to their connections using the "${GUAC_USERNAME}" and "${GUAC_PASSWORD}" tokens. These may be specified within any connection parameters, including the parameters which specify the username and password to be used to connect to the remote desktop, thus allowing the administrator to explicitly define how and whether user credentials are passed through. Unless these tokens are specified by the administrator, no such pass-through will take place.

Parameter token

Description

Client hostname/address information

The hostname (if known) or IP address of the machine that the current Keeper user is connecting from may be included within connection parameters using the "${GUAC_CLIENT_HOSTNAME}" and "${GUAC_CLIENT_ADDRESS}" tokens respectively. Note that the client address may not be the true address of the user if they are connecting through one or more proxies, or if they are connecting through a VPN, and there may be no associated hostname for that address.

Parameter token

Description

Current date and time

Timestamps representing when the user started the connection may be included within connection parameters using the "${GUAC_DATE}" and "${GUAC_TIME}" tokens. Each of these tokens are replaced by values that consist only of digits. It is common to use these tokens within the parameter specifying the name of the session recording to be created, perhaps together with the "${GUAC_USERNAME}" token, to allow recordings to be given reasonably unique names and to be organized automatically.

For example, if connection were configured to record sessions to files names "${GUAC_USERNAME}-${GUAC_DATE}-${GUAC_TIME}.guac", and a user named "someuser" connected to that connection on January 1st, 2020, at exactly midnight, the session recording created would be named "someuser-20200101-000000.guac".

Parameter token

Description

Add Your Logo

Easily add your logo to your KCM instance

Adding your logo to KCM

84KB

kcm-add-logo.zip

Vault Integration

Integrate Keeper Connection Manager with the Keeper Vault for protecting and retrieving session credentials

Overview

Keeper Secrets Manager integrates with Keeper Connection Manager to provide dynamic retrieval of credentials that are stored in the Keeper Vault. This integration allows the Admin to provide privileged sessions with credentials that are stored and protected in the encrypted Keeper vault.

Using , Keeper Connection Manager can securely access RDP, SSH, MySQL, VNC and other credentials from the Keeper Vault. With this integration, connection credentials are protected in the encrypted Keeper vault and never stored in plain text. In the connection properties, you can simply reference the hostname or specified Vault record identifier and Keeper will pull the necessary credentials at runtime. Access credentials are never exposed to the user.

This documentation assumes that you already have a Keeper Enterprise subscription with Keeper Secrets Manager activated.

If you do not already have a Keeper subscription, please sign up for a 14-day free trial from this site:
If you already have a Keeper subscription but haven't activated Keeper Secrets Manager, .

Integration Features

Securely store connection secrets like SSH keys and Admin passwords in your Keeper Vault
Dynamically pull credentials from Keeper on-demand when establishing connections
Eliminate hard-coded credentials and secrets
Securely store guacamole properties in the Keeper Vault such as MySQL passwords

Advanced

Advanced features of the Keeper Vault integration

Config Parameter Protection

The Keeper Vault can be utilized to protect and store configuration secrets that would normally be hard-coded into the guacamole.properties or Docker Compose file.

Auto Docker Install Method

If you installed Keeper Connection Manager using the Auto Docker Install method, configuration secrets are protected in the auto-generated Docker Compose file.

As root, edit the /etc/kcm-setup/docker-compose.yml file.

For each configuration secret that you want to protect, you can replace the entry with a direct lookup in the Keeper vault. A good example of this is replacing the hard-coded MySQL database password with a vault record.

BEFORE:

MYSQL_HOSTNAME: "db"
MYSQL_DATABASE: "guacamole_db"
MYSQL_USERNAME: "guacamole_user"
MYSQL_PASSWORD: "your_mysql_database_password"

AFTER:

MYSQL_HOSTNAME: "db"
MYSQL_DATABASE: "guacamole_db"
MYSQL_USERNAME: "guacamole_user"
MYSQL_PASSWORD_KSM_SECRET: keeper://2ZlOFQAYi4DubJWBtSbRxw/field/password

The token syntax is using Keeper Notation. The name of the parameter must follow the format of *_KSM_SECRET. In this example, the MySQL database password is pulled directly from a Keeper record in the Shared Folder.

The value of each *_KSM_SECRET variable should be the Keeper notation of the secret that should be used to pull the necessary configuration value. For example, if SOME_VARIABLE_KSM_SECRET were set to valid Keeper notation, then the value of the Guacamole property normally associated with SOME_VARIABLE will be pulled from that secret in KSM.

Once the file changes have been saved, update the containers:

$ sudo ./kcm-setup.run upgrade

Docker Compose Install Method

Edit your docker-compose.yml file.

MYSQL_HOSTNAME: "db"
MYSQL_DATABASE: "guacamole_db"
MYSQL_USERNAME: "guacamole_user"
MYSQL_PASSWORD_KSM_SECRET: keeper://2ZlOFQAYi4DubJWBtSbRxw/field/password

The token syntax is using Keeper Notation. In this example, the MySQL database password is pulled directly from a Keeper record in the Shared Folder as seen below:

Once the file changes have been saved, update the containers:

sudo su
docker-compose up -d

Other configuration options

In docker installations, the parameter ADDITIONAL_GUACAMOLE_PROPERTIES_KSM can be used to move parameters from the guacamole.properties file into guacamole.properties.ksm.

KeeperPAM

Embedded zero-trust sessions in the Keeper Vault

For a cloud-based solution that is fully integrated into the Keeper Vault, make sure to check out the new KeeperPAM product. KeeperPAM is a next-gen privileged access management solution that secures and manages access to critical resources, including servers, web apps, databases and workloads.

KeeperPAM consolidates enterprise password management, secrets management, connection management, zero-trust network access, remote browser isolation and an cloud-based access control plane in one unified product. Customers who purchase KeeperPAM may also use Keeper Connection Manager for self-hosted use cases.

To learn more about KeeperPAM or sign up for a trial:

For a quick animated demo, click Play below:

Custom Extensions

Integrating Keeper Connection Manager with 3rd party software and applications

Extension API Overview

Keeper Connection Manager is designed to be integrated with third-party systems and applications using the Extension API, which allows arbitrary systems to serve as methods of authentication and as data sources.

The Extension API was used to implement the authentication mechanisms supported by Keeper Connection Manager and Apache Guacamole out-of-the-box. For Keeper Connection Manager 2.x, regardless of any updates, the extension API is compatible with upstream Apache Guacamole 1.0.0 through 1.3.0.

Example Project

We have published an example custom extension project which can be used to inject arbitrary parameter tokens when a user initiates a connection.

The example is published here:

Additional Documentation

(referenced by parts of the extension API)

If you are not sure where to begin with integrating Keeper Connection Manager, or are having difficulties with your existing integration,

Login Attempts Properties

As of KCM version 2.9.6, KCM can be configured to limit a user's ability to login after multiple consecutive failed login attempts. This blocks brute-force login attacks on KCM instances.

By default KCM will lock a user out of logging in for 5 minutes after 5 failed attempts

Use the following properties to change the login attempt settings

Property

Description

Telnet

Advanced configuration of Telnet connection type

Overview

Telnet is a text protocol and provides similar functionality to SSH. By nature, it is not encrypted, and does not provide support for file transfer. As far as graphics are concerned, Guacamole's telnet support works in the same manner as SSH: it emulates a terminal on the server side which renders to the Guacamole client's display.

Keeper's support for the telnet protocol is controlled through the use of several parameters. When a database like MySQL or PostgreSQL is used, these parameters are presented in a convenient web interface. If defining connections through another mechanism, such as through encrypted JSON or LDAP schema modifications, parameters are specified using their internal parameter names.

This document is intended to cover all supported parameters, grouped in the same way they are grouped within the web interface. The field headings which would appear in the web interface are provided for each parameter, along with each parameter's internal name and a thorough description of the behavior and legal values for that parameter.

Keeper Secrets Manager parameters
Network parameters
Authentication parameters
Display settings
- Custom color schemes
Clipboard parameters
Terminal behavior parameters
Text session recording (typescripts)
Screen recording parameters

Keeper Secrets Manager parameters

Field header

Parameter name

Description

Allow user-provided KSM configuration:

ksm-user-config-enabled

If set to "true", each Keeper Connection Manager user profile can be assigned to a Keeper Secrets Manager configuration for any connection. See the screen for more information.

Network parameters

Telnet connections are established over TCP to a specific port and a specific hostname or IP address. The hostname/address must be specified for all telnet connections, but you only need to specify a port if you are not using the standard telnet port (23).

Field header (web interface)

Parameter name

Description

Hostname:

hostname

REQUIRED: The hostname or IP address of the telnet server Guacamole should connect to.

Port:

port

The port the telnet server is listening on. By default, the standard telnet port of 23 will be used.

Authentication parameters

Telnet does not actually provide any standard means of authentication. Authentication over telnet depends entirely on the login process running on the server and is interactive. To cope with this, Guacamole provides non-standard mechanisms for automatically passing the username and entering password. Whether these mechanisms work depends on specific login process used by your telnet server.

The de-facto method for passing the username automatically via telnet is to submit it via the USER environment variable, sent using telnet's "NEW-ENVIRON" option. This is the mechanism used by most telnet clients, typically by specifying -l on the command line.

Passwords cannot typically be sent automatically - at least not as reliably as the username. There is no PASSWORD environment variable, nor any similar mechanism for passing the password to the telnet login process, and most telnet clients provide no built-in support for automatically entering the password. The best that can be done is to heuristically detect the password prompt and type the password on behalf of the user if/when the prompt appears. The prescribed method for doing this with a traditional command-line telnet is to use a utility like expect. Guacamole provides similar functionality by searching for the password prompt with a regular expression. This same regular expression mechanism is also implemented as an option for handling the username prompt (if "NEW-ENVIRON" is unavailable), as well as for detecting login success/failure.

Field header (web interface)

Parameter name

Description

Username:

username

The username to use to authenticate, if any. If not specified, or not supported by the telnet server, the login process on the telnet server will prompt you for your credentials. For this to work, your telnet server must either support the "NEW-ENVIRON" option (and pay attention to the USER environment variable) or provide a prompt which can be matched against a regular expression. Most telnet servers satisfy this criteria.

Password:

password

The password to use when attempting authentication, if any. If specified, your password will be typed on your behalf when the password prompt is detected.

Username regular expression:

username-regex

The regular expression to use to detect the username prompt when the username cannot be provided using "NEW-ENVIRON". If not specified, a reasonable default built into Guacamole will be used. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by egrep).

Password regular expression:

password-regex

The regular expression to use to detect the password prompt. If not specified, a reasonable default built into Guacamole will be used. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by egrep).

login-success-regex

The regular expression to use when detecting that the login attempt has succeeded. If specified, the terminal display will not be shown to the user until text matching this regular expression has been received from the telnet server. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by egrep).

login-failure-regex

The regular expression to use when detecting that the login attempt has failed. If specified, the connection will be closed with an explicit login failure error if text matching this regular expression has been received from the telnet server. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by egrep).

