PAM Configuration

Creating a PAM Configuration in the Keeper Vault

Overview

In Keeper, the PAM Configuration contains essential information of your target infrastructure, settings and associated Keeper Gateway. We recommend setting up one PAM Configuration for each Gateway and network being managed.

Creating PAM Configuration

To create a new PAM Configuration:

Login to the Keeper Vault
Select Secrets Manager and the "PAM Configurations" tab
Click on "New Configuration"

PAM Configuration Fields

When setting up the PAM Configuration, you have the option of choosing one of the following environments:

The following tables provides more details on each configurable fields in the PAM Configuration record regardless of the environment you choose:

Field

Description

Notes

Title

Name of PAM configuration record

Ex: US-EAST-1 Config

Gateway

The configured gateway

See docs for more info

Application Folder

The shared folder where the PAM Configuration data will be stored

Best practice is to create a folder with limited access to admins. See Security Note (1) below

PAM Settings

List of Zero-Trust KeeperPAM features that should be enabled

See this section for more info

Default Rotation Schedule

Specify frequency of Rotation

Ex: Daily

Port Mapping

Define alternative default ports

Ex: 3307=mysqlSee port mapping docs

Security Note (1) The PAM Configuration information is stored as a record in the vault inside the specified Application Folder and may contain secrets. Therefore, we recommend that the Application Folder should be limited in access to only privileged admins.

The following tables provides more details on each configurable fields in the PAM Network Configuration record based on the environment you chose:

Local Network Environment

Field

Description

Notes

Network ID

Unique ID for the network

This is for the user's reference

Ex: My Network

Network CIDR

Subnet of the IP address

Ex: 192.168.0.15/24 Refer to this for more info

AWS Environment

Field

Description

Notes

AWS ID

A unique id for the instance of AWS

Required, This is for the user's reference Ex: AWS-US-EAST-1

Access Key ID

From an IAM user account, the Access key ID from the desired Access key.

Leave Empty when EC2 instance role is assumed.

Secret Access Key

The secret key for the access key.

Leave Empty when EC2 instance role is assumed.

Region Names

AWS region names used for discovery. Separate newline per region

Ex: us-east-2 us-west-1

Port Mapping

Any non-standard ports referenced. Separate newline per entry

Ex: 2222=ssh 3390=rdp

See additional information on AWS Environment Setup

Azure Environment

Field

Description

Notes

Azure ID

A unique id for your instance of Azure

Required, This is for the user's reference Ex: Azure-1

Client ID

The application/client id (UUID) of the Azure application

Required

Client Secret

The client credentials secret for the Azure application

Required

Subscription ID

The UUID of the subscription (i.e. Pay-As-You-GO).

Required

Tenant ID

The UUID of the Azure Active Directory

Required

Resource Groups

A list of resource groups to be checked. If left blank, all resource groups will be checked. Newlines should separate each resource group.

See additional information on Azure Environment Setup

Domain Controller Environment

This PAM Configuration type is not yet available, it will be launched in January 2025.

Field

Description

Required

DNS Domain Name

The FQDN domain used by the Domain Controller. For example, EXAMPLE.COM and not EXAMPLE.

Yes

Hostname and Port

Hostname and port for the domain controller.

Yes

Use SSL

If using LDAPS (default 636), check the box. If using LDAP (default 389), uncheck the box.

Yes

Scan Network

Scan the CIDRs from the domain controller. Default to False.

Network CIDR

Scan additional CIDRs from the field.

Port Mapping

Define alternative default ports

PAM Features on PAM Configuration

The "PAM Features Allowed" and "Session Recording Types Allowed" sections in the PAM Configuration allow owners to enable or disable KeeperPAM features for resources managed through the PAM configuration:

Field

Description

Rotation

If enabled, allow rotations on privileged user users managed by this PAM configuration

Connections

If enabled, allow connections on resources managed by this PAM configuration

Remote Browser Isolation (RBI)

If enabled, allow RBI sessions on resources managed by this PAM configuration

Tunneling

If enabled, allow tunnels on resources managed by this PAM configuration

Graphical Session Recording

If enabled, visual playback sessions will be recorded for all connections and RBI sessions

Text Session Recording (TypeScript)

If enabled, text input and output logs will be logged for all connections and RBI sessions

PreviousGateway Configuration with Custom Fields NextAWS Environment Setup

Last updated 2 months ago

Was this helpful?