KeeperPAM Commands
Management of KeeperPAM functionality including Discovery, Rotation, Connections and Tunneling
Last updated
Was this helpful?
Management of KeeperPAM functionality including Discovery, Rotation, Connections and Tunneling
Last updated
Was this helpful?
KeeperPAM including discovery, password rotation, PAM Configuration and Keeper Gateway configuration can be controlled and managed through Commander using the pam command and sub-commands. These commands support the and capabilities of Keeper Secrets Manager and KeeperPAM.
command: pam
Detail: Perform KeeperPAM controls.
My Vault> pam --help
pam command [--options]
Command Description
--------- -----------------------------
gateway Manage Gateways
config Manage PAM Configurations
rotation Manage Rotations
action Execute action on the Gateway
tunnel Manage TunnelsMy Vault> pam gateway help
pam command [--options]
Command Description
--------- ------------------
list List Gateways
new Create new Gateway
remove Remove GatewayMy Vault> pam config help
pam command [--options]
Command Description
--------- -------------------------------------------------------------
new Create new PAM Configuration
edit Edit PAM Configuration
list List available PAM Configurations associated with the Gateway
remove Remove a PAM ConfigurationPrerequisites: Ensure that the PAM user credential, PAM Machine or PAM Database records are staged in a shared folder - that there is a gateway configured, and everything is tied together in a PAM Configuration. This command will edit KCM connection parameters and user accounts that are attached to PAM Machine and PAM Database records. The process can be done in bulk with the run-batch command.
usage: pam connection edit [-h] [--configuration CONFIG] [--admin-user ADMIN]
[--protocol {,http,kubernetes,mysql,postgresql,rdp,sql-server,ssh,telnet,vnc}]
[--connections {on,off,default}] [--connections-recording {on,off,default}]
[--typescript-recording {on,off,default}]
[--connections-override-port CONNECTIONS_OVERRIDE_PORT] [--silent]
record
positional arguments:
record The record UID or path of the PAM resource record with network information to use for
connections
options:
-h, --help show this help message and exit
--configuration CONFIG, -c CONFIG
The PAM Configuration UID or path to use for connections. Use command `pam config list` to
view available PAM Configurations.
--admin-user ADMIN, -a ADMIN
The record path or UID of the PAM User record to configure the admin credential on the PAM
Resource
--protocol {,http,kubernetes,mysql,postgresql,rdp,sql-server,ssh,telnet,vnc}, -p {,http,kubernetes,mysql,postgresql,rdp,sql-server,ssh,telnet,vnc}
Set connection protocol
--connections {on,off,default}, -cn {on,off,default}
Set connections permissions
--connections-recording {on,off,default}, -cr {on,off,default}
Set recording connections permissions for the resource
--typescript-recording {on,off,default}, -tr {on,off,default}
Set TypeScript recording permissions for the resource
--connections-override-port CONNECTIONS_OVERRIDE_PORT, -cop CONNECTIONS_OVERRIDE_PORT
Port to use for connections. If not provided, the port from the record will be used.
--silent, -s Silent mode - don't print PAM User, PAM Config etc.1. My Vault> pam connection edit "/Share Folder Name/Record Name" -c ocYDOuzwt3n0iYXuYk0lHw
-a "/Share Folder Name/Record Name" -p=rdp -cn=on -cr=on -cop=3389
2. My Vault> pam connection edit "/{{ Email }}/{{ Email }} SSH" -c ocYDOuzwt3n0iYXuYk0lHw
-a "/Share Folder Name/Record Name" -p=ssh -cn=on -cr=on -cop=22 -s
3. My Vault> pam connection edit "/{{ Email }}/{{ Email }} MSSQL" -c ocYDOuzwt3n0iYXuYk0lHw
-a "/Share Folder Name/Record Name" -p=sql-server -cn=on -tr=on -cop=1433example 1: Creates an RDP connection and assigns an administrative credential and PAM configuration. Activates the connection and screen recording.
example 2: Creates an SSH connection and assigns and administrative credential and PAM configuration. Activates the connection and screen recording while running in silent mode without screen outputs.
example 3: Creates an MSSQL connection and assigns and administrative credential and PAM configuration. Activates the connection and typescript recording.
Detail: View and create Keeper Rotation configuration for records.
My Vault> pam rotation help
pam command [--options]
Command Description
--------- -----------------------------------
edit Edits Record Rotation configuration
list List Record Rotation configuration
info Get Rotation Info
script Add, delete, or edit script fieldMy Vault> pam rotation edit --help
usage: pam rotation edit [-h] (--record RECORD_NAME | --folder FOLDER_NAME) [--force] [--config CONFIG] [--iam-aad-config IAM_AAD_CONFIG_UID] [--resource RESOURCE]
[--schedulejson SCHEDULE_JSON_DATA | --schedulecron SCHEDULE_CRON_DATA | --on-demand | --schedule-config] [--complexity PWD_COMPLEXITY]
[--admin-user ADMIN] [--enable | --disable]
options:
-h, --help show this help message and exit
--record RECORD_NAME, -r RECORD_NAME
Record UID, name, or pattern to be rotated manually or via schedule
--folder FOLDER_NAME, -fd FOLDER_NAME
Used for bulk rotation setup. The folder UID or name that holds records to be configured
--force, -f Do not ask for confirmation
--config CONFIG, -c CONFIG
UID or path of the configuration record.