Display settings

Guacamole's telnet support provides a display, but not in the same sense as a remote desktop protocol like VNC or RDP. The display is a terminal emulator, and thus provides options for configuring the font used and its size.

If selecting a different font for a telnet connection, the chosen font must be installed on the server running guacd. It is the server that will handle rendering of characters to the terminal display, not the client.

Field header (web interface)

Parameter name

Description

Color scheme:

color-scheme

The color scheme to use for the terminal emulator used by telnet connections. Each color scheme dictates the default foreground and background color for the terminal. Programs which specify colors when printing text will override these defaults. Legal values are:

"black-white" - Black text over a white background
"gray-black" - Gray text over a black background (the default)
"green-black" - Green text over a black background
"white-black" - White text over a black background
A custom color scheme (as described below)

By default, Guacamole will render text as gray over a black background.

Font name:

font-name

The name of the font to use. If not specified, the default of "monospace" will be used instead. This must be the name of a font installed on the server running guacd, and should be a monospaced font. If a non-monospaced font is used, individual glyphs may render incorrectly.

Font size:

font-size

The size of the font to use, in points. By default, the size of rendered text will be 12 point.

Maximum scrollback size:

scrollback

The maximum number of rows to allow within the terminal scrollback buffer. By default, the scrollback buffer will be limited to a maximum of 1000 rows.

Read-only:

read-only

Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will be able to see the terminal (or the application running within the terminal) but will be unable to interact.

Custom color schemes

Custom color schemes may be provided for the terminal emulator used by telnet connections. Custom schemes mimic the format used by Xterm and consist of a semicolon-separated series of name-value pairs. Each name-value pair is separated by a colon and assigns a value to a color in the terminal emulator palette.

For example, to use blue text on white background by default, and change the red color to a purple shade, you would specify:

foreground: rgb:00/00/ff;
background: rgb:ff/ff/ff;
color9: rgb:80/00/80

Legal color names are:

"foreground" - the default foreground color.
"background" - the default background color.
"colorN" - the color at index N within the Xterm 256-color palette. For example, "color9" refers to the color at palette index 9, normally red.

Legal color values are:

"rgb:RR/GG/BB" - a color in RGB format, with each component in hexadecimal. For example, "rgb:ff/00/00" specifies the color red. Each hexadecimal component may be one to four digits, but the effective values are always zero-extended or truncated to two digits; for example, "rgb:f/8/0", "rgb:f0/80/00", and "rgb:f0f/808/00f" all refer to the same effective color.
"colorN" - the color currently assigned to index N within the Xterm 256-color palette. For example, "color9" specifies the color currently assigned to palette index 9. Note that the current color value is used rather than a reference to that color. If the referenced color is changed later in the color scheme configuration, that new color value will not be reflected in this assignment.
"NAME" - the color with human-readable name "NAME", where "NAME" is one of the standard color names supported by X11. These names generally correspond to the names standardized by the W3C for CSS.

Clipboard parameters

Guacamole provides bidirectional access to the clipboard by default for telnet connections. This behavior can be overridden on a per-connection basis, restricting access to the clipboard.

Field header (web interface)

Parameter name

Description

Disable copying from terminal:

disable-copy

If set to "true", text copied within the telnet session will not be accessible by the user at the browser side of the Guacamole session, and will be usable only within the remote desktop. By default, the user will be given access to the copied text.

Disable pasting from client:

disable-paste

If set to "true", text copied at the browser side of the Guacamole session will not be accessible within the telnet session. By default, the user will be able to paste data from outside the browser within the telnet session.

Terminal behavior parameters

In most cases, the default behavior of the Guacamole terminal emulator works without modification. However, when connecting to certain systems (particularly operating systems other than Linux), the terminal behavior may need to be tweaked to allow it to operate properly. Guacamole's telnet support provides parameters for controlling the control code sent for backspace, as well as the terminal type claimed via the TERM environment variable.

Field header (web interface)

Parameter name

Description

Backspace key sends:

backspace

The integer value of the terminal control code that should be sent when backspace is pressed. Under most circumstances this should not need to be adjusted; however, if, when pressing the backspace key, you see control characters (often either ^? or ^H) instead of seeing the text erased, you may need to adjust this parameter. By default, the control code 127 (Delete) is sent.

Terminal type:

terminal-type

The terminal type string that should be passed to the telnet server. This value will typically be exposed within the telnet session as the TERM environment variable and will affect the control characters sent by applications. By default, the terminal type string "linux" is used.

Text session recording (typescripts)

The full, raw text content of telnet sessions, including timing information, can be recorded automatically to a specified directory. This recording, also known as a "typescript", will be written to two files within the directory specified: one file contains the raw text data, and the other contains timing information. Where "NAME" is the value provided for the typescript name, these files will be named "NAME" and "NAME.timing" respectively.

This format is compatible with the format used by the standard UNIX script command, and can be replayed using scriptreplay (if installed). For example, to replay a typescript called "NAME", you would run:

$ scriptreplay NAME.timing NAME

Field header (web interface)

Parameter name

Description

Typescript path:

typescript-path

The directory in which typescript files should be created. If a typescript needs to be recorded, then this parameter is required. Specifying this parameter enables typescript recording. If this parameter is omitted, no typescript will be recorded.

Typescript name:

typescript-name

The base filename to use for any created recordings. If omitted, the base filename "typescript" will be used.

Guacamole will never overwrite an existing typescript. If necessary, a numeric suffix like ".1", ".2", ".3", etc. will be appended to the base filename to avoid overwriting an existing recording. If even appending a numeric suffix does not help, the typescript will not be recorded, and an error will be logged.

This parameter only has an effect if typescript recording is enabled, which is controlled by specifying a typescript path. If the typescript path is not specified, recording of typescripts will not be enabled, and this parameter will be ignored.

Automatically create typescript path:

create-typescript-path

If set to "true", the final directory within the specified typescript path will automatically be created if it does not yet exist. By default, no part of the typescript path will be automatically created, and any attempt to use a non-existent directory will result in the typescript not being recorded and an error being logged.

Only the final directory in the path will be automatically created. If other directories earlier in the path do not exist, the typescript will not be recorded, and an error will be logged.

Screen recording parameters

Telnet sessions can be recorded graphically. These recordings take the form of Guacamole protocol dumps and are recorded automatically to a specified directory. Recordings can be subsequently played back using the Keeper Connection Manager Session Recording Player application hosted at player.glyptodon.com (or using a local deployment of this application).

The player is a static web application, using only JavaScript to play back provided recordings. This functionality is implemented strictly locally; the recordings are not uploaded to a remote service for processing. If you would prefer to use your own deployment of this application, or would like to investigate the source, the full source of the Keeper Connection Manager Session Recording Player can be found on GitHub, along with instructions for local deployment: https://github.com/glyptodon/glyptodon-enterprise-player

The latest version of Keeper Connection Manager supports on-screen playback of recorded sessions. See the Session Recording documentation page.

Field header (web interface)

Parameter name

Description

Recording path:

recording-path

The directory in which screen recording files should be created. If a graphical recording needs to be created, then this parameter is required. Specifying this parameter enables graphical screen recording. If this parameter is omitted, no graphical recording will be created.

Recording name:

recording-name

The filename to use for any created recordings. If omitted, the filename of each recording will simply be "recording".

Guacamole will never overwrite an existing recording. If necessary, a numeric suffix like ".1", ".2", ".3", etc. will be appended to the filename to avoid overwriting an existing recording. If even appending a numeric suffix does not help, the session will not be recorded, and an error will be logged.

This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

Exclude graphics/streams:

recording-exclude-output

If set to "true", graphical output and other data normally streamed from server to client will be excluded from the recording, producing a recording which contains only user input events. By default, graphical output will be included in the recording.

Exclude mouse:

recording-exclude-mouse

If set to "true", user mouse events will be excluded from the recording, producing a recording which lacks a visible mouse cursor. By default, mouse events will be included in the recording.

Include key events:

recording-include-keys

If set to "true", user key events will be included in the recording. The recording can subsequently be passed through the guaclog utility to produce a human-readable interpretation of the keys pressed during the session. By default, for privacy's sake, key events will be NOT included in the recording.

Automatically create recording path:

create-recording-path

If set to "true", the final directory within the specified recording path will automatically be created if it does not yet exist. By default, no part of the recording path will be automatically created, and any attempt to use a non-existent directory will result in the session not being recorded and an error being logged.

Only the final directory in the path will be automatically created. If other directories earlier in the path do not exist, the session will not be recorded, and an error will be logged.

Creating Connections

Managing and creating connections to your infrastructure

About Connections

Connections specify the protocol and customizable parameters that define the authentication and customized behavior. Connections can be created from the Settings menu. Only users with "Create new connections" permission can create connections.

Administrators can define which connections are available for users and groups.

Use Cases

Connections can be created and utilized in several ways. Connections can be privileged (credentials hidden from the user) and the connections can support user-specified credentials. Additionally, the connections can pull credentials from one or more Keeper Vaults via the Keeper Secrets Manager integration.

Privileged Connections

When setting up a privileged connection, the authentication credentials to the target can be saved in the connection parameters, or in the designated Keeper Vault. When the credentials are stored directly to the connection or in the Keeper Vault, they are never exposed to the end-user. This allows you to create privileged sessions in which the user does not have access to the underlying credentials.

User-Specified Credentials

When setting up the connection, you can skip the authentication details parameters and Keeper Connection Manager will prompt the end-user for their authentication credentials on every login.

For example, with an RDP connection, simply remove the credentials from the connection parameters and the user will be prompted to authenticate.

Vault Credentials

KCM can connect to a Keeper Vault and search for the necessary credentials needed based on Host, User and Domain. See the Vault Integration section to learn more about this capability.

Create a New Connection

The New Connection form is separated into multiple sections each with multiple inputs. Connections have many different options and capabilities, depending on the protocol.

To begin, click Settings > Connections > New Connection which will open the new connection form.

Connection Details

Connection Name

The name of the connection, this is how it will appear in the connections list.

Location

The location of the new connection in the connections list. You can select "ROOT" to put the new connection at the top level of the connections list, or select a collection to place the new connection under an existing collection.

Protocol

Select the type of connection to create. The current available connection types are:

RDP
SSH
Kubernetes
Telnet
VNC
MySQL
PostgreSQL
Microsoft SQL Server
Remote Browser Isolation

Other options in the connection form are affected by the protocol selection

For more information about connection types, see the supported protocols section.

Batch Import for Connections

Create multiple connections via API or by uploading a CSV, JSON, or YAML file. Visit the following page for more information:

Batch Import and API

Concurrency Limits

Max # of Connections

The maximum allowed number of concurrent sessions for this connections. If the maximum number is sessions are already in use, other users will not be able to connect to this connection.

