Management of KeeperPAM functionality including Discovery, Rotation, Connections and Tunneling
Overview
KeeperPAM including discovery, password rotation, PAM Configuration and Keeper Gateway configuration can be controlled and managed through Commander using the pam command and sub-commands. These commands support the Password Rotation and Discovery capabilities of Keeper Secrets Manager and KeeperPAM.
pam command
command: pam
Detail: Perform KeeperPAM controls.
My Vault> pam --help
pam command [--options]
Command Description
--------- -----------------------------
gateway Manage Gateways
config Manage PAM Configurations
rotation Manage Rotations
action Execute action on the Gateway
tunnel Manage Tunnels
Sub-Command: gateway
Detail: View, create and remove Keeper Gateway services. To learn more about the Keeper Gateway click here.
My Vault> pam gateway help
pam command [--options]
Command Description
--------- ------------------
list List Gateways
new Create new Gateway
remove Remove Gateway
Sub-Command: config
Detail: View, create, edit and remove Keeper PAM Configurations. To learn more about PAM Configurations click here.
My Vault> pam config help
pam command [--options]
Command Description
--------- -------------------------------------------------------------
new Create new PAM Configuration
edit Edit PAM Configuration
list List available PAM Configurations associated with the Gateway
remove Remove a PAM Configuration
Sub-Command: connection
Prerequisites: Ensure that the PAM user credential, PAM Machine or PAM Database records are staged in a shared folder - that there is a gateway configured, and everything is tied together in a PAM Configuration.
This command will edit KCM connection parameters and user accounts that are attached to PAM Machine and PAM Database records. The process can be done in bulk with the run-batch command.
edit
usage: pam connection edit [-h] [--configuration CONFIG] [--admin-user ADMIN]
[--protocol {,http,kubernetes,mysql,postgresql,rdp,sql-server,ssh,telnet,vnc}]
[--connections {on,off,default}] [--connections-recording {on,off,default}]
[--typescript-recording {on,off,default}]
[--connections-override-port CONNECTIONS_OVERRIDE_PORT] [--silent]
record
positional arguments:
record The record UID or path of the PAM resource record with network information to use for
connections
options:
-h, --help show this help message and exit
--configuration CONFIG, -c CONFIG
The PAM Configuration UID or path to use for connections. Use command `pam config list` to
view available PAM Configurations.
--admin-user ADMIN, -a ADMIN
The record path or UID of the PAM User record to configure the admin credential on the PAM
Resource
--protocol {,http,kubernetes,mysql,postgresql,rdp,sql-server,ssh,telnet,vnc}, -p {,http,kubernetes,mysql,postgresql,rdp,sql-server,ssh,telnet,vnc}
Set connection protocol
--connections {on,off,default}, -cn {on,off,default}
Set connections permissions
--connections-recording {on,off,default}, -cr {on,off,default}
Set recording connections permissions for the resource
--typescript-recording {on,off,default}, -tr {on,off,default}
Set TypeScript recording permissions for the resource
--connections-override-port CONNECTIONS_OVERRIDE_PORT, -cop CONNECTIONS_OVERRIDE_PORT
Port to use for connections. If not provided, the port from the record will be used.
--silent, -s Silent mode - don't print PAM User, PAM Config etc.
example 1: Creates an RDP connection and assigns an administrative credential and PAM configuration. Activates the connection and screen recording.
example 2: Creates an SSH connection and assigns and administrative credential and PAM configuration. Activates the connection and screen recording while running in silent mode without screen outputs.
example 3: Creates an MSSQL connection and assigns and administrative credential and PAM configuration. Activates the connection and typescript recording.
Sub-Command: rotation
Detail: View and create Keeper Rotation configuration for records.
My Vault> pam rotation help
pam command [--options]
Command Description
--------- -----------------------------------
edit Edits Record Rotation configuration
list List Record Rotation configuration
info Get Rotation Info
script Add, delete, or edit script field
edit
My Vault> pam rotation edit --help
usage: pam rotation edit [-h] (--record RECORD_NAME | --folder FOLDER_NAME) [--force] [--config CONFIG] [--iam-aad-config IAM_AAD_CONFIG_UID] [--resource RESOURCE]
[--schedulejson SCHEDULE_JSON_DATA | --schedulecron SCHEDULE_CRON_DATA | --on-demand | --schedule-config] [--complexity PWD_COMPLEXITY]
[--admin-user ADMIN] [--enable | --disable]
options:
-h, --help show this help message and exit
--record RECORD_NAME, -r RECORD_NAME
Record UID, name, or pattern to be rotated manually or via schedule
--folder FOLDER_NAME, -fd FOLDER_NAME
Used for bulk rotation setup. The folder UID or name that holds records to be configured
--force, -f Do not ask for confirmation
--config CONFIG, -c CONFIG
UID or path of the configuration record.
