# Setup Steps

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FTrW1sx4hPCCYoyJysDQD%2FKeeperPAM%20Preview.jpg?alt=media&#x26;token=06c8f11d-bac6-45c8-9c87-bef333095a7e" alt=""><figcaption></figcaption></figure>

Follow the steps below to start using KeeperPAM.

{% stepper %}
{% step %}
**Keeper Enterprise license**

If you are not a Keeper customer or do not have the required license, you can [start a free trial](https://www.keepersecurity.com/password-manager-free-trial-sign-up.html) from our website. The free trial includes the full capabilities of KeeperPAM.
{% endstep %}

{% step %}
**Activate Privileged Access Manager**

From the Keeper Admin Console, ensure that your Privileged Access Manager subscription is active. Go to the **Admin Console** > **Subscriptions** and activate the trial or contact your Keeper customer success manager.
{% endstep %}

{% step %}
**Enable PAM Policies**

From the Admin Console, enable the corresponding PAM Enforcement Policies.

* Log in to the Admin Console for your region.
* Under **Admin** > **Roles**, create a new role for PAM or modify an existing role.
* Go to **Enforcement Policies** and open the "**Privileged Access Manager**" section.
* Enable all the [PAM enforcement policies](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/enforcement-policies) to use the new features.
* Assign yourself or your test user account to this role.
  {% endstep %}

{% step %}
**Existing Customers: Updating your Gateway**

This assumes you are an existing Keeper Secrets Manager customer and already have a Gateway deployed. The latest Keeper Gateway is required to support the new features. The available features differ by operating system.

**Docker**

Use the basic `docker-compose.yml` file as shown below:

```yaml
services:
  keeper-gateway:
    platform: linux/amd64
    image: keeper/gateway:latest
    shm_size: 2g
    restart: unless-stopped
    security_opt:
      - seccomp:docker-seccomp.json
      - apparmor:gateway-apparmor-profile
    environment:
      ACCEPT_EULA: Y
      GATEWAY_CONFIG: XXXXXXXXXXXX
```

Download the files called `docker-seccomp.json` and `gateway-apparmor-profile` and place them in the same folder as your Docker Compose file.

Download the [seccomp file](https://raw.githubusercontent.com/Keeper-Security/KeeperPAM/refs/heads/main/gateway/docker-seccomp.json) and the [AppArmor file](https://raw.githubusercontent.com/Keeper-Security/KeeperPAM/refs/heads/main/gateway/gateway-apparmor-profile), or use `curl`:

{% code overflow="wrap" %}

```sh
curl -O https://raw.githubusercontent.com/Keeper-Security/KeeperPAM/refs/heads/main/gateway/docker-seccomp.json
curl -O https://raw.githubusercontent.com/Keeper-Security/KeeperPAM/refs/heads/main/gateway/gateway-apparmor-profile
```

{% endcode %}
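
A pre-flight check for the Docker folder described above, added here as an example and not part of Keeper's own tooling. The function name `check_gateway_dir` is hypothetical, and the check assumes the Compose file is named `docker-compose.yml` and lists the `security_opt` entries unquoted, as shown above.

```sh
#!/bin/sh
# Added example: verify the Gateway folder before starting the container.
# check_gateway_dir is a hypothetical helper name, not a Keeper command.
# Returns 0 when every file the Compose file depends on is in place, 1 otherwise.
check_gateway_dir() {
    dir=${1:-.}
    compose="$dir/docker-compose.yml"
    rc=0

    if [ ! -f "$compose" ]; then
        echo "missing: $compose" >&2
        return 1
    fi

    # Each hardening option must be an active (uncommented) list entry, and
    # the file it names must sit next to the Compose file and be non-empty.
    for entry in "seccomp:docker-seccomp.json" "apparmor:gateway-apparmor-profile"; do
        file=${entry#*:}
        if ! grep -Eq "^[[:space:]]*-[[:space:]]*${entry}[[:space:]]*\$" "$compose"; then
            echo "security_opt entry not found: $entry" >&2
            rc=1
        fi
        if [ ! -s "$dir/$file" ]; then
            echo "missing or empty: $dir/$file" >&2
            rc=1
        fi
    done

    # curl -O without -f saves an HTTP error body under the target name.
    # A seccomp profile is a JSON object, so its first non-blank byte is '{'.
    seccomp="$dir/docker-seccomp.json"
    if [ -s "$seccomp" ] && [ "$(tr -d ' \t\r\n' < "$seccomp" | cut -c1)" != "{" ]; then
        echo "not a JSON object: $seccomp" >&2
        rc=1
    fi

    # The XXXXXXXXXXXX value in the sample file is a placeholder to replace.
    if grep -Eq '^[[:space:]]*GATEWAY_CONFIG:[[:space:]]*X+[[:space:]]*$' "$compose"; then
        echo "GATEWAY_CONFIG still holds the placeholder value" >&2
        rc=1
    fi

    return $rc
}
# Example: check_gateway_dir . && docker compose up -d
```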

**Windows**

* Download the latest installer: [**64-bit Installer**](https://keepersecurity.com/pam/gateway/keeper-gateway_windows_x86_64.exe)
* You'll be asked to confirm uninstalling the previous Gateway; this is OK.
* Ensure the "Enter one-time access token" selection is **NOT selected**

**Linux**

To update an existing Gateway on Linux:

{% code overflow="wrap" %}

```sh
curl -fsSL https://keepersecurity.com/pam/install | sudo bash -s --
```

{% endcode %}

**Retrieving the Configuration**

If you are replacing an existing Gateway, get the old base64 configuration string from:\
`/etc/keeper-gateway/gateway-config.json` on Linux or `C:\ProgramData\KeeperGateway\config\gateway-config.json` on Windows.
{% endstep %}

{% step %}
**New Customers: Create a new Gateway and Sandbox**

Follow the step-by-step guide in the [Getting Started](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started) section of this documentation. A new [Quick Start Wizard](https://docs.keeper.io/en/keeperpam/privileged-access-manager/quick-start-sandbox) is available to instantly create a sandbox for exploring some of the connection types.
{% endstep %}

{% step %}
**Explore new features**

* [Quick Start Sandbox](https://docs.keeper.io/en/keeperpam/privileged-access-manager/quick-start-sandbox)
* [Connections](https://docs.keeper.io/en/keeperpam/privileged-access-manager/connections)
* [Tunnels](https://docs.keeper.io/en/keeperpam/privileged-access-manager/tunnels)
* [Remote Browser Isolation](https://docs.keeper.io/en/keeperpam/privileged-access-manager/remote-browser-isolation)
* [Session Recording & Playback](https://docs.keeper.io/en/keeperpam/privileged-access-manager/session-recording-and-playback)
* [SSH Agent](https://docs.keeper.io/en/keeperpam/privileged-access-manager/ssh-agent)
* [Discovery](https://docs.keeper.io/en/keeperpam/privileged-access-manager/discovery)
  {% endstep %}
  {% endstepper %}

### Notes

* PAM features differ between the Linux, Docker and Windows versions of the Keeper Gateway.
* For the full range of features, use the Docker installation method, or the Linux installation method on Rocky Linux or RHEL.
* We recommend setting up a Keeper Gateway using the [Quick Start Sandbox](https://docs.keeper.io/en/keeperpam/secrets-manager/quick-start-guide). It generates a customized Docker Compose file that gives you an instant sandbox for testing.

### Feedback

If you have any questions, please [open a support ticket](https://keepersecurity.servicenowservices.com/csm?id=csm_index) or email <business.support@keepersecurity.com>.