Set this value to 0 to allow unlimited concurrent sessions.

Max # of Connections per User

The maximum allowed number of concurrent sessions for this connection for each user. If the maximum number is sessions are already in use by a user, the user will not be able to open a new session for this connection.

Set this value to 0 to allow unlimited concurrent sessions.

Load Balancing

Keeper Connection Manager can use load balancing among connections in a group to give multiple concurrent users the best experience.

Connection Weight

Enter a number to use as a multiplier of connection assignment. For example, if one connection in a group has a weight of 1, and another has a weight of 2, the second connection will be assigned twice as many concurrent users as the first.

Use for Failover Only

If checked, this connection will only be used if all other connections in the group fail

Guacamole Proxy Parameters

If you are establishing a connect through a guacd service which is operating on a separate server (other than localhost), you would specify the proxy parameters here. In most default installations, this section is not needed and should be left empty. For more information see the guacd documentation.

Hostname and Port

Hostname and port of the proxy

Encryption

Choose if the connection traffic should be encrypted. You can choose unencrypted or TLS/SSL encryption.

RDP Protocol Parameters

Details to facilitate the new RDP connection. Set network and authentication details.

Network

Hostname and Port

Enter the hostname and port of the RDP connection

Authentication

Enter the following connection fields for you RDP connection:

Username
Password
Domain

Security Mode

Select the security mode to use, the supported modes are:

Any
NLA (Network Level Authentication)
RDP Encryption
TLS Encryption
Hyper-V / VMConnect

If you would like users to be prompted for manual authentication, you may need to select "NLA" security mode and leave the authentication parameters empty.

Disable Authentication

Choose to turn off authentication for this RDP connection

Ignore Server Certificate

Choose to ignore the server certificate. In most cases, this is required to establish a connection.

Remote Desktop Gateway

Fill in the following details about the remote desktop gateway:

Hostname and Port
Username
Password
Domain

Basic Settings

Initial Program

Start a program on connection. Enter the location of the program to run

Client Name

Set a name for the computer this connection is connecting to

Keyboard Layout

Choose the type of keyboard to use with this RDP connection

Time Zone

Use the dropdown menus to select the timezone to use with this connection

Enable Multi-touch

Choose to allow multi-touch input for this RDP connection

Administrator Console

Choose to allow access to the Administrator Console for users connecting to this RDP connection

Appearance

Choose settings that affect how the new connection will look.

Width, Height and Resolution

Choose the dimensions and resolution of the screen in pixels (pixels per inch for resolution).

Color Depth

Choose the color depth of the screen over the RDP connection.

Force Lossless Compression

Use lossless compression. Check this option for better visual quality, but it may impact performance.

Resize Method

Choose what the connection should do if the window is resized. Keeper Connection Manager supports "Display Update" Visual channel for RDP 8.1 or higher. For older versions of RDP, use the reconnect method.

Read-Only

If checked, the connection will not allow for any interaction from the user. The user will be able to view what is happening on the connected device, but make no interactions with it.

Clipboard

Disable Copying from Remote Desktop

If selected, users will not be able to copy from the connection

Disable Pasting from Client

If selected, users will not be able to paste values into the connection

Device Redirection

Choose options for connected devices

Support Audio in Console

Choose if audio is supported within the console

Disable Audio

Choose if audio from the connection should be disabled

Enable Audio Input (microphone)

Choose if the user's microphone can be used within the connection

Enable Printing

Choose if users can print from the connection

Redirected Printer Name

If allowing printing, choose the name of the printer to use

Enable Drive

If you would like to transfer files to this target with Drag and Drop, select this option. Along with this, make sure to fill out a "Drive Name", "Drive Path", and select "Automatically Create Drive".

Drive Name

If file transfer is enabled, the name of the drive to use. For example "My Drive".

Disable File Download

Choose if files can be downloaded to the connected drive

Drive Path

The path of the drive to use if enabled. A typical default Drive Path would be something like /var/lib/guacamole/drives/${GUAC_USERNAME}

Automatically Create Drive

If selected, Keeper Connection Manager will automatically create a drive to use with the connection

Static Channel Names

A comma-separated list of static channel names to open and expose as pipes. If you wish to communicate between an application running on the remote desktop and JavaScript, this is the best way to do it. KCM will open an outbound pipe with the name of the static channel. If JavaScript needs to communicate back in the other direction, it should respond by opening another pipe with the same name. KCM allows any number of static channels to be opened, but protocol restrictions of RDP limit the size of each channel name to 7 characters.

Performance

These options can be used to optimize the performance of the Windows Remote Desktop Connection.

Choose to enable or disable the following optional Windows features:

Enable Wallpaper
Enable Theming
Enable Font Smoothing (ClearType)
Enable Full-window Drag
Enable Desktop Composition (Aero)
Enable Menu Animations
Disable Bitmap Caching
Disable Off-screen Caching
Disable Glyph Caching

RemoteApp

Recent versions of Windows provide a feature called RemoteApp which allows individual applications to be used over RDP, without providing access to the full desktop environment. If your RDP server has this feature enabled and configured, you can configure KCM connections to use those individual applications.

Program

Specifies the RemoteApp to start on the remote desktop. If supported by your remote desktop server, this application, and only this application, will be visible to the user.

Windows requires a special notation for the names of remote applications. The names of remote applications must be prefixed with two vertical bars. For example, if you have created a remote application on your server for notepad.exe and have assigned it the name “notepad”, you would set this parameter to: “||notepad”.

Working Directory

The working directory, if any, for the remote application. This parameter has no effect if RemoteApp is not in use.

Parameters

The command-line arguments, if any, for the remote application. This parameter has no effect if RemoteApp is not in use.

Load Balancing

Keeper Connection Manager can use load balancing among connections in a group to give multiple concurrent users the best experience.

Connection Weight

Use for Failover Only

If checked, this connection will only be used if all other connections in the group fail

Screen Recording

Options for recording of the screen. See the Session Recording section for more information.

Recording Path

Enter the path to save the session recording. We recommend using the below value: ${HISTORY_PATH}/${HISTORY_UUID}

Recording Name

Enter the name of the recording file

Exclude Graphics/Streams

Choose to exclude graphics or streams from the recording

Exclude Mouse

Choose to exclude the mouse from the screen recording

Exclude Touch Events

Choose to exclude the touch events the user made from the recording

Include Key Events

If selected, include key events that would not otherwise be visible in the recording

Automatically Create Recording Path

If selected, Keeper Connection Manager will automatically create a path for the recording file

SFTP

Options for file transfers to the connection using SFTP. For more information see the File Transfer section.

Enable SFTP

Choose to enable SFTP file transfers

If enabled, enter the following information to connect to and authenticate connection to your SFTP server:

Hostname Port
Public Host Key (Base64)
Username and Password
Private Key
Passphrase for the private key if applicable

File Browsing Root Directory

The root directory of the SFTP server to display within this connection

Default Upload Directory

If users upload a file from the connection, the directory that the file will go to by default

SFTP Keepalive Interval

Enter the keepalive interval as a number

Disable File Download

If SFTP is enabled, check this option to exclude users from downloading files from the server to this connection

Disable File Upload

If SFTP is enabled, check this option to exclude users from uploading files to the server from this connection

Wake-on-LAN (WoL)

Options to facilitate waking the connected device upon connection if supported.

Send WoL Packet

Enable Wake-on-Lan and send a signal from Keeper Connection Manager

Mac Address of the Remote Host

Identify the device to send the signal to by Mac Address

Broadcast Address for WoL Packet

Where to send the WoL signal

Host Boot Wait Time

How long to wait for the device to wake

SSH Protocol Parameters

Details to facilitate the new SSH connection. Set network and authentication details.

Network

Hostname and Port

Enter the hostname and port for the SSH connection

Public Host Key (Base64)

Enter the Public Key for this SSH connection in Base64 format

Authentication

Username and Password

The username and password (if required) for this SSH connection.

If you would like the user to be prompted for their password, leave the "password" field empty.

Private Key

The private key used for connecting to this SSH connection

Passphrase

The passphrase (if any) for the private key

Appearance

Choose settings that affect how the new connection will look.

Theme

Select a color theme for the terminal.

There are built in themes, and a custom theme option.

Font Name

Enter the name of a font for the terminal to use

Maximum Scroll back Size

Select how far back a user can scroll through past commands. Leave blank for unlimited.

Read-Only

If checked, the connection will not allow for any interaction from the user. The user will be able to view what is happening on the connected device, but make no interactions with it.

Clipboard

Disable Copying from Remote Desktop

If selected, users will not be able to copy from the connection

Disable Pasting from Client

If selected, users will not be able to paste values into the connection

Session/Environment

Settings for basic environment setup

Execute Command

Enter a command to execute on connection start

Language/Local($LANG)

Set the language/local for the connection, this sets the $LANG environment variable

Time Zone($TZ)

Set the time zone for the connection. This sets the $TZ environment variable

Server Keepalive Interval

Set an interval for a keepalive signal

Terminal Behavior

The Terminal Behavior section contains options about the terminal for applicable connections.

Backspace Key Sends

Choose what action is sent when you click the backspace key. The options are:

Delete
Backspace

Terminal Type

Choose the type of terminal to use. The options are:

ansi
linux
vt100
vt220
vterm
vterm-256color

Screen Recording

Options for recording of the screen. See the Session Recording section for more information.

Recording Path

Enter the path to save the session recording. We recommend setting this to ${HISTORY_PATH}/${HISTORY_UUID}

Recording Name

Enter the name of the recording file

Exclude Graphics/Streams

Choose to exclude graphics or streams from the recording

Exclude Mouse

Choose to exclude the mouse from the screen recording

Include Key Events

If selected, include key events that would not otherwise be visible in the recording

Automatically Create Recording Path

If selected, Keeper Connection Manager will automatically create a path for the recording file

SFTP

Options for file transfers to the connection using SFTP. For more information see the File Transfer section.

Enable SFTP

Choose to enable SFTP file transfers

File Browsing Root Directory

The root directory of the SFTP server to display within this connection

Disable File Download

If SFTP is enabled, check this option to exclude users from downloading files from the server to this connection

Disable File Upload

If SFTP is enabled, check this option to exclude users from uploading files to the server from this connection

Wake-on-LAN (WoL)

Options to facilitate waking the connected device upon connection if supported.

Send WoL Packet

Enable Wake-on-Lan and send a signal from Keeper Connection Manager

Mac Address of the Remote Host

Identify the device to send the signal to by Mac Address

Broadcast Address for WoL Packet

Where to send the WoL signal

Host Boot Wait Time

How long to wait for the device to wake

VNC Protocol Parameters

Details to facilitate the new VNC connection. Set network and authentication details.

Network

Hostname and Port

Hostname and port information for the VNC connection

Encryption

Choose encryption method for connection traffic. The options are:

No Encryption
TLS/SSL Encryption

Authentication

Username and Password

Appearance

Choose settings that affect how the new connection will look.

Read-Only

If checked, the connection will not allow for any interaction from the user. The user will be able to view what is happening on the connected device, but make no interactions with it.

Swap Red-Blue Channels

Choose if the red and blue channels should be swapped for this connection.

Cursor

Choose to use the cursor of the local machine, or of the remote machine.

Color Depth

Choose the color depth of the screen over the VNC connection.

Force Lossless Compression

Use lossless compression. Check this option for better visual quality, but it may impact performance.

Clipboard

Encoding

Choose which encoding to use when copying and pasting. The options are:

CP1252
ISO 8859-1
UTF-16
UTF-8

Disable Copying from Remote Desktop

If selected, users will not be able to copy from the connection

Disable Pasting from Client

If selected, users will not be able to paste values into the connection

VNC Repeater

There exist VNC repeaters, such as UltraVNC Repeater, which act as intermediaries or proxies, providing a single logical VNC connection which is then routed to another VNC server elsewhere. Additional parameters are required to select which VNC host behind the repeater will receive the connection.

Destination Host and Port

Set the host and port to use

Screen Recording

Options for recording of the screen. See the Session Recording section for more information.

Recording Path

Enter the path to save the session recording. We recommend setting this to ${HISTORY_PATH}/${HISTORY_UUID}

Recording Name

Enter the name of the recording file

Exclude Graphics/Streams

Choose to exclude graphics or streams from the recording

Exclude Mouse

Choose to exclude the mouse from the screen recording

Include Key Events

If selected, include key events that would not otherwise be visible in the recording

Automatically Create Recording Path

If selected, Keeper Connection Manager will automatically create a path for the recording file

SFTP

Options for file transfers to the connection using SFTP. For more information see the File Transfer section.

Enable SFTP

Choose to enable SFTP file transfers

If enabled, enter the following information to connect to and authenticate connection to your SFTP server:

Hostname Port
Public Host Key (Base64)
Username and Password
Private Key
Passphrase for the private key if applicable

File Browsing Root Directory

The root directory of the SFTP server to display within this connection

Default Upload Directory

If users upload a file from the connection, the directory that the file will go to by default

SFTP Keepalive Interval

Enter the keepalive interval as a number

Disable File Download

If SFTP is enabled, check this option to exclude users from downloading files from the server to this connection

Disable File Upload

If SFTP is enabled, check this option to exclude users from uploading files to the server from this connection

Audio

Enable Audio

Choose to enable audio for the connection

Audio Server Name

Name of the audio server to use

Wake-on-LAN (WoL)

Options to facilitate waking the connected device upon connection if supported.

Send WoL Packet

Enable Wake-on-Lan and send a signal from Keeper Connection Manager

Mac Address of the Remote Host

Identify the device to send the signal to by Mac Address

Broadcast Address for WoL Packet

Where to send the WoL signal

Host Boot Wait Time

How long to wait for the device to wake

Telnet Protocol Parameters

Details to facilitate the new Telnet connection. Set network and authentication details.

Network

Hostname and Port

Hostname and port information for the Telnet connection.

Authentication

Username and Password

Authentication credentials for the Telnet connection. To prompt users for the password, leave this field empty.

Username Regular Expression

The regular expression to use when waiting for the username prompt. This parameter is optional. If not specified, a reasonable default built into KCM will be used. The regular expression must be written in the POSIX ERE dialect (the dialect typically used by egrep).

Password Regular Expression

The regular expression to use when waiting for the password prompt. This parameter is optional. If not specified, a reasonable default built into KCM will be used. The regular expression must be written in the POSIX ERE dialect (the dialect typically used by egrep).

The regular expression to use when detecting that the login attempt has succeeded. This parameter is optional. If specified, the terminal display will not be shown to the user until text matching this regular expression has been received from the telnet server. The regular expression must be written in the POSIX ERE dialect (the dialect typically used by egrep).

The regular expression to use when detecting that the login attempt has failed. This parameter is optional. If specified, the connection will be closed with an explicit login failure error if text matching this regular expression has been received from the telnet server. The regular expression must be written in the POSIX ERE dialect (the dialect typically used by egrep).

Appearance

Choose settings that affect how the new connection will look.

Theme

Select a color theme for the terminal.

There are built in themes, and a custom theme option.

Font Name

Enter the name of a font for the terminal to use

Maximum Scroll back Size

Select how far back a user can scroll through past commands. Leave blank for unlimited.

Read-Only

If checked, the connection will not allow for any interaction from the user. The user will be able to view what is happening on the connected device, but make no interactions with it.

Clipboard

Disable Copying from Remote Desktop

If selected, users will not be able to copy from the connection

Disable Pasting from Client

If selected, users will not be able to paste values into the connection

Terminal Behavior

The Terminal Behavior section contains options about the terminal for applicable connections.

Backspace Key Sends

Choose what action is sent when you click the backspace key. The options are:

Delete
Backspace

Terminal Type

Choose the type of terminal to use. The options are:

ansi
linux
vt100
vt220
vterm
vterm-256color

Typescript (Text Session Recording)

Options for text recording. See the Session Recording section for more details about session recording.

Typescript Path

Enter a file path location to save text session recordings to.

Typescript Name

Enter a name for the text session recording file

Automatically Create Typescript Path

Have Keeper Connection Manager automatically create the path location for the text session recording

Screen Recording

Options for recording of the screen. See the Session Recording section for more information.

Recording Path

Enter the path to save the session recording. We recommend setting this to ${HISTORY_PATH}/${HISTORY_UUID}

Recording Name

Enter the name of the recording file

Exclude Graphics/Streams

Choose to exclude graphics or streams from the recording

Exclude Mouse

Choose to exclude the mouse from the screen recording

Include Key Events

If selected, include key events that would not otherwise be visible in the recording

Automatically Create Recording Path

If selected, Keeper Connection Manager will automatically create a path for the recording file

Wake-on-LAN (WoL)

Options to facilitate waking the connected device upon connection if supported.

Send WoL Packet

Enable Wake-on-Lan and send a signal from Keeper Connection Manager

Mac Address of the Remote Host

Identify the device to send the signal to by Mac Address

Broadcast Address for WoL Packet

Where to send the WoL signal

Host Boot Wait Time

How long to wait for the device to wake

Kubernetes Protocol Parameters

Details to facilitate the new connection. Set network and authentication details.

Network

Hostname and Port

The hostname and port of the Kubernetes connection

Use SSL/TLS

Choose to use SSL/TLS encryption

Ignore Server Certificate

Choose to ignore the server certificate

Certificate Authority Certificate

Paste the Certificate Authority Certificate into this text box

Container

Fill in the following information about the Kubernetes container:

Namespace
Pod Name
Container Name

Authentication

Client Certificate

The certificate to use if performing SSL/TLS client authentication to authenticate with the Kubernetes server, in PEM format. This parameter is optional. If omitted, SSL client authentication will not be performed.

Client Key

The key to use if performing SSL/TLS client authentication to authenticate with the Kubernetes server, in PEM format. This parameter is optional. If omitted, SSL client authentication will not be performed.

Appearance

Choose settings that affect how the new connection will look.

Theme

Select a color theme for the terminal.

There are built in themes, and a custom theme option.

Font Name

Enter the name of a font for the terminal to use

Maximum Scroll back Size

Select how far back a user can scroll through past commands. Leave blank for unlimited.

Read-Only

If checked, the connection will not allow for any interaction from the user. The user will be able to view what is happening on the connected device, but make no interactions with it.

Terminal Behavior

The Terminal Behavior section contains options about the terminal for applicable connections.

Backspace Key Sends

Choose what action is sent when you click the backspace key. The options are:

Delete
Backspace

Typescript (Text Session Recording)

Options for text recording. See the Session Recording section for more details about session recording.

Recording Path

Enter a file path location to save text session recordings to. We recommend setting this to ${HISTORY_PATH}/${HISTORY_UUID}

Recording Name

Enter a name for the session recording file.

Exclude Graphics/Streams

Choose to exclude graphics and streams that may appear on the terminal from the recording.

Include Key Events

Choose to include keys that are clicked in the session recording. Events like ctrl+c will be recorded.

Automatically Create Recording Path

Have Keeper Connection Manager automatically create the path location for the session recording

MySQL Protocol Parameters

Details to facilitate the MySQL connection. Set network and authentication details.

Network

Hostname and Port

Enter the hostname and port for the MySQL connection

Unix Socket

Enter the socket name if a host is not present

Authentication

Username and Password

The username and password for this MySQL connection. To prompt users for the password, leave this field empty.

Database

Default Database

Specify the default database schema when establishing a connection.

Disable CSV Export

Disable the ability for users to export data through "select .. into local infile"

Disable CSV Import

Disable the ability for users to import data through "load data local infile..."

Appearance

Choose settings that affect how the new connection will look.

Theme

Select a color theme for the terminal.

There are built in themes, and a custom theme option.

Font Name

Enter the name of a font for the terminal to use.

Maximum Scroll back Size

Select how far back a user can scroll through past commands. Leave blank for unlimited.

Read-Only

If checked, the connection will not allow for any interaction from the user. The user will be able to view what is happening on the connected device, but make no interactions with it.

Clipboard

Disable Copying from Remote Desktop

If selected, users will not be able to copy from the connection

Disable Pasting from Client

If selected, users will not be able to paste values into the connection

Session/Environment

Settings for basic environment setup

Language/Local($LANG)

Set the language/local for the connection, this sets the $LANG environment variable

Time Zone($TZ)

Set the time zone for the connection. This sets the $TZ environment variable

Server Keepalive Interval

Set an interval for a keepalive signal

Screen Recording

Options for recording of the screen. See the Session Recording section for more information.

Recording Path

Enter the path to save the session recording. We recommend setting this to ${HISTORY_PATH}/${HISTORY_UUID}

Recording Name

Enter the name of the recording file.

Exclude Graphics/Streams

Choose to exclude graphics or streams from the recording.

Exclude Mouse

Choose to exclude the mouse from the screen recording.

Include Key Events

If selected, include key events that would not otherwise be visible in the recording.

Automatically Create Recording Path

If selected, Keeper Connection Manager will automatically create a path for the recording file.

SFTP

Options for file transfers to the connection using SFTP. For more information see the File Transfer section.

Enable SFTP

Choose to enable SFTP file transfers.

File Browsing Root Directory

The root directory of the SFTP server to display within this connection.

Disable File Download

If SFTP is enabled, check this option to exclude users from downloading files from the server to this connection.

Disable File Upload

If SFTP is enabled, check this option to exclude users from uploading files to the server from this connection.

Wake-on-LAN (WoL)

Options to facilitate waking the connected device upon connection if supported.

Send WoL Packet

Enable Wake-on-Lan and send a signal from Keeper Connection Manager.

Mac Address of the Remote Host

Identify the device to send the signal to by Mac Address.

Broadcast Address for WoL Packet

Where to send the WoL signal.

Host Boot Wait Time

How long to wait for the device to wake.

Creating a Custom Theme

Terminal based protocols (Kubernetes, SSH, MySQL and Telnet) allow for custom color themes. To use a custom theme first select "custom" from the Theme dropdown, this will open the custom theme builder.

To use the custom theme builder, click each color to select a new color to use in its place. The foreground and background colors are labeled, other colors represent the standard terminal colors.

For example: to replace all red highlighted text in the terminal with orange text, click the red color and choose orange in the color picker.

Remote Browser Isolation Protocol Parameters

Details to facilitate the RBI connection. Set network and authentication details.

Browser Settings

URL

Enter the hostname and port for the remote browser isolation connection

Allowed URL Patterns

Defines the allowed URLs to be loaded by the browser

Allowed Resource URL Patterns

Defines the page resources (such as Javascript, Images, etc) allowed to be loaded.

Browser Profile Storage Directory

Browser session data can be retained with the specified path in the container.

Example: /var/lib/guacamole/rbi-profiles/this-site/${GUAC_USERNAME}

Automatically Create Profile Directory

Creates the path on the container if it doesn't exist.

Browser Autofill Parameters

Username

Password

Password value or reference to Keeper vault field for filling a password on a login form

Autofill Targets

CSS selector for the page and field elements to autofill. More info here.

Example:

- page: "http://172.31.8.134:8080/login"
  username-field: "input[name='j_username']"
  password-field: "input[name='j_password']"

Audio Settings

Disable Audio

Channels

Bit Depth

Sample Rate

Clipboard Settings

Disable Copying from the Browser

Disable Pasting from Client

Display Settings

Read-only

Screen Recording

Options for recording of the screen. See the Session Recording section for more information.

Recording Path

Enter the path to save the session recording. We recommend setting this to ${HISTORY_PATH}/${HISTORY_UUID}

Recording Name

Enter the name of the recording file.

Exclude Graphics/Streams

Choose to exclude graphics or streams from the recording.

Exclude Mouse

Choose to exclude the mouse from the screen recording.

Include Key Events

If selected, include key events that would not otherwise be visible in the recording.

Automatically Create Recording Path

If selected, Keeper Connection Manager will automatically create a path for the recording file.

Allow Writing to Existing Recording File

Allows the connection to write the session recording to a file that already exists. Prior to this option, attempting to write to an existing file would result in a numeric suffix being appended to the new file to avoid overwriting.

Usage History

If you are editing an existing connection, the usage history of the connection is shown in this section

The usage history table displays the username, date, duration of connection and remote IP address of users connecting to this connection.

Establishing Connection through Firewalls

If you would like to establish a connection to a target server with restricted Ingres connections, check out the documentation on Creating Connections via reverse SSH tunnel.

keeper/guacamole

Docker deployment of Apache Guacamole with Keeper Connection Manager

Image: keeper/guacamole

To activate advanced features of Keeper Connection Manager, you simply add an environmental variable to the docker file that controls the feature, or you add one of the EXTENSIONS flags as documented below.

Arbitrary third-party extensions may be used through volume mounts and setting ADDITIONAL_GUACAMOLE_PROPERTIES variables as needed.

Viewing the Guacamole logs

The Guacamole logs are useful if debugging unexpected behavior of the aspects of the web application which are not directly related to remote desktop, including authentication. To view the Tomcat/Guacamole logs follow the troubleshooting documentation.

By default, these logs will show messages only at the "info" level or above. This can be overridden when the container is created using the LOG_LEVEL environment variable.

Environment variables

`ACCEPT_EULA`

The ACCEPT_EULA environment variable must be set to "Y" to indicate your acceptance of the Keeper Connection Manager EULA. This Docker image may not be used except under the terms of the EULA.

`KCM_LICENSE`

The KCM_LICENSE environment variable contains the license key provided by Keeper support.

`ADDITIONAL_GUACAMOLE_PROPERTIES`

This variable is optional and specifies any additional content that should be appended to /etc/guacamole/guacamole.properties during startup. This content is added via guacamole.properties.docker, thus environment variable substitution will be automatically performed on the content of this variable.

`ALLOWED_LANGUAGES`

This variable is optional and restricts the display languages within Guacamole to the comma-separated list of language keys. If specified, only the listed languages will be made available to the user, and only the listed languages will be selected from automatically based on the user's browser's preferred language. For example, to restrict Guacamole to only English and German, specify ALLOWED_LANGUAGES="en, de". As English is the fallback language, used whenever a translation key is missing from the chosen language, English should only be omitted from this list if you are absolutely positive that no strings are missing from your custom translations.

By default, all defined languages will be available.

`API_*`

All environment variables which start with API_ correspond to configuration properties for configuring the Guacamole web application as a whole. These variables control how Guacamole handles user sessions and any HTTP requests that it receives. Note that these variables control only aspects of the Guacamole web application. They do not control the behavior of remote desktop sessions.

Variable name

Description

API_MAX_REQUEST_SIZE

The maximum number of bytes to accept within the entity body of any particular HTTP request to the REST API, including authentication requests. This limit does not apply to files transferred within a remote desktop session. Specifying 0 disables request size limitations. By default, requests are limited to 2097152 bytes (2 MB).

API_SESSION_TIMEOUT

The amount of time, in minutes, a Guacamole session may remain valid despite being inactive. By default, Guacamole sessions are limited to one hour.

This setting affects Guacamole sessions only, not remote desktop sessions. To enforce limits on the duration of remote desktop sessions, you must change the relevant setting within your remote desktop server, such as the session time limit GPOs provided by the Windows RDP server. Guacamole considers a connected remote desktop session to be user activity, and does not attempt to define what constitutes an idle but connected remote desktop session.

`AWS_DISCOVERY_*`

All environment variables which start with AWS_DISCOVERY_ correspond to configuration properties for AWS EC2 discovery which would normally be specified within guacamole.properties.

The following environment variables are required if using EC2 discovery:

Variable name

Description

AWS_DISCOVERY_ACCESS_KEY_ID

The access key ID for the AWS account that should be used to authenticate with AWS.

AWS_DISCOVERY_SECRET_KEY

The secret key associated with the access key

AWS_DISCOVERY_REGIONS

Comma-separated list of regions to query for EC2 instances, such as us-west-1,us-east-1.

Other, optional environment variables are available for the other properties related to EC2 discovery:

Variable name

Description

AWS_DISCOVERY_INSTANCE_BASE_PATH

The name of the organizational connection group that should be used to house the EC2 instances for convenience. By default, this will be "Amazon EC2".

AWS_DISCOVERY_ADMIN_GROUP

The name of the User Group in Keeper Connection Manager to require for any user to see the discovered EC2 instances. By default, this will be a group called "AWS EC2 Administrators".

AWS_DISCOVERY_RECORD_CONNECTIONS_BY_DEFAULT

If set to "true", screen recording will be enabled by default on all connections. Connection session recording can also be set at an individual machine level using the "kcm:record" EC2 instance tag, which overrides the value set here, if any.

AWS_DISCOVERY_KSM_CONFIG

The base64-encoded Keeper Secrets Manager configuration to use to retrieve the private keys for EC2 instances from the Keeper vault.

AWS_DISCOVERY_KSM_API_CALL_INTERVAL

The minimum number of milliseconds that must elapse between API calls to Keeper Secrets Manager. By default, KCM will wait 10 seconds between each call, using cached data from the last retrieval until another retrieval attempt is allowed.

`BAN_*`

All environment variables which start with BAN_ correspond to configuration properties for configuring how apparent brute-force authentication attempts against the web application are automatically blocked. Each of these variables is optional.

Variable name

BAN_ADDRESS_DURATION

The amount of time an IP address is temporarily blocked after repeatedly failing to authenticate, in seconds. By default, addresses are blocked for 5 minutes.

BAN_MAX_ADDRESSES

The maximum number of IP addresses that KCM will track to check for invalid attempts. By default, up to 10485760 addresses will be tracked.

BAN_MAX_INVALID_ATTEMPTS

The number of invalid attempts that may occur before the source IP address is temporarily blocked from further attempts. By default, 5 failed authentication attempts will result in a temporary block.

`CA_CERTIFICATES`

`CATALINA_OPTS`

This variable is optional and specifies arbitrary command-line options that should be passed to the JVM running Tomcat. It corresponds to Tomcat's own CATALINA_OPTS environment variable and is primarily used to pass additional system properties to the JVM, as may be necessary to configure platform-level options like whether an HTTP proxy should be used.

For example, if you wish to ensure that all outbound HTTPS connections go through an HTTP proxy, including API calls to services like Keeper Secrets Manager (KSM), you would set CATALINA_OPTS to:

-Dhttps.proxyHost=my.proxy -Dhttps.proxyPort=3129

where "my.proxy" is the hostname or IP address of the desired HTTP proxy and "3129" is its TCP port number.

`CONTEXT_PATH`

This variable is optional and specifies the path that the Guacamole web application should be served under. By default, the web application will be served at the root directory (http://your-container:8080/), but this can be overridden by setting CONTEXT_PATH to the name of a different location.

Note that the location specified with CONTEXT_PATH may not contain slashes. If you need to serve the web application beneath a more complex nested path, you will need to use a reverse proxy like Nginx or Apache HTTPD.

`DUO_*`

The following environment variables are required if using Duo multi-factor authentication:

Environment Variable

Description

DUO_API_HOSTNAME

REQUIRED. The hostname of the Duo API endpoint that will be used to verify user identities, assigned by Duo when Guacamole was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.

DUO_AUTH_TIMEOUT

The timeout, in minutes, for in-progress Duo authentication attempts. Authentication attempts exceeding this duration will be invalidated. By default, Duo authentication attempts will time out after 5 minutes.

DUO_CLIENT_ID

REQUIRED. The client ID provided for you by Duo when KCM was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.

DUO_CLIENT_SECRET

REQUIRED. The client secret provided for you by Duo when KCM was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.

DUO_REDIRECT_URI

REQUIRED. The user-facing URI that the Duo service can use to redirect an authenticated user's browser back to KCM. This is the URI that you use for the KCM deployment, e.g. https://kcm.company.com

`EXTENSIONS`

This variable is optional and specifies a comma- or newline-separated list of the names of all extensions that should be activated in the image, regardless of which other environment variables may be specified. Empty names, whitespace, and trailing commas are ignored.

Extension names are dictated by the guacamole(*) package capability of the corresponding Keeper Connection Manager package (part of the RPM package's metadata):

Extension name

Declared capability

Corresponding package

duo

guacamole(duo)

json

guacamole(json)

ldap

guacamole(ldap)

mysql

guacamole(mysql)

kcm-guacamole-auth-jdbc-mysql

openid

guacamole(openid)

postgresql

guacamole(postgresql)

kcm-guacamole-auth-jdbc-postgresql

saml

guacamole(saml)

sqlserver

guacamole(sqlserver)

kcm-guacamole-auth-jdbc-sqlserver

ssl

guacamole(ssl)

totp

guacamole(totp)

uds

guacamole(uds)

kcm-guacamole-auth-uds

This variable is mainly of use for extensions which can be used without setting any configuration options, like TOTP two-factor authentication, or to force sanity checks on the presence of required environment variables even if all associated variables might be accidentally omitted. Extensions not listed within this environment variable will still be included if any of their corresponding environment variables are set.

`EXTENSION_PRIORITY`

This variable is optional and specifies the order that extensions should be loaded relative to each other. By default, extensions are loaded in alphabetical order based on their filenames.

To override the load order of extensions, list the names of each extension that should be loaded first, separated by commas. The special name * may be used as a placeholder for all other extensions. For example:

Description

Value of EXTENSION_PRIORITY

Force SAML to take priority over all other extensions.

saml

Force all other extensions to take priority over SAML.

*, saml

Prefer LDAP over any other authentication method, and force all other extensions to take priority over SAML and OpenID.

ldap, *, saml, openid

`GUACD_*`

TCP connection information for guacd.

Variable name

Description

GUACD_HOSTNAME

The hostname of the machine hosting the guacd service.

Other, optional environment variables are available for configuring other aspects of the connection to guacd:

Variable name

Description

GUACD_PORT

The port used by the guacd service.

GUACD_SSL

Whether the guacd service has been configured for SSL/TLS.

`JSON_*`

All environment variables which start with JSON_ correspond to configuration properties for encrypted JSON authentication which would normally be specified within guacamole.properties.

The following environment variables are required if using encrypted JSON authentication:

Variable name

Description

JSON_SECRET_KEY

The shared secret key that will be used by systems generating JSON data to encrypt and sign that data. This key must be 128 bits, specified with 32 hexadecimal digits.

Other, optional environment variables are available for the other properties related to encrypted JSON authentication:

Variable name

Description

JSON_TRUSTED_NETWORKS

A comma-separated list of trusted IP addresses and/or CIDR subnets which should be allowed to send encrypted JSON. If omitted, any address will be allowed to send JSON.

`KSM_*`

All environment variables which start with KSM_* correspond to configuration properties for Keeper Secrets Manager. See the Keeper Vault Integration guide.

Variable name

Description

KSM_ALLOW_USER_CONFIG

If set to "true", users will be allowed to provide their own KSM configuration or one-time token. Vault records of users that provide this will be additionally considered for any connection that (1) an administrator enables for use with user vaults and (2) contains a token that cannot be satisfied with a record from the system-wide vault configured with KSM_CONFIG. By default, users are not allowed to provide their own KSM configuration.

KSM_API_CALL_INTERVAL

KSM_CONFIG

The Keeper Secrets Manager b64 configuration, generated by Keeper Commander.

KSM_MATCH_DOMAINS_FOR_USERS

If set to "true", Active Directory domains within KSM records and KCM connections will be considered when determining whether a record matches a username. By default, only the username itself is considered.

KSM_STRIP_WINDOWS_DOMAINS

If set to "true", Active Directory domains within KSM records will be alternatively determined by splitting the record username into username and domain components. Splitting is performed based on . By default, usernames are not split, and Windows domains will be read only from a separate "Domain" field on the record.

KSM_TOKEN_MAPPING

Static tokens used to identify specific Keeper vault records and fields.

*_KSM_SECRET

Used for protection and storage of configuration values in the Keeper vault.

`LDAP_*`

All environment variables which start with LDAP_ correspond to configuration properties for LDAP authentication which would normally be specified within guacamole.properties.

The following environment variables are required if using LDAP authentication (for a single LDAP server):

Variable name

Description

LDAP_HOSTNAME

The hostname or IP address of the LDAP server that Guacamole should use for authentication.

LDAP_USER_BASE_DN

The common base DN shared by all Guacamole users within the LDAP directory.

If using multiple LDAP servers, or if you prefer to provide LDAP server configuration in YAML format, the following environment variable is required:

Variable name

Description

LDAP_SERVERS

A list of LDAP servers in the proper yml format.

Other, optional environment variables are available for the other properties related to LDAP authentication:

Variable name

Description

LDAP_PORT

The TCP port that the LDAP server is listening on. If omitted, the standard LDAP or LDAPS port will be used, depending on the encryption method. Unencrypted LDAP uses the standard port of 389, while LDAPS uses port 636.

LDAP_ENCRYPTION_METHOD

The encryption mechanism to use when communicating with your LDAP server, if any. Legal values are "none" for unencrypted LDAP, "ssl" for LDAP over SSL/TLS (commonly known as LDAPS), or "starttls" for STARTTLS. If omitted, encryption will not be used.

LDAP_NETWORK_TIMEOUT

The maximum amount of time to allow for any LDAP network operation, in milliseconds, including attempts to connect to the LDAP server. By default, LDAP network operations will time out after 30 seconds (30000 milliseconds). Note that this value is intentionally more granular than LDAP_OPERATION_TIMEOUT, as failover to alternative LDAP servers may need to occur quickly

LDAP_OPERATION_TIMEOUT

The maximum amount of time to allow for any LDAP query, in seconds. By default, LDAP queries will time out after 30 seconds.

LDAP_USERNAME_ATTRIBUTE

The attribute which contains the username within all relevant user objects in the LDAP directory. If multiple attributes may contain the username, multiple attributes may be specified separated by commas, and a search DN is required.

LDAP_SEARCH_BIND_DN

The DN that the web application should bind as when determining the DN of the user attempting to authenticate. Specifying a search DN is required if usernames may be within any one of several attributes, or if the user's username is not part of their DN.

LDAP_SEARCH_BIND_PASSWORD

The password to use when authenticating with the search DN.

LDAP_CONFIG_BASE_DN

The common base DN shared by all guacConfigGroup objects, if the LDAP directory is being used to store connection data.

LDAP_GROUP_BASE_DN

The common base DN shared by all user groups which may dictate guacConfigGroup access within the LDAP directory via the seeAlso attribute.

LDAP_MAX_SEARCH_RESULTS

The maximum number of results to attempt to retrieve from the LDAP directory for any particular search. Searches which exceed this limit will fail. By default, searches are limited to 1000 entries.

LDAP_USER_SEARCH_FILTER

The LDAP search filter to use when querying user accounts. If omitted, (objectClass=*) will be used by default.

LDAP_GROUP_SEARCH_FILTER

The LDAP search filter to use when retrieving groups. If omitted, (objectClass=*) will be used by default.

LDAP_DEREFERENCE_ALIASES

Whether aliases should be automatically dereferenced. Legal values are "never", "searching" (dereference only after the base DN is located), "finding" (dereference only when locating the base DN), and "always". By default, aliases are not derefenced.

LDAP_FOLLOW_REFERRALS

If "true", automatically follow referrals received from the LDAP directory. By default, LDAP referrals are not followed.

LDAP_MAX_REFERRAL_HOPS

The maximum number of referrals that may be followed when resolving any particular LDAP referral. By default, if LDAP automatic following of referrals is enabled, up to 5 hops are allowed for any one referral.

CA_CERTIFICATES

The contents of one or more certificates used by your internal certificate authority (CA), in PEM form. When specified, SSL/TLS connections to other servers will be verified against these certificates, including connections to LDAP servers that use SSL/TLS.

`LOG_LEVEL`

This variable is optional and specifies the lowest level of log message that should be displayed. In order of increasing verbosity, valid values are: "error", "warn", "info", "debug", "trace".

The default log level is "info".

`MYSQL_*`

All environment variables which start with MYSQL_ correspond to configuration properties for MySQL authentication which would normally be specified within guacamole.properties.

If intending to use MySQL, you may wish to use the keeper/guacamole-db-mysql image which provides a MySQL database that is automatically initialized for use by Guacamole.

The following environment variables are required if using MySQL authentication:

Variable name

Description

MYSQL_HOSTNAME

The hostname or IP address of the MySQL or MariaDB server hosting the Guacamole database.

MYSQL_DATABASE

The name of the database that has been created for Guacamole on the MySQL or MariaDB server.

MYSQL_USERNAME

The username that Guacamole should use when authenticating with the MySQL or MariaDB server.

MYSQL_PASSWORD

The password that Guacamole should provide when authenticating with the MySQL or MariaDB server.

Other, optional environment variables are available for the other properties related to MySQL authentication:

Variable name

Description

MYSQL_PORT

The TCP port that the MySQL or MariaDB server is listening on. If omitted, the standard MySQL port of 3306 will be used.

MYSQL_USER_PASSWORD_MIN_LENGTH

The minimum length to require for user passwords. By default, password complexity is not enforced.

MYSQL_USER_PASSWORD_REQUIRE_MULTIPLE_CASE

If set to "true", require that user passwords use both uppercase and lowercase characters.

MYSQL_USER_PASSWORD_REQUIRE_SYMBOL

If set to "true", require that user passwords contain at least one symbol. By default, password complexity is not enforced.

MYSQL_USER_PASSWORD_REQUIRE_DIGIT

If set to "true", require that user passwords contain at least one digit. By default, password complexity is not enforced.

MYSQL_USER_PASSWORD_PROHIBIT_USERNAME

If set to "true", disallow user passwords that contain the user's username. By default, password complexity is not enforced.

MYSQL_USER_PASSWORD_MIN_AGE

The minimum number of days that must elapse following a password change before the user may change their password again. By default, users are not required to wait before changing their password.

MYSQL_USER_PASSWORD_MAX_AGE

The maximum number of days that may elapse since the last password change before the user is required to change their password. By default, users are not required to regularly change their password.

MYSQL_USER_PASSWORD_HISTORY_SIZE

Remember this number of previous passwords and prohibit reuse of those passwords when the user's password is changed. By default, users are allowed to reuse previous passwords.

MYSQL_DEFAULT_MAX_CONNECTIONS

The maximum number of concurrent connections to allow to any particular connection, regardless of user, where a value of "0" indicates unlimited. By default, concurrent usage of connections is not limited.

MYSQL_DEFAULT_MAX_GROUP_CONNECTIONS

The maximum number of concurrent connections to allow to any particular connection group, regardless of user, where a value of "0" indicates unlimited. By default, concurrent usage of connection groups is not limited.

MYSQL_DEFAULT_MAX_CONNECTIONS_PER_USER

The maximum number of concurrent connections to allow each user to hold to any particular connection, where a value of "0" indicates unlimited. By default, user-specific concurrent usage of connections is not limited.

MYSQL_DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER

The maximum number of concurrent connections to allow each user to hold to any particular connection group, where a value of "0" indicates unlimited. By default, user-specific concurrent usage of connection groups is limited to one.

MYSQL_ABSOLUTE_MAX_CONNECTIONS

The maximum number of concurrent connections to allow to overall, regardless of user, connection or connection group, where a value of "0" indicates unlimited. By default, overall concurrent usage is not limited.

