Getting Started
Getting Started with configuring connections on your PAM Record types
Overview
In this guide, you will learn how to setup connections for all the supported protocols on your PAM Record types in your Keeper Vault.
An active license is required in order to use the features available with KeeperPAM. This license is available for both business and enterprise customers.
Prerequisites
Prior to configuring Connections, make sure to have the following:
Connection Enforcement Policies
The following Enforcement Policies affect user's permissions to use Connections and need to be enabled.
Enforcement policies for KeeperPAM are managed in the Keeper Admin Console under Admin > Roles > Enforcement Policies > Privileged Access Manager.
Can configure connection settings
ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGSAllow users to configure Tunnel settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Records Types
Can start connections
ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTIONAllow users to start tunnels on PAM Machine, PAM Directory and PAM Database Record Types
Can view recordings
ALLOW_VIEW_KCM_RECORDINGSAllow users to view session Recordings.
Tunnels can also be enabled on the Keeper Commander CLI using the enterprise-role command:
enterprise-role "My Role" --enforcement "ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS":true
enterprise-role "My Role" --enforcement "ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION":true
enterprise-role "My Role" --enforcement "ALLOW_VIEW_KCM_RECORDINGS":trueEnforcement Policy Use Cases
If a user should only have access to launching connections and not configuring connections, then only "Can start connections" policy should be enabled for the user.
In addition to launching connections, If a user should also have access to configure connections, then "Can configure connections settings" and "Can start connections" should be enabled for the user.
Session Recordings
Launched connections can also be recorded. These recordings are available on the PAM Machine, PAM Database, or PAM Directory record types and can be played back on your Vault. For more details on session recording and playback, visit this page.
Installing the Keeper Gateway
The Keeper Gateway is a hosted agentless service that is installed on the customer's network to enabled zero-trust access to target infrastructure. Typically this service is installed on a Linux or Docker environment in each of the networks that requires access.
For more details on installing and setting up your gateway, visit this page.
PAM Configuration
The PAM Configuration contains essential information of your target infrastructure, settings and Keeper Gateway. Setting up a PAM Configuration for your infrastructure is required. For more information on creating and configuring the PAM Configuration, visit this page.
PAM Machine, PAM Database and PAM Directory
A Keeper Connection is a secure, encrypted interactive session established between your vault client to the target endpoint. The target endpoint needs to be defined on one of the following PAM Record types:
Windows/MacOS/Linux Machines, EC2 Instances, Azure VMs
MySQL, PostgreSQL, SQL Server, MongoDB, MariaDB, Oracle
Active Directory, OpenLDAP
Web-based applications
Depending on your target endpoint, visit the corresponding PAM Record Type page for more information on setup.
Supported Connection Protocols
The following table lists all the supported connection protocol that can be configured in your Keeper Vault. Visit the associated link for each protocol for more details on configuration.
PAM Machine
Connecting to the target defined on the PAM Machine Record with the SSH connection protocol
PAM Machine
Connecting to the target defined on the PAM Machine Record with the RDP connection protocol
PAM Browser
Connecting to the URL defined in the PAM Browser Record with the Remote Browser Isolation (http/https) protocol
PAM Database
Connecting to the target defined on the PAM Database Record with the MySQL connection protocol
PAM Database
Connecting to the target defined on the PAM Database Record with the SQL Server connection protocol
PAM Database
Connecting to the target defined on the PAM Database Record with the PostgreSQL connection protocol
PAM Machine
Connecting to the target defined on the PAM Machine Record with the VNC connection protocol
PAM Machine
Connecting to the target defined on the PAM Machine Record with the Telnet connection protocol
Connection Authentication Methods
Keeper Connections can be authenticated using one of the following methods:
Launch Credential The session to the target is authenticated using the "Launch Credentials" configured directly on the PAM Machine, PAM Database, or PAM Directory record types. The user does not need access to the credentials in order to launch the connection.
Personal/Private Credential When "Allow users to select credentials from the vault" is enabled, users can choose to authenticate the session to the target using a personal/private credential stored securely in their own Keeper Vault.
Ephemeral Accounts When the ephemeral account feature is enabled on the PAM Machine or PAM database resources, a system-generated, time-limited privileged account is created specifically for the session. This account is deleted automatically after the session ends, eliminating standing privilege. This method is used for Just-In-Time access with no persistent account on the target system.
Connection Templates
The PAM record type with your target system can also be configured as a Connection template. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential. For more information, visit the following:
Connection TemplatesLast updated
Was this helpful?