PAM Database

KeeperPAM resource for managing databases either on-prem or in the cloud

Overview

In your Keeper Vault, the following assets can be configured on the PAM Database record type:

| PAM Record Type | Supported Assets |
| --- | --- |
| PAM Database | MySQL, PostgreSQL, SQL Server, MongoDB, MariaDB, Oracle |

This guide covers the PAM Database record type in more detail.

Features Available

The PAM Database resource supports the following features:

  • Password rotation

  • Zero-trust Connections

  • TCP Tunnels

  • Graphical session recording

  • Text session recording (Typescript)

  • Sharing access without sharing credentials

Connecting to the PAM database requires only that the Keeper Gateway has access to the database either through native protocols or AWS/Azure APIs. The Keeper Vault operates independently and does not require direct connectivity to the database, leveraging Keeper's zero-trust network access model to securely manage access through the Gateway. See the network architecture diagram for more details.

Creating a PAM Database

Prior to creating a PAM Database, make sure you have already created a PAM Configuration. The PAM Configuration contains information about your target infrastructure, while the PAM Database contains information about the target database, such as the hostname, type (MySQL, PostgreSQL, etc.) and port number.

To create a PAM Database:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Database" for the Target

  • Click "Next" and complete all of the required information.

[Image: Create a PAM Database]

PAM Database Record Type Fields

The following table lists all the configurable fields on the PAM Database Record Type:

| Field | Description | Notes |
| --- | --- | --- |
| Hostname or IP Address | Address of the Database Resource | Required |
| Port | Port to connect to the Database Resource | Required. Standard ports are: PostgreSQL: 5432, MySQL: 3306, MariaDB: 3306, Microsoft SQL: 1433, Oracle: 1521, MongoDB: 27017 |
| Use SSL | Use SSL when connecting | |
| Connect Database | Database name to connect to | Required for connecting to PostgreSQL, MongoDB, and MS SQL Server |
| Database Id | Azure or AWS Resource ID | Required if a managed AWS or Azure Database |
| Database Type | Appropriate database type from supported databases. | If a non-standard port is provided, the Database Type will be used to determine connection method. |
| Provider Group | Azure or AWS Provider Group | Required if a managed AWS or Azure Database |
| Provider Region | Azure or AWS Provider Region | Required if a managed AWS or Azure Database |
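
The field rules in the table above can be checked before a record is created. The following Python lint is an added example, not Keeper's code; the dictionary keys, the database type strings and the `managed` flag are assumptions made for illustration.

```python
# Added example; dict keys and type strings are assumptions, not Keeper's schema.
STANDARD_PORTS = {  # standard ports from the field table
    "postgresql": 5432, "mysql": 3306, "mariadb": 3306,
    "mssql": 1433, "oracle": 1521, "mongodb": 27017,
}
NEEDS_CONNECT_DB = {"postgresql", "mongodb", "mssql"}  # Connect Database required
MANAGED_FIELDS = ("database_id", "provider_group", "provider_region")


def lint_pam_database(rec):
    """Return (errors, warnings) for one record's field values."""
    errors, warnings = [], []
    db_type = str(rec.get("database_type") or "").lower()
    if not rec.get("host"):
        errors.append("Hostname or IP Address is required")
    port = rec.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        errors.append("Port is required (1-65535)")
        port = None
    if db_type and db_type not in STANDARD_PORTS:
        errors.append(f"Unsupported Database Type: {db_type}")
    elif port is not None and not db_type:
        # With a non-standard port the type selects the connection method.
        if port not in STANDARD_PORTS.values():
            errors.append("Non-standard port: Database Type must be set")
    elif port is not None and port != STANDARD_PORTS[db_type]:
        warnings.append(f"Port {port} is not the standard {db_type} port")
    if db_type in NEEDS_CONNECT_DB and not rec.get("connect_database"):
        errors.append(f"Connect Database is required for {db_type}")
    if rec.get("managed"):  # hypothetical flag: managed AWS or Azure database
        errors += [f"{f} is required for a managed database"
                   for f in MANAGED_FIELDS if not rec.get(f)]
    if not rec.get("use_ssl"):
        warnings.append("Use SSL is not enabled")
    return errors, warnings


# Constructed sample records, not real infrastructure.
SAMPLES = [
    {"host": "db1.example.internal", "port": 5432, "use_ssl": True,
     "database_type": "postgresql", "connect_database": "appdb"},
    {"host": "10.0.0.7", "port": 15432, "use_ssl": False},
    {"host": "db2.example.internal", "port": 3306, "use_ssl": True,
     "database_type": "mysql", "managed": True, "database_id": "PLACEHOLDER"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["host"], *lint_pam_database(rec), sep="\n  ")
```

Errors correspond to fields the table marks as required; warnings flag settings worth a second look, such as a port that differs from the standard one for the declared type.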

PAM Settings and Administrative Credentials

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.

[Image: PAM Settings and Administrative Credentials]

PAM Settings

| Field | Description | Required |
| --- | --- | --- |
| PAM Configuration | Associated PAM Configuration record which defines the environment | Required |
| Administrative Credential Record | Linked PAM User credential used for connection and administrative operations | Required. Visit this section for more details |
| Protocol | Native database protocol used for connecting from the Gateway to the target | Required |
| Session Recording | Options for recording sessions and typescripts | |
| Connection Parameters (multiple) | Connection-specific protocol settings which can vary based on the protocol type | Depends on protocol |

[Image: PAM Settings on Database resource]

Below is an example of a PAM Database record with Connections and Tunnels activated.

[Image: PAM Database with Connections and Tunnels activated]

Examples

Visit the following pages to set up:
