Jira Workflow

About

The Keeper Security Integration for Jira is an Atlassian Forge application that enables seamless management of Keeper vault operations directly from Jira issues. This integration bridges the gap between project management workflows and secrets management, allowing teams to request, approve, and execute credential operations without leaving their Jira environment.

Features

• Vault Operations from Jira

  • Create New Records: Add credentials, secure notes, payment cards, and custom record types

  • Update Records: Modify existing vault records with new information

  • Share Records: Grant or revoke access to individual records with time-bound permissions

  • Share Folders: Manage folder-level access for teams and users

  • Manage Permissions: Control granular access rights for records in shared folders

• Endpoint Privilege Management (Administrator Only)

  • Real-Time Approval Workflows: Review and approve privilege elevation requests from endpoints

  • Live Request Monitoring: View pending requests with countdown timers and detailed context

  • One-Click Actions: Approve or deny requests instantly with full audit trail

  • Comprehensive Request Details: User identity, application, justification, and expiration status

  • Smart Search & Filtering: Find requests by user, application, or justification text

• Role-Based Workflows

  • Admin Direct Execution: Project administrators can execute vault operations immediately

  • User Request & Approval: Non-admin users submit requests that require admin approval

  • Audit Trail: All actions are logged as Jira comments with timestamps and user information

Prerequisites

Jira Cloud Administrator Access

• Administrator:

  • Needs Jira Administrator or Manage apps permission to install and configure the Forge app.

  • Must access Jira Settings → Apps to set up and manage app connections.

• End User:

  • Requires Edit Issues and Add Comments permissions to view and use the Keeper panel

  • Works across all Jira Cloud project types; no extra setup needed

• See Jira Project Permissions for details

Keeper Security Account

• Standard Features:

  • Requires an active Keeper Business, Enterprise, or PAM subscription with vault access.

  • Ensure permissions to create, update, and share records.

• PEDM Features (Optional):

  • Active Keeper PAM (Privileged Access Management) subscription

  • PEDM module enabled and configured in your Keeper environment

  • PEDM deployments, agents, and policies configured

  • For more information, see Endpoint Privilege Manager Overview

Keeper Commander CLI

• Install using Docker or Python pip.

• Version Requirement: Commander CLI version 17.1.7 or later is required for API v2 async queue support.

• Docker provides an isolated environment with simplified updates and consistent cross-platform behavior.

• Refer to the Installation and Setup Guide for installation steps.

• Persistent Login & Timeout : Keeper Commander supports Persistent Login (Stay Logged In) which allows you to automatically authenