Importing PAM Resources

How to bulk import KeeperPAM resources

Overview

Keeper supports importing of PAM resources in bulk through the Keeper Commander CLI. This allows you to import a large number of resources, along with a PAM Configuration, Gateway and project folders.

In this page, we will demonstrate importing a large number of domain-joined Windows servers and local admin accounts.

Overview of the Workflow

Create a JSON file that includes information about your project and resources.
A CSV file can be used to create or merge content into this JSON file. This process is documented here.
Import the JSON file with the pam project import command.

Prerequisites

Requirement

Notes

Keeper Commander v17.1.8 or newer

Verify with keeper version

KeeperPAM License

Enabled in the Keeper Admin Console

Admin role with Manage PAM permission

Enabled in the Keeper Admin Console

1 - JSON Structure

You can find an example JSON file below:

{
    "project": "XXX:Project1",
    "shared_folder_users": {
        "manage_users": true,
        "manage_records": true,
        "can_edit": true,
        "can_share": true
    },
    "shared_folder_resources": {
        "manage_users": true,
        "manage_records": true,
        "can_edit": true,
        "can_share": true
    },
    "pam_configuration": {
        "environment": "local",
        "connections": "on",
        "rotation": "on",
        "graphical_session_recording": "on"
    },
    "pam_data": {
        "resources": [
            {
                "_comment1": "Every key that starts with '_' is a comment and can be ignored or deleted",
                "_comment2": "Every value that starts with uppercase 'XXX:' must be replaced with actual value (removed if not required)",
                "_comment3": "Every value that starts with lowercase 'xxx:' is just a placeholder - can be replaced with anything but must be present",
                "type": "pamDirectory",
                "title": "XXX:Project1 AD",
                "directory_type": "XXX:active_directory|ldap",
                "host": "XXX:demo.local",
                "port": "XXX:636",
                "use_ssl": true,
                "domain_name": "XXX:demo.local",
                "pam_settings": {
                    "options": {
                        "rotation": "on",
                        "connections": "on",
                        "tunneling": "on",
                        "graphical_session_recording": "on"
                    },
                    "connection": {
                        "protocol": "rdp",
                        "port": "XXX:3389",
                        "security": "XXX:any",
                        "ignore_server_cert": true,
                        "_comment_administrative_credentials": "Must match the unique title of one of the users below",
                        "administrative_credentials": "XXX:DomainAdmin"
                    }
                },
                "users": [
                    {
                        "type": "pamUser",
                        "_comment_title": "Must match administrative_credentials above if this is the admin user",
                        "title": "XXX:DomainAdmin",
                        "_comment_login_password": "Must provide valid credentials but delete sensitive data/json after import",
                        "login": "XXX:[email protected]",
                        "password": "XXX:P4ssw0rd_123",
                        "rotation_settings": {
                            "rotation": "general",
                            "enabled": "on",
                            "schedule": {
                                "type": "on-demand"
                            }
                        }
                    }
                ]
            },
            {
                "_comment4": "While pamDirectory section above is static, the pamMachine section below is dynamicly generated",
                "_comment5": "One pamMachine with one pamUser will be generated per each line from the CSV file",
                "_comment6": "Only one pamMachine is needed and it will be used as a template for all CSV rows",
                "_comment7": "Please do NOT edit lines with xxx: in them - these are placeholders",
                "_comment8": "Any other line that don't contain xxx: can be altered/added/deleted in the template",
                "_comment9": "CSV Format: server_name,username,password",
                "type": "pamMachine",
                "_comment_title_and_host": "server value from CSV",
                "title": "xxx:server1",
                "host": "xxx:server1",
                "port": "5986",
                "ssl_verification": true,
                "operating_system": "Windows",
                "pam_settings": {
                    "options": {
                        "rotation": "on",
                        "connections": "on",
                        "tunneling": "on",
                        "graphical_session_recording": "on"
                    },
                    "connection": {
                        "protocol": "rdp",
                        "port": "3389",
                        "security": "any",
                        "ignore_server_cert": true,
                        "_comment_administrative_credentials": "Format: pamDirectory#title.pamDirectory#administrative_credentials - exact match needed",
                        "administrative_credentials": "XXX:Project1 AD.DomainAdmin"
                    }
                },
                "users": [
                    {
                        "type": "pamUser",
                        "_comment_title": "username value from CSV or server-username if --prefix-names option is used",
                        "title": "xxx:admin",
                        "_comment_login": "username value from CSV",
                        "login": "xxx:Administrator",
                        "_comment_password": "password value from CSV",
                        "password": "xxx:P4ssw0rd_123",
                        "rotation_settings": {
                            "rotation": "general",
                            "enabled": "on",
                            "schedule": {
                                "type": "on-demand"
                            }
                        }
                    }
                ]
            }
        ]
    }
}