--iam-aad-config IAM_AAD_CONFIG_UID, -iac IAM_AAD_CONFIG_UID
UID of a PAM Configuration. Used for an IAM or Azure AD user in place of --resource.
--resource RESOURCE, -rs RESOURCE
UID or path of the resource record.
--schedulejson SCHEDULE_JSON_DATA, -sj SCHEDULE_JSON_DATA
JSON of the scheduler. Example: -sj '{"type": "WEEKLY", "utcTime": "15:44", "weekday": "SUNDAY", "intervalCount": 1}'
--schedulecron SCHEDULE_CRON_DATA, -sc SCHEDULE_CRON_DATA
Cron tab string of the scheduler. Example: to run job daily at 5:56PM UTC enter following cron -sc "56 17 * * *"
--on-demand, -od Schedule On Demand
--schedule-config, -sf
Schedule from Configuration
--complexity PWD_COMPLEXITY, -x PWD_COMPLEXITY
Password complexity: length, upper, lower, digits, symbols. Ex. 32,5,5,5,5[,SPECIAL CHARS]
--admin-user ADMIN, -a ADMIN
UID or path for the PAMUser record to configure the admin credential on the PAM Resource as the Admin when rotating
--enable, -e Enable rotation
--disable, -d Disable rotation
Example - Set the rotation schedule using JSON
The --schedulejsonor -sj params are used to set the schedule via JSON.
Rotate the PAM User record every month, on the 1st, at 4:00AM my time.
time - A 24 hours formatted time when the jobs should be triggered.
tz - You local IANA time zone. (i.e., America/Chicago)
intervalCount - Optional; The number of days between triggers. Allows ability to skip days.
WEEKLY
The job is triggered every week.
type - WEEKLY
weekday - Week day name. Must be the full name, all in uppercase.
SUNDAY
MONDAY
TUESDAY
WEDNESDAY
THURSDAY
FRIDAY
SATURDAY
time - A 24 hours formatted time when the jobs should be triggered.
tz - You local IANA time zone. (i.e., America/Chicago)
intervalCount - Optional; If set to a value greater than 1, weekday will be ignored. The job will be triggers the multiple times per week starting on Sunday. The day will be based on the value of intervalCount .
MONTHLY_BY_DAY
The job is triggered every month on a specific month day.
type - MONTHLY_BY_DAY
monthDay - Day of the month. Starts at 1 and goes to max number of days per month. Remeber that 29 can be a leap year day.
time - A 24 hours formatted time when the jobs should be triggered.
tz - You local IANA time zone. (i.e., America/Chicago)
intervalCount - Optional; If set to a value greater than 1, the job will trigger on the monthDay and will re-trigger every intervalCount days.
MONTHLY_BY_WEEKDAY
The job is triggered every month on a specific week day and time.
type - MONTHLY_BY_WEEKDAY
weekday - Week day name. Must be the full name, in all uppercase.
SUNDAY
MONDAY
TUESDAY
WEDNESDAY
THURSDAY
FRIDAY
SATURDAY
occurrence - Which week to trigger. If fifth week, use LAST.
FIRST
SECOND
THIRD
FOURTH
LAST
time - A 24 hours formatted time when the jobs should be triggered.
tz - You local IANA time zone. (i.e., America/Chicago)
intervalCount - Optional; If set, and set to value other than 1, the trigger will start on the weekday and then trigger every intervalCount weeks.
YEARLY
The job is triggered yearly on a specific month, day and time.
type - YEARLY
month - Month name. Must be the full month name, in all uppercase.
JANUARY
FEBURARY
MARCH
APRIL
MAY
JUNE
JULY
AUGUST
SEPTEMBER
OCTOBER
NOVEMBER
DECEMBER
monthDay - Day of the month. Starts at 1 and goes to max number of days per month. Remeber that 29 can be a leap year day.
time - A 24 hours formatted time when the jobs should be triggered.
tz - You local IANA time zone. (i.e., America/Chicago)
intervalCount - Optional; If set, and set to value other than 1, every intervalCount year will be triggered.
