# PAM Database

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FG43gSJCEtSl4zWbGowLm%2FKeeperPAM%20Database.jpg?alt=media&#x26;token=977d6327-73b4-4fa5-98cd-2783e905db39" alt=""><figcaption></figcaption></figure>

## Overview

In your Keeper Vault, the following assets can be configured on the PAM Database record type:

<table><thead><tr><th width="215">PAM Record Type</th><th>Supported Assets </th></tr></thead><tbody><tr><td>PAM Database </td><td>MySQL, PostgreSQL, SQL Server, MongoDB, MariaDB, Oracle </td></tr></tbody></table>

This guide will cover the **PAM Database** Record type in more details.&#x20;

## Features Available

The PAM Database resource supports the following features:

* Password rotation
* Zero-trust Connections
* TCP Tunnels
* Graphical session recording
* Text session recording (Typescript)
* Sharing access without sharing credentials

{% hint style="info" %}
Connecting to the PAM database requires only that the Keeper Gateway has access to the database either through native protocols or AWS/Azure APIs. The Keeper Vault operates independently and does not require direct connectivity to the database, leveraging Keeper's zero-trust network access model to securely manage access through the Gateway. See the [network architecture diagram](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/architecture/system-architecture) for more details.
{% endhint %}

## Creating a PAM Database

Prior to creating a PAM Database, make sure you have already created a PAM Configuration. The PAM Configuration contains information of your target infrastructure while the PAM Database contains information about the target database, such as the hostname, type (MySQL, PostgreSQL, etc) and port number.

To create a PAM Database:

* Click on **Create New**&#x20;
* Depending on your use case, click on "Rotation", "Tunnel", or "Connection"&#x20;
* On the prompted window:
  * Select "**New Record**"&#x20;
  * Select the Shared Folder you want the record to be created in&#x20;
  * Specify the Title
  * Select "**Database**" for the Target&#x20;
* Click "**Next**" and complete all of the required information.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FafSL2rOYf5xNGoajV91A%2FScreenshot%202024-12-28%20at%206.45.24%E2%80%AFPM.png?alt=media&#x26;token=c517c017-ae7c-4b7e-8a1e-5b43aedac786" alt=""><figcaption><p>Create a PAM Database</p></figcaption></figure>

## PAM Database Record Type Fields

The following table lists all the configurable fields on the PAM Database Record Type:

<table><thead><tr><th width="167">Field</th><th width="253">Description</th><th>Notes</th></tr></thead><tbody><tr><td>Hostname or IP Address</td><td>Address of the Database Resource</td><td><strong>Required</strong></td></tr><tr><td>Port</td><td>Port to connect to the Database Resource</td><td><strong>Required</strong><br><br>Standard ports are:<br>PostgreSQL: 5432<br>MySQL: 3306<br>Maria DB: 3306<br>Microsoft SQL: 1433<br>Oracle: 1521<br>Mongo DB: 27017</td></tr><tr><td>Use SSL</td><td>Use SSL when connecting</td><td></td></tr><tr><td>Connect Database</td><td>Database name to connect to</td><td><strong>Required</strong> for connecting to PostgreSQL, MongoDB, and MS SQL Server</td></tr><tr><td>Database Id</td><td>Azure or AWS Resource ID</td><td><strong>Required</strong> if a managed AWS or Azure Database</td></tr><tr><td>Database Type</td><td>Appropriate database type from supported databases.</td><td>If a non-standard port is provided, the Database Type will be used to determine connection method.<br></td></tr><tr><td>Provider Group</td><td>Azure or AWS Provider Group</td><td><strong>Required</strong> if a managed AWS or Azure Database</td></tr><tr><td>Provider Region</td><td>Azure or AWS Provider Region</td><td><strong>Required</strong> if a managed AWS or Azure Database</td></tr></tbody></table>

## PAM Settings and Administrative Credentials&#x20;

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FHeovfKrm4CXGKwiIqq11%2FScreenshot%202025-01-01%20at%209.27.18%E2%80%AFAM.png?alt=media&#x26;token=b4e0a075-94bf-43da-aa25-bf684ab3a00d" alt=""><figcaption><p>PAM Settings and Administrative Credentials</p></figcaption></figure>

### PAM Settings

<table><thead><tr><th>Field</th><th width="235">Description</th><th>Required</th></tr></thead><tbody><tr><td>PAM Configuration</td><td>Associated PAM Configuration record which defines the environment</td><td><strong>Required</strong></td></tr><tr><td>Administrative Credential Record</td><td>Linked PAM User credential used for connection and administrative operations</td><td><strong>Required</strong><br>Visit this <a href="#pam-settings-and-administrative-credentials">section</a> for more details </td></tr><tr><td>Protocol</td><td>Native database protocol used for connecting from the Gateway to the target</td><td><strong>Required</strong></td></tr><tr><td>Session Recording</td><td>Options for recording sessions and typescripts</td><td>See <a href="../../session-recording-and-playback">session recording</a></td></tr><tr><td>Connection Parameters<br>(multiple)</td><td>Connection-specific protocol settings which can vary based on the protocol type</td><td>Depends on protocol</td></tr></tbody></table>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FQDnmwlO5pIBfiNFcSqJM%2FScreenshot%202025-01-01%20at%209.48.44%E2%80%AFAM.png?alt=media&#x26;token=f3cd398b-968e-4933-8a6d-7b1219374da4" alt=""><figcaption><p>PAM Settings on Database resource</p></figcaption></figure>

Below is an example of a PAM Database record with Connections and Tunnels activated.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FVSwnnpOvh75YONo6GSFD%2FScreenshot%202025-01-01%20at%209.53.35%E2%80%AFAM.png?alt=media&#x26;token=0bbbe72f-3230-4d03-98b7-71f52edd1469" alt=""><figcaption><p>PAM Database with Connections and Tunnels activated</p></figcaption></figure>

## Examples

Visit the following pages to set up:

* [MySQL Database](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-database/example-mysql-database)
* [PostgreSQL Database](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-database/example-postgresql-database)
* [Microsoft SQL Server Database](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-database/example-microsoft-sql-server-database)