MYSQL_USER_REQUIRED

If set to "true", require that each user have a corresponding account defined within the database, even if the user authenticated through some other mechanism (such as LDAP). By default, users that successfully authenticate through another mechanism are not required to also have an account within the database.

MYSQL_TRACK_EXTERNAL_CONNECTION_HISTORY

Whether connections that do not exist within the database should have connection history tracked in the database. If set to "true", connection history records will be created for any connection established. If set to "false", connection history records will be created only for connections defined in the database. By default, external connections will be tracked.

MYSQL_ENFORCE_ACCESS_WINDOWS_FOR_ACTIVE_SESSIONS

Whether access time restrictions imposed by the administrator on user accounts should be enforced while a user is logged in. If set to "true", users will be automatically logged out within roughly one minute of reaching their access time limits. If set to "false", access time restrictions will only be enforced at the moment a user attempts to log in. By default, access time restrictions are enforced while users are logged in.

MYSQL_AUTO_CREATE_ACCOUNTS

Whether user account entries should automatically be created within the database for users that successfully authenticate through other means, such as an SSO provider or LDAP. This may be necessary if using an extension that requires account-specific storage, like TOTP or per-account approvals. If set to "true", user account entries will automatically be created. By default, administrators must manually create such entries if needed.

`OPENID_*`

All environmental variables which start with OPENID_ correspond to configuration properties for Open ID Connect authentication which would normally be specified within guacamole.properties.

Variable Name

Description

OPENID_AUTHORIZATION_ENDPOINT

The authorization endpoint (URI) of the OpenID service. This value should be provided to you by the identity provider. For identity providers that implement OpenID Connect Discovery, this value can be retrieved from the "authorization_endpoint" property of your provider's ".well-known/openid-configuration" JSON file.

OPENID_CLIENT_ID

The OpenID client ID which should be submitted to the OpenID service when necessary. This value is typically provided to you by the OpenID service when OpenID credentials are generated for your application.

OPENID_ISSUER

The issuer to expect for all received ID tokens. This value should be provided to you by the identity provider. For identity providers that implement OpenID Connect Discovery, this value can be retrieved from the "issuer" property of your provider's

".well-known/openid-configuration" JSON file.

OPENID_JWKS_ENDPOINT

The endpoint (URI) of the JWKS service which defines how received ID tokens (JSON Web Tokens or JWTs) shall be validated. This value should be provided to you by the identity provider. For identity providers that

implement OpenID Connect Discovery, this value can be retrieved from the "jwks_uri" property of your provider's ".well-known/openid-configuration" JSON file.

OPENID_REDIRECT_URI

The URI that should be submitted to the OpenID service such that they can redirect the authenticated user back to Keeper Connection Manager after the authentication process is complete. This must be the full URL that a user would enter into their browser to access Keeper Connection Manager. The URI that should be submitted to the OpenID service such that they can redirect the authenticated user back to Keeper Connection Manager after the authentication process is complete. This must be the full URL that a user would enter into their browser to access Keeper Connection Manager.

Optional variables:

Variable Name

Description

OPENID_ALLOWED_CLOCK_SKEW

The amount of clock skew tolerated for timestamp comparisons between the Guacamole server and OpenID service clocks, in seconds. By default, clock skew of up to 30 seconds is tolerated.

OPENID_GROUPS_CLAIM_TYPE

The claim type within any valid JWT that contains the list of groups of which the authenticated user is a member. By default, the “groups” claim type is used.

OPENID_MAX_NONCE_VALIDITY

The maximum amount of time that a nonce generated by the Guacamole server should remain valid, in minutes. As each OpenID request has a unique nonce value, this imposes an upper limit on the amount of time any particular OpenID request can result in successful authentication within Guacamole. By default, each generated nonce expires after 10 minutes.

OPENID_MAX_TOKEN_VALIDITY

The maximum amount of time that an OpenID token should remain valid, in minutes. By default, each OpenID token remains valid for 300 minutes (5 hours).

OPENID_SCOPE

The space-separated list of OpenID scopes to request. OpenID scopes determine the information returned within the OpenID token, and thus affect what values can be used as an authenticated user’s username. To be compliant with OpenID, at least “openid profile” must be requested. By default, “openid email profile” is used.

OPENID_USERNAME_CLAIM_TYPE

The claim type within any valid JWT that contains the list of groups of which the authenticated user is a member. By default, the “groups” claim type is used.

`POSTGRES_*`

All environment variables which start with POSTGRES_ correspond to configuration properties for PostgreSQL authentication which would normally be specified within guacamole.properties.

If intending to use PostgreSQL, you may wish to use the keeper/guacamole-db-postgres image which provides a PostgreSQL database that is automatically initialized for use by Guacamole.

The following environment variables are required if using PostgreSQL authentication:

Variable name

Description

POSTGRES_HOSTNAME

The hostname or IP address of the PostgreSQL server hosting the Guacamole database.

POSTGRES_DATABASE

The name of the database that has been created for Guacamole on the PostgreSQL server.

POSTGRES_USERNAME

The username that Guacamole should use when authenticating with the PostgreSQL server.

POSTGRES_PASSWORD

The password that Guacamole should provide when authenticating with the PostgreSQL server.

Other, optional environment variables are available for the other properties related to PostgreSQL authentication:

Variable name

Description

POSTGRES_PORT

The TCP port that the PostgreSQL server is listening on. If omitted, the standard PostgreSQL port of 5432 will be used.

POSTGRES_USER_PASSWORD_MIN_LENGTH

The minimum length to require for user passwords. By default, password complexity is not enforced.

POSTGRES_USER_PASSWORD_REQUIRE_MULTIPLE_CASE

If set to "true", require that user passwords use both uppercase and lowercase characters.

POSTGRES_USER_PASSWORD_REQUIRE_SYMBOL

If set to "true", require that user passwords contain at least one symbol. By default, password complexity is not enforced.

POSTGRES_USER_PASSWORD_REQUIRE_DIGIT

If set to "true", require that user passwords contain at least one digit. By default, password complexity is not enforced.

POSTGRES_USER_PASSWORD_PROHIBIT_USERNAME

If set to "true", disallow user passwords that contain the user's username. By default, password complexity is not enforced.

POSTGRES_USER_PASSWORD_MIN_AGE

The minimum number of days that must elapse following a password change before the user may change their password again. By default, users are not required to wait before changing their password.

POSTGRES_USER_PASSWORD_MAX_AGE

The maximum number of days that may elapse since the last password change before the user is required to change their password. By default, users are not required to regularly change their password.

POSTGRES_USER_PASSWORD_HISTORY_SIZE

Remember this number of previous passwords and prohibit reuse of those passwords when the user's password is changed. By default, users are allowed to reuse previous passwords.

POSTGRES_DEFAULT_MAX_CONNECTIONS

POSTGRES_DEFAULT_MAX_GROUP_CONNECTIONS

POSTGRES_DEFAULT_MAX_CONNECTIONS_PER_USER

POSTGRES_DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER

POSTGRES_ABSOLUTE_MAX_CONNECTIONS

POSTGRES_USER_REQUIRED

POSTGRESQL_TRACK_EXTERNAL_CONNECTION_HISTORY

POSTGRESQL_ENFORCE_ACCESS_WINDOWS_FOR_ACTIVE_SESSIONS

POSTGRESQL_AUTO_CREATE_ACCOUNTS

`REQUIRE_ACCOUNT_APPROVAL`

This variable is optional and specifies the extensions that should require explicit approval from an administrator on a per-account basis before they can be used to authenticate a user. By default, any installed authentication method may be used.

To require approval for particular authentication methods, list the names of each extension that should require approval, separated by commas. For example:

Description

Value of REQUIRE_ACCOUNT_APPROVAL

Require approval for logins from SAML.

saml

Require approval for logins from SAML and LDAP.

saml, ldap

Account approval status can only be stored and enforced on users with identities in the KCM database. Depending on which database you are using, you can request that KCM automatically create this storage for accounts that do not yet exist within the database by setting one of the following environment variables to "true":

MYSQL_AUTO_CREATE_ACCOUNTS
POSTGRESQL_AUTO_CREATE_ACCOUNTS
SQLSERVER_AUTO_CREATE_ACCOUNTS

`SAML_*`

All environment variables which start with SAML_ correspond to configuration properties for SAML Authentication which would normally be specified within guacamole.properties.

The following environment variables are required if using SAML authentication:

Variable Name

Description

SAML_CALLBACK_URL

The URI that should be submitted to the SAML service such that they can POST the authentication result to Keeper Connection Manager and redirect the user back to the application. This must be the full URL that a user would enter into their browser to access Keeper Connection Manager.

Optional environmental variables:

Variable Name

Description

SAML_COMPRESS_REQUEST

Enable compression of the HTTP requests sent to the SAML IdP. This property is optional and will default to true (compression enabled).

SAML_COMPRESS_RESPONSE

Request that the SAML response returned by the IdP be compressed. This property is optional and will default to true (compression will be requested).

SAML_ENTITY_ID

The entity ID of the Guacamole SAML client, which is generally the URL of the Guacamole server, but is not required to be so. This property is required if either the saml-idp-metadata-url property is not specified, or if the provided metadata file does not contain the SAML SP Entity ID for Guacamole Client.

SAML_GROUP_ATTRIBUTE

The name of the attribute provided by the SAML IdP that contains group membership of the user. These groups will be parsed and used to map group membership of the user logging in, which can be used for permissions management within Guacamole Client, particularly when layered with other authentication modules. This property is optional, and defaults to “groups”.

SAML_IDP_METADATA_URL

The URI of the XML metadata file that from the SAML Identity Provider that contains all of the information the SAML extension needs in order to know how to authenticate with the IdP. This URI can either be a remote server (e.g. https://) or a local file on the filesystem (e.g. file://). Often the metadata file contains most of the required properties for SAML authentication and the other parameters are not required.

SAML_IDP_URL

The base URL of the SAML IdP. This is the URL that the SAML authentication extension will use to redirect when requesting SAML authentication. If the saml-idp-metadata-url property is provided, this parameter will be ignored. If the metadata file is not provided this property is required.

SAML_PRIVATE_KEY_PATH

The full path of the private key in PEM format that should be used to sign SAML requests submitted to the SAML IdP. This is required only if the SAML IdP requires signed requests. By default, SAML requests are not signed.

SAML_X509_CERT_PATH

The full path of the X.509 certificate in PEM format that should be used to sign SAML requests submitted to the SAML IdP. This is required only if the SAML IdP requires signed requests. By default, SAML requests are not signed.

`SQLSERVER_*`

All environment variables which start with SQLSERVER_ correspond to configuration properties for SQL Server authentication which would normally be specified within guacamole.properties.

The following environment variables are required if using SQL Server authentication:

Variable name

Description

SQLSERVER_HOSTNAME

The hostname or IP address of the SQL Server instance hosting the Guacamole database.

SQLSERVER_DATABASE

The name of the database that has been created for Guacamole on the SQL Server instance.