Example - Set the password complexity for the PAM User
The --complexity or -x params are used to set the password complexity.
Set the password complexity to create a 20 character password with a minimum of 1 uppercase letter, 4 lowercase letters, 2 digits, and 2 symbols from the symbol set .=+- .
pam rotation edit -r XXXX -x 20,1,4,2,2,.=+-
The value is a comma separated value (CSV) style value with the following parts:
Overall password length
Minimum number of uppercase letters.
Minimum number of lowercase letters.
Minimum number of digits.
Minimum number of symbols.
Special set. After last comma, just type the special characters you would like. You are limited to symbols in the following set. If left blank, this symbol set will be used.
!@#$%^?();',.=+[]<>{}-_/\\*&:"`~|
list
My Vault> pam rotation list --help
usage: pam rotation list [-h] [--verbose]
optional arguments:
-h, --help show this help message and exit
--verbose, -v Verbose output
info
My Vault> pam rotation info --help
usage: dr-router-get-rotation-info-parser [-h] --record-uid RECORD_UID
optional arguments:
-h, --help show this help message and exit
--record-uid RECORD_UID, -r RECORD_UID
Record UID to rotate
script
My Vault> pam rotation script --help
pam command [--options]
Command Description
--------- ---------------------------------
list List script fields
add List Record Rotation Schedulers
edit Add, delete, or edit script field
delete Delete script field
Sub-Command: action
Detail: Discovery, rotation and service account management of PAM Resources
My Vault> pam action help
pam command [--options]
Command Description
------------ ---------------------
gateway-info Info command
discover Discover command
rotate Rotate command
job-info View Job details
job-cancel View Job details
service Manage services and scheduled tasks
debug PAM debug information
gateway-info
My Vault> pam action gateway-info --help
usage: dr-info-command [-h] [--gateway GATEWAY_UID] [--verbose]
optional arguments:
-h, --help show this help message and exit
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID
--verbose, -v Verbose Output
discover
My Vault> pam action discover --help
pam command [--options]
Command Description
--------- ----------------------------------
start Start a discovery process
status Status of discovery jobs
remove Cancel or remove of discovery jobs
process Process discovered items
rule Manage discovery rules
discover start
My Vault> pam action discover start --help
usage: dr-discover-start-command [-h] --gateway GATEWAY [--resource RESOURCE_UID] [--lang LANGUAGE] [--include-machine-dir-users] [--inc-azure-aadds]
[--skip-rules] [--skip-machines] [--skip-databases] [--skip-directories] [--skip-cloud-users] [--cred CREDENTIALS]
[--cred-file CREDENTIAL_FILE]
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name of UID.
--resource RESOURCE_UID, -r RESOURCE_UID
UID of the resource record. Set to discover specific resource.
--lang LANGUAGE Language
--include-machine-dir-users
Include directory users found on the machine.
--inc-azure-aadds Include Azure Active Directory Domain Service.
--skip-rules Skip running the rule engine.
--skip-machines Skip discovering machines.
--skip-databases Skip discovering databases.
--skip-directories Skip discovering directories.
--skip-cloud-users Skip discovering cloud users.
--cred CREDENTIALS List resource credentials.
--cred-file CREDENTIAL_FILE
A JSON file containing list of credentials.
discover status
My Vault> pam action discover status --help
usage: dr-discover-status-command [-h] [--gateway GATEWAY] [--job-id JOB_ID] [--history]
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Show only discovery jobs from a specific gateway.
--job-id JOB_ID, -j JOB_ID
Detailed information for a specific discovery job.
--history Show history
discover remove
My Vault> pam action discover remove --help
usage: dr-discover-command-process [-h] --job-id JOB_ID
options:
-h, --help show this help message and exit
--job-id JOB_ID, -j JOB_ID
Discovery job id.
discover process
My Vault> pam action discover process --help
usage: dr-discover-command-process [-h] --job-id JOB_ID [--add-all] [--debug-gs-level DEBUG_LEVEL]
options:
-h, --help show this help message and exit
--job-id JOB_ID, -j JOB_ID
Discovery job to process.
--add-all Respond with ADD for all prompts.
--debug-gs-level DEBUG_LEVEL
GraphSync debug level. Default is 0
discover rule
My Vault> pam action discover rule --help
pam command [--options]
Command Description
--------- --------------
add Add a rule
list List all rules
remove Remove a rule
update Update a rule
discover rule add
My Vault> pam action discover rule add --help
usage: dr-discover-rule-add [-h] --gateway GATEWAY --action {add,ignore,prompt} --priority PRIORITY [--ignore-case] [--shared-folder-uid SHARED_FOLDER_UID]
--statement STATEMENT
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name of UID.