--iam-aad-config IAM_AAD_CONFIG_UID, -iac IAM_AAD_CONFIG_UID
UID of a PAM Configuration. Used for an IAM or Azure AD user in place of --resource.
--resource RESOURCE, -rs RESOURCE
UID or path of the resource record.
--schedulejson SCHEDULE_JSON_DATA, -sj SCHEDULE_JSON_DATA
JSON of the scheduler. Example: -sj '{"type": "WEEKLY", "utcTime": "15:44", "weekday": "SUNDAY", "intervalCount": 1}'
--schedulecron SCHEDULE_CRON_DATA, -sc SCHEDULE_CRON_DATA
Cron tab string of the scheduler. Example: to run job daily at 5:56PM UTC enter following cron -sc "56 17 * * *"
--on-demand, -od Schedule On Demand
--schedule-config, -sf
Schedule from Configuration
--complexity PWD_COMPLEXITY, -x PWD_COMPLEXITY
Password complexity: length, upper, lower, digits, symbols. Ex. 32,5,5,5,5[,SPECIAL CHARS]
--admin-user ADMIN, -a ADMIN
UID or path for the PAMUser record to configure the admin credential on the PAM Resource as the Admin when rotating
--enable, -e Enable rotation
--disable, -d Disable rotationMy Vault> pam rotation list --help
usage: pam rotation list [-h] [--verbose]
optional arguments:
-h, --help show this help message and exit
--verbose, -v Verbose outputMy Vault> pam rotation info --help
usage: dr-router-get-rotation-info-parser [-h] --record-uid RECORD_UID
optional arguments:
-h, --help show this help message and exit
--record-uid RECORD_UID, -r RECORD_UID
Record UID to rotateMy Vault> pam rotation script --help
pam command [--options]
Command Description
--------- ---------------------------------
list List script fields
add List Record Rotation Schedulers
edit Add, delete, or edit script field
delete Delete script fieldDetail: Discovery, rotation and service account management of PAM Resources
My Vault> pam action help
pam command [--options]
Command Description
------------ ---------------------
gateway-info Info command
discover Discover command
rotate Rotate command
job-info View Job details
job-cancel View Job details
service Manage services and scheduled tasks
debug PAM debug informationMy Vault> pam action gateway-info --help
usage: dr-info-command [-h] [--gateway GATEWAY_UID] [--verbose]
optional arguments:
-h, --help show this help message and exit
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID
--verbose, -v Verbose OutputMy Vault> pam action discover --help
pam command [--options]
Command Description
--------- ----------------------------------
start Start a discovery process
status Status of discovery jobs
remove Cancel or remove of discovery jobs
process Process discovered items
rule Manage discovery rulesMy Vault> pam action discover start --help
usage: dr-discover-start-command [-h] --gateway GATEWAY [--resource RESOURCE_UID] [--lang LANGUAGE] [--include-machine-dir-users] [--inc-azure-aadds]
[--skip-rules] [--skip-machines] [--skip-databases] [--skip-directories] [--skip-cloud-users] [--cred CREDENTIALS]
[--cred-file CREDENTIAL_FILE]
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name of UID.
--resource RESOURCE_UID, -r RESOURCE_UID
UID of the resource record. Set to discover specific resource.
--lang LANGUAGE Language
--include-machine-dir-users
Include directory users found on the machine.
--inc-azure-aadds Include Azure Active Directory Domain Service.
--skip-rules Skip running the rule engine.
--skip-machines Skip discovering machines.
--skip-databases Skip discovering databases.
--skip-directories Skip discovering directories.
--skip-cloud-users Skip discovering cloud users.
--cred CREDENTIALS List resource credentials.
--cred-file CREDENTIAL_FILE
A JSON file containing list of credentials.My Vault> pam action discover status --help
usage: dr-discover-status-command [-h] [--gateway GATEWAY] [--job-id JOB_ID] [--history]
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Show only discovery jobs from a specific gateway.
--job-id JOB_ID, -j JOB_ID
Detailed information for a specific discovery job.
--history Show history
My Vault> pam action discover remove --help
usage: dr-discover-command-process [-h] --job-id JOB_ID
options:
-h, --help show this help message and exit
--job-id JOB_ID, -j JOB_ID
Discovery job id.My Vault> pam action discover process --help
usage: dr-discover-command-process [-h] --job-id JOB_ID [--add-all] [--debug-gs-level DEBUG_LEVEL]
options:
-h, --help show this help message and exit
--job-id JOB_ID, -j JOB_ID
Discovery job to process.