The JSON body is made up of these basic components:

project 
  └ Name of your project (will be used for naming the application, gateway and folders)
shared_folder_users
  └ Settings to set for the default "Users" folder
shared_folder_resources
  └ Settings to set for the default "Resources" folder
pam_configuration
  └ Settings to set for the PAM Configuration record
  
pam_data
  └ resources
    ├  <resource>
    │    ├ type: pamDirectory
    │    ├ pam_settings
    │    │    ├ options
    │    │    │  └ Enabling PAM settings
    │    │    └ connection
    │    │       ├ administrative_credentials (format:pamUser title)
    │    │       │  └ title of a user resource to map as Administrative Credentials
    │    │       └ launch_credentials (format:pamUser title)
    │    │          └ title of a user resource to map as Launch Credentials
    │    └ users
    │      └ <user>
    │        └ user login and rotation data. General rotation maps to the parent resource
    └  <resource>
         ├ type: pamMachine
         ├ pam_settings
         │    ├ options
         │    │  └ Enabling PAM settings
         │    └ connection
         │       ├ administrative_credentials (format:pamDirectory title.pamUser title)
         │       │  └ title of a user resource to map as Administrative Credentials
         │       └ launch_credentials (format:pamDirectory title.pamUser title)
         │          └ title of a user resource to map as Launch Credentials
         └ users
           └ <user>
             └ user login and rotation data. General rotation maps to the parent resource

Many attributes can be applied to resources and user objects, which are documented here.

Users can be placed either in the users array of the pamDirectory resource (to model Active Directory rotations) or in the users array of the pamMachine resource (to model Local rotations). The example from this documentation uses the latter model.

2 – Create the JSON Template

Create a JSON template as described above. For our simple example, we will use this template and name the file pam_import.json:

{
  "project": "Example Project",
  "shared_folder_users": {
    "manage_users": true,
    "manage_records": true,
    "can_edit": true,
    "can_share": true
  },
  "shared_folder_resources": {
    "manage_users": true,
    "manage_records": true,
    "can_edit": true,
    "can_share": true
  },
  "pam_configuration": {
    "environment": "local",
    "connections": "on",
    "rotation": "on",
    "graphical_session_recording": "on"
  },
  "pam_data": {
    "resources": [
      {
        "type": "pamDirectory",
        "title": "Example AD",
        "directory_type": "active_directory",
        "host": "demo.local",
        "port": "636",
        "use_ssl": true,
        "domain_name": "demo.local",
        "pam_settings": {
          "options": {
            "rotation": "on",
            "connections": "on",
            "tunneling": "on",
            "graphical_session_recording": "on"
          },
          "connection": {
            "protocol": "rdp",
            "port": "3389",
            "security": "any",
            "ignore_server_cert": true,
            "administrative_credentials": "DomainAdmin"
          }
        },
        "users": [
          {
            "type": "pamUser",
            "title": "DomainAdmin",
            "login": "[email protected]",
            "password": "P4ssw0rd_123",
            "rotation_settings": {
              "rotation": "general",
              "enabled": "on",
              "schedule": {
                "type": "on-demand"
              }
            }
          }
        ]
      },
      {
        "type": "pamMachine",
        "title": "srv\u201101",
        "host": "srv\u201101",
        "port": "5986",
        "ssl_verification": true,
        "operating_system": "Windows",
        "pam_settings": {
          "options": {
            "rotation": "on",
            "connections": "on",
            "tunneling": "on",
            "graphical_session_recording": "on"
          },
          "connection": {
            "protocol": "rdp",
            "port": "3389",
            "security": "any",
            "ignore_server_cert": true,
            "administrative_credentials": "Example AD.DomainAdmin"
          }
        },
        "users": [
          {
            "type": "pamUser",
            "title": "srv\u201101-Administrator",
            "login": "Administrator",
            "password": "LocalAdminPassword123",
            "rotation_settings": {
              "rotation": "general",
              "enabled": "on",
              "schedule": {
                "type": "on-demand"
              }
            }
          }
        ]
      },
      {
        "type": "pamMachine",
        "title": "srv\u201102",
        "host": "srv\u201102",
        "port": "5986",
        "ssl_verification": true,
        "operating_system": "Windows",
        "pam_settings": {
          "options": {
            "rotation": "on",
            "connections": "on",
            "tunneling": "on",
            "graphical_session_recording": "on"
          },
          "connection": {
            "protocol": "rdp",
            "port": "3389",
            "security": "any",
            "ignore_server_cert": true,
            "administrative_credentials": "Example AD.DomainAdmin"
          }
        },
        "users": [
          {
            "type": "pamUser",
            "title": "srv\u201102-Administrator",
            "login": "Administrator",
            "password": "LocalAdminPassword123",
            "rotation_settings": {
              "rotation": "general",
              "enabled": "on",
              "schedule": {
                "type": "on-demand"
              }
            }
          }
        ]
      }
    ]
  }
}