--action {add,ignore,prompt}, -a {add,ignore,prompt}
Action to take if rule matches
--priority PRIORITY, -p PRIORITY
Rule execute priority
--ignore-case Ignore value case. Rule value must be in lowercase.
--shared-folder-uid SHARED_FOLDER_UID
Folder to place record.
--statement STATEMENT, -s STATEMENT
Rule statement
rotate
My Vault> pam action rotate --help
usage: dr-rotate-command [-h] --record-uid RECORD_UID
optional arguments:
-h, --help show this help message and exit
--record-uid RECORD_UID, -r RECORD_UID
Record UID to rotate
job-info
My Vault> pam action job-info --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id
positional arguments:
job_id
optional arguments:
-h, --help show this help message and exit
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID. Needed only if there are more than one gateway running
job-cancel
My Vault> pam action job-cancel --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id
positional arguments:
job_id
optional arguments:
-h, --help show this help message and exit
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID. Needed only if there are more than one gateway running
service list
My Vault> pam action service list -h
usage: pam-action-service-list [-h] --gateway GATEWAY
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name or UID
service add
My Vault> pam action service add -h
usage: pam-action-service-add [-h] --gateway GATEWAY --machine-uid MACHINE_UID --user-uid
USER_UID --type {service,task}
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name or UID
--machine-uid MACHINE_UID, -m MACHINE_UID
The UID of the Windows Machine record
--user-uid USER_UID, -u USER_UID
The UID of the User record
--type {service,task}, -t {service,task}
Relationship to add [service, task]
service remove
My Vault> pam action service remove -h
usage: pam-action-service-remove [-h] --gateway GATEWAY --machine-uid MACHINE_UID --user-uid
USER_UID --type {service,task}
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name or UID
--machine-uid MACHINE_UID, -m MACHINE_UID
The UID of the Windows Machine record
--user-uid USER_UID, -u USER_UID
The UID of the User record
--type {service,task}, -t {service,task}
Relationship to remove [service, task]
Sub-Command: tunnel
Detail: View and create Keeper Tunnels from the local machine to target infrastructure.
My Vault> pam tunnel help
pam command [--options]
Command Description
--------- -------------------------
start Start Tunnel
list List all Tunnels
stop Stop Tunnel to the server
tail View Tunnel Log
edit Edit Tunnel settings
start
My Vault> pam tunnel start -h
usage: pam tunnel start [-h] [--host HOST] [--port PORT] uid
positional arguments:
uid The Record UID of the PAM resource record with network information to use for tunneling
options:
-h, --help show this help message and exit
--host HOST, -o HOST The address on which the server will be accepting connections. It could be an IP address or a
hostname. Ex. set to 127.0.0.1 as default so only connections from the same machine will be accepted.
--port PORT, -p PORT The port number on which the server will be listening for incoming connections. If not set, random
open port on the machine will be used.
list
My Vault> pam tunnel list -h
usage: pam tunnel list [-h]
options:
-h, --help show this help message and exit
stop
My Vault> pam tunnel stop -h
usage: pam tunnel stop [-h] uid
positional arguments:
uid The Tunnel UID or Record UID
options:
-h, --help show this help message and exit
tail
My Vault> pam tunnel tail -h
usage: pam tunnel tail [-h] uid
positional arguments:
uid The Tunnel UID
options:
-h, --help show this help message and exit
edit
My Vault> pam tunnel edit -h
usage: pam tunnel edit [-h] [--configuration CONFIG] [--enable-tunneling] [--tunneling-override-port TUNNELING_OVERRIDE_PORT]
[--disable-tunneling] [--remove-tunneling-override-port]
uid
positional arguments:
uid The Record UID of the PAM resource record with network information to use for tunneling
options:
-h, --help show this help message and exit
--configuration CONFIG, -c CONFIG
The PAM Configuration UID to use for tunneling. Use command `pam config list` to view available PAM
Configurations.
--enable-tunneling, -et
Enable tunneling on the record
--tunneling-override-port TUNNELING_OVERRIDE_PORT, -top TUNNELING_OVERRIDE_PORT
Port to use for tunneling. If not provided, the port from the record will be used.
--disable-tunneling, -dt
Disable tunneling on the record
--remove-tunneling-override-port, -rtop
Remove tunneling override port