--add-all Respond with ADD for all prompts.
--debug-gs-level DEBUG_LEVEL
GraphSync debug level. Default is 0My Vault> pam action discover rule --help
pam command [--options]
Command Description
--------- --------------
add Add a rule
list List all rules
remove Remove a rule
update Update a ruleMy Vault> pam action discover rule add --help
usage: dr-discover-rule-add [-h] --gateway GATEWAY --action {add,ignore,prompt} --priority PRIORITY [--ignore-case] [--shared-folder-uid SHARED_FOLDER_UID]
--statement STATEMENT
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name of UID.
--action {add,ignore,prompt}, -a {add,ignore,prompt}
Action to take if rule matches
--priority PRIORITY, -p PRIORITY
Rule execute priority
--ignore-case Ignore value case. Rule value must be in lowercase.
--shared-folder-uid SHARED_FOLDER_UID
Folder to place record.
--statement STATEMENT, -s STATEMENT
Rule statementMy Vault> pam action rotate --help
usage: dr-rotate-command [-h] --record-uid RECORD_UID
optional arguments:
-h, --help show this help message and exit
--record-uid RECORD_UID, -r RECORD_UID
Record UID to rotateMy Vault> pam action job-info --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id
positional arguments:
job_id
optional arguments:
-h, --help show this help message and exit
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID. Needed only if there are more than one gateway runningMy Vault> pam action job-cancel --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id
positional arguments:
job_id
optional arguments:
-h, --help show this help message and exit
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID. Needed only if there are more than one gateway running
My Vault> pam action service list -h
usage: pam-action-service-list [-h] --gateway GATEWAY
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name or UIDMy Vault> pam action service add -h
usage: pam-action-service-add [-h] --gateway GATEWAY --machine-uid MACHINE_UID --user-uid
USER_UID --type {service,task}
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name or UID
--machine-uid MACHINE_UID, -m MACHINE_UID
The UID of the Windows Machine record
--user-uid USER_UID, -u USER_UID
The UID of the User record
--type {service,task}, -t {service,task}
Relationship to add [service, task]My Vault> pam action service remove -h
usage: pam-action-service-remove [-h] --gateway GATEWAY --machine-uid MACHINE_UID --user-uid
USER_UID --type {service,task}
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name or UID
--machine-uid MACHINE_UID, -m MACHINE_UID
The UID of the Windows Machine record
--user-uid USER_UID, -u USER_UID
The UID of the User record
--type {service,task}, -t {service,task}
Relationship to remove [service, task]Detail: View and create Keeper Tunnels from the local machine to target infrastructure.
My Vault> pam tunnel help
pam command [--options]
Command Description
--------- -------------------------
start Start Tunnel
list List all Tunnels
stop Stop Tunnel to the server
tail View Tunnel Log
edit Edit Tunnel settingsMy Vault> pam tunnel start -h
usage: pam tunnel start [-h] [--host HOST] [--port PORT] uid
positional arguments:
uid The Record UID of the PAM resource record with network information to use for tunneling
options:
-h, --help show this help message and exit
--host HOST, -o HOST The address on which the server will be accepting connections. It could be an IP address or a
hostname. Ex. set to 127.0.0.1 as default so only connections from the same machine will be accepted.
--port PORT, -p PORT The port number on which the server will be listening for incoming connections. If not set, random
open port on the machine will be used.My Vault> pam tunnel list -h
usage: pam tunnel list [-h]
options:
-h, --help show this help message and exitMy Vault> pam tunnel stop -h
usage: pam tunnel stop [-h] uid
positional arguments:
uid The Tunnel UID or Record UID
options:
-h, --help show this help message and exitMy Vault> pam tunnel tail -h
usage: pam tunnel tail [-h] uid
positional arguments:
uid The Tunnel UID
options:
-h, --help show this help message and exitMy Vault> pam tunnel edit -h
usage: pam tunnel edit [-h] [--configuration CONFIG] [--enable-tunneling] [--tunneling-override-port TUNNELING_OVERRIDE_PORT]
[--disable-tunneling] [--remove-tunneling-override-port]
uid
positional arguments:
uid The Record UID of the PAM resource record with network information to use for tunneling
options:
-h, --help show this help message and exit
--configuration CONFIG, -c CONFIG
The PAM Configuration UID to use for tunneling. Use command `pam config list` to view available PAM
Configurations.
--enable-tunneling, -et
Enable tunneling on the record
--tunneling-override-port TUNNELING_OVERRIDE_PORT, -top TUNNELING_OVERRIDE_PORT
Port to use for tunneling. If not provided, the port from the record will be used.
--disable-tunneling, -dt
Disable tunneling on the record
--remove-tunneling-override-port, -rtop
Remove tunneling override portDetail: View, create and remove Keeper Gateway services. To learn more about the Keeper Gateway .
Detail: View, create, edit and remove Keeper PAM Configurations. To learn more about PAM Configurations .