SQLSERVER_USERNAME

The username that Guacamole should use when authenticating with the SQL Server instance.

SQLSERVER_PASSWORD

The password that Guacamole should provide when authenticating with the SQL Server instance.

Other, optional environment variables are available for the other properties related to SQL Server authentication:

Variable name

Description

SQLSERVER_PORT

The TCP port that the SQL Server instance is listening on. If omitted, the standard SQL Server port of 1433 will be used.

SQLSERVER_USER_PASSWORD_MIN_LENGTH

The minimum length to require for user passwords. By default, password complexity is not enforced.

SQLSERVER_USER_PASSWORD_REQUIRE_MULTIPLE_CASE

If set to "true", require that user passwords use both uppercase and lowercase characters.

SQLSERVER_USER_PASSWORD_REQUIRE_SYMBOL

If set to "true", require that user passwords contain at least one symbol. By default, password complexity is not enforced.

SQLSERVER_USER_PASSWORD_REQUIRE_DIGIT

If set to "true", require that user passwords contain at least one digit. By default, password complexity is not enforced.

SQLSERVER_USER_PASSWORD_PROHIBIT_USERNAME

If set to "true", disallow user passwords that contain the user's username. By default, password complexity is not enforced.

SQLSERVER_USER_PASSWORD_MIN_AGE

The minimum number of days that must elapse following a password change before the user may change their password again. By default, users are not required to wait before changing their password.

SQLSERVER_USER_PASSWORD_MAX_AGE

The maximum number of days that may elapse since the last password change before the user is required to change their password. By default, users are not required to regularly change their password.

SQLSERVER_USER_PASSWORD_HISTORY_SIZE

Remember this number of previous passwords and prohibit reuse of those passwords when the user's password is changed. By default, users are allowed to reuse previous passwords.

SQLSERVER_DEFAULT_MAX_CONNECTIONS

SQLSERVER_DEFAULT_MAX_GROUP_CONNECTIONS

SQLSERVER_DEFAULT_MAX_CONNECTIONS_PER_USER

SQLSERVER_DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER

SQLSERVER_ABSOLUTE_MAX_CONNECTIONS

SQLSERVER_USER_REQUIRED

SQLSERVER_TRACK_EXTERNAL_CONNECTION_HISTORY

SQLSERVER_ENFORCE_ACCESS_WINDOWS_FOR_ACTIVE_SESSIONS

SQLSERVER_AUTO_CREATE_ACCOUNTS

`SSL_*`

All environment variables which start with SSL_ correspond to configuration properties for SSL/TLS client authentication (smart card authentication) which would normally be specified within guacamole.properties.

The following environment variables are required if using SSL/TLS client authentication:

Variable name

Description

SSL_CLIENT_AUTH_URI

A wildcard URI that points to this Guacamole instance and requests SSL/TLS client authentication.

SSL_PRIMARY_URI

A non-wildcard URI that points to this Guacamole instance and does not request SSL/TLS client authentication.

Other, optional environment variables are available for the other properties related to SSL/TLS client authentication:

Variable name

Description

SSL_CLIENT_CERTIFICATE_HEADER

The name of the header to use to retrieve the URL-encoded client certificate from an HTTP request received from an SSL termination service providing SSL/TLS client authentication. By default, X-Client-Certificate is used, matching the behavior of the keeper/guacamole-ssl-nginx image.

SSL_CLIENT_VERIFIED_HEADER

The name of the header to use to retrieve the verification status of the certificate an HTTP request received from an SSL termination service providing SSL/TLS client authentication. This value of this header must be "SUCCESS" (all uppercase) if the certificate was successfully verified. By default, X-Client-Verified is used, matching the behavior of the keeper/guacamole-ssl-nginx image.

SSL_MAX_DOMAIN_VALIDITY

The amount of time that the temporary, unique subdomain generated for SSL/TLS authentication may remain valid, in minutes. By default, temporary subdomains are valid for 5 minutes.

SSL_MAX_TOKEN_VALIDITY

The amount of time that a temporary authentication token for SSL/TLS authentication may remain valid, in minutes. By default, temporary authentication tokens are valid for 5 minutes.

SSL_SUBJECT_BASE_DN

The base DN containing all valid subject DNs. If specified, only certificates asserting subject DNs beneath this base DN will be accepted. By default, all DNs are accepted as long as the certificate is valid.

SSL_SUBJECT_USERNAME_ATTRIBUTE

The LDAP attribute or attributes that may be used to represent a username within the subject DN of a user's X.509 certificate. If the least-significant attribute of the subject DN is not one of these attributes, the certificate will be rejected. By default, any attribute is accepted and used as the username.

`TOTP_*`

All environment variables which start with TOTP_ correspond to configuration properties for TOTP multi-factor authentication which would normally be specified within guacamole.properties.

Variable name

Description

TOTP_ISSUER

The human-readable name of the entity issuing user accounts. By default, this is "Apache Guacamole".

TOTP_DIGITS

The number of digits which should be included in each generated code. TOTP allows for 6-, 7-, or 8-digit codes. Longer or shorter codes than this are not possible as they violate the TOTP standard. By default, 6-digit codes will be used.

TOTP_PERIOD

The duration that each generated code should remain valid, in seconds. The code generation period is given in positive integer seconds and may be any value, however the value should be long enough to allow the user a reasonable amount of time to enter their code. Their authentication device will generate a new code after this period elapses. By default, generated codes are valid for 30 seconds.

TOTP_MODE

The hash algorithm that should be used to generate codes. Valid TOTP modes (hashes) are "sha1", "sha256", and "sha512". By default, "sha1" is used.

`UDS_*`

All environment variables which start with UDS_ correspond to configuration properties for integrating with UDS Enterprise that would normally be specified within guacamole.properties.

Variable name

Description

UDS_BASE_URL

The base URL of the UDS Enterprise deployment that may leverage Keeper Connection Manager to provide remote access. Keeper Connection Manager will use this URL to contact UDS to authenticate and authorize connection requests.

`USER_MAPPING`

This variable is optional and specifies the full contents of the /etc/guacamole/user-mapping.xml file that can be used to test a Guacamole deployment without configuring a more complex authentication method like MySQL, PostgreSQL, or LDAP. This is the authentication mechanism described within the Keeper Connection Manager installation instructions.

As the contents of this file are inherently sensitive, the file will be stored purely in memory (within /dev/shm) unless the USE_SHM environment variable is set to "N" as documented below.

`USE_DEFAULT_BRANDING`

Keeper Connection Manager ships with its own default branding. If you will be using your own custom branding, the optional USE_DEFAULT_BRANDING environment variable should be set to "N" to disable the Keeper branding and avoid conflicts with your branding extension.

`USE_SHM`

This variable is optional and may be used to force storage of known sensitive files on disk rather than in memory. To force storage to disk, set USE_SHM to "N".

By default, the keeper/guacamole image stores the contents of files that are known to be sensitive within /dev/shm, thus storing those files only in memory and without potentially persisting sensitive data to disk. As such files are generated by the Docker image from environment variables during startup, this is particularly useful if Docker secrets are being used.

Docker secrets

Rather than pass data directly in environment variables, a _FILE suffix may be added to any environment variable supported by this image to force that variable to be read from the named file within the container. For example, to read /etc/guacamole/user-mapping.xml from a file:

docker run --name some-guacamole \
    -e ACCEPT_EULA=Y \
    -e GUACD_HOSTNAME=some-guacd \
    -e USER_MAPPING_FILE=/some/volume/mount/user-mapping.xml \
    -d keeper/guacamole

As Docker secrets store sensitive data within files beneath /run/secrets/ within the container, this can be used to load sensitive data from Docker secrets:

docker run --name some-guacamole \
    -e ACCEPT_EULA=Y \
    -e GUACD_HOSTNAME=some-guacd \
    -e MYSQL_HOSTNAME=some-mysql \
    -e MYSQL_DATABASE=guacamole_db \
    -e MYSQL_USERNAME_FILE=/run/secrets/mysql-username \
    -e MYSQL_PASSWORD_FILE=/run/secrets/mysql-password \
    -d keeper/guacamole

Keeper Connection Manager

Overview

Keeper Connection Manager

Video Overview

System Diagram

Apache Guacamole

KeeperPAM Licensing

Getting Started

Security Architecture

Keeper is Fanatical About Data Protection

Overview

System Architecture

Apache Guacamole™

Least Privilege Access

Production Configuration

Upgrade Methods

Compliance & Audits

Certified SOC 2 Compliant

ISO 27001 Certified (Information Security Management System)

GDPR Compliance

Protection of Patient Medical Data

HIPAA Compliance and Business Associate Agreements

Penetration Testing

Third-Party Security Scanning & Penetration Tests

Payment Processing and PCI Compliance

EU-US Privacy Shield

FIPS 140-2 Validated

U.S. Department of Commerce Export Licensed Under EAR

24x7 Remote Monitoring

Phishing or Spoofed Emails

Hosting Infrastructure Certified to the Strictest Industry Standards

Vulnerability Reporting and Bug Bounty Program

Guidelines

Submitting a Report

Additional Information

Installation

Install Methods

Configure DNS

Decide on Let's Encrypt or Existing Cert

Select an Install Method

Option 1: Auto Docker Install

Option 2: Docker Compose Install

License Key

Obtaining a License Key

New Customers

Existing Customers

System Requirements

Supported Operating Systems:

Supported KCM Versions:

Minimum system specs for production deployment:

Minimum host recommendations:

Disk space requirements

Network throughput for concurrent connections

Preparing for Installation

Preparing for Installation

Platform-specific Setup

Virtual Machines with Depletable Entropy Bits

RHEL / Rocky Linux 8 (and derivatives)

Auto Docker Install

Overview

Licensing

Installation

Secrets Manager Integration (optional)

Set up SSO Login (optional)

Save the credentials and URL in your Vault

Navigate to the URL in your Browser

🎉 Installation Complete!

Service Management

Overview

Managing the Service

Shared Volume

Upgrading

Update Instructions

Adding Packages

keeper/guacd

Starting a guacd instance

Viewing the guacd logs

Environment variables

ACCEPT_EULA

CA_CERTIFICATES

`ACCEPT_EULA`

`CA_CERTIFICATES`

`GUACD_UID`

`GUACD_GID`

`LOG_LEVEL`

`AUTOFILL_RULES`

`ACCEPT_EULA`

`MYSQL_RANDOM_ROOT_PASSWORD`

`GUACAMOLE_DATABASE`

`GUACAMOLE_ADMIN_PASSWORD`

`GUACAMOLE_USERNAME` and `GUACAMOLE_PASSWORD`

`ACCEPT_EULA`

`POSTGRES_PASSWORD`

`GUACAMOLE_DATABASE`

`GUACAMOLE_ADMIN_PASSWORD`

`GUACAMOLE_USERNAME` and `GUACAMOLE_PASSWORD`