3 – Import Resources into Keeper

The file pam_import.json will now be imported into Keeper from the Commander CLI. Start your Keeper Commander session. If you haven't set up Commander, follow this setup guide.

keeper shell

Run the import with this command (assumes that the pam_import.json file is in the Commander working directory. It can also have an absolute path).

pam project import -f pam_import.json

When the import is complete, the response output in Commander will contain an access token:

"access_token": "XXXXXXXX...."

Save the value inside the quotes (XXXXX.....) for initializing the Gateway in the next step below.

Note: After the import is complete, the vault will be updated with the resources. If your vault is currently open, it's probably a good idea to click Full Sync or refresh the page.

4 – Start the Gateway

This document doesn't cover the installation of a Keeper Gateway, so let's assume that you have already done this. If you haven't created a Gateway, follow these setup instructions for your preferred method.

In the Gateway's configuration, update the GATEWAY_CONFIG with the access token value provided in Step 4 above. For Docker installations, this will be in the docker-compose.yaml file. For Windows installations, it will be in the C:\ProgramData\KeeperGateway\config\gateway-config.json file
Restart the Gateway

At this point, the Gateway is running and has been associated to all of your imported resources. By default, the import will add all PAM projects to a folder called "PAM Environments".

Import Results

Based on this example, below are some screenshots of the resources created:

Secrets Manager Application
Keeper Gateway
PAM Configuration
PAM Directory (Active Directory Service)
PAM User representing the Domain Admin
PAM Machine Resources (Windows Servers)
PAM Users for each PAM Machine (Local Admins)

Advanced Import Formats

This document demonstrated the basic example of importing a series of Windows servers for the purpose of establishing connections, tunnels and automated password rotation. The configuration of the connections and resources was set up to be simple.

More advanced import options including full JSON template capabilities are documented on this GitHub README Page. This page provides all of the possible settings that can be modified as part of the import process. If you need to re-run this process, it's no big deal - just delete the Folders, PAM Configuration and Gateway from the vault and start over.

If you have any questions on the import process, contact your account team or email [email protected].

Generate the JSON file from CSV

To use a CSV file to generate the JSON file to import, see this section:

Using a CSV Template

Importing with Existing Data

To add content to an existing PAM model instead of creating a new Application, see this section:

Adding PAM Resources to an Existing Model

See the Keeper Commander options for additional PAM automation capabilities.

PreviousEvent Reporting NextUsing a CSV Template

Last updated 14 days ago

Was this helpful?

hashtagOverview

hashtagOverview of the Workflow

hashtagPrerequisites

hashtag1 - JSON Structure

hashtag2 – Create the JSON Template

hashtag3 – Import Resources into Keeper

hashtag4 – Start the Gateway

hashtagImport Results

hashtagAdvanced Import Formats

hashtagGenerate the JSON file from CSV

hashtagImporting with Existing Data

hashtagRelated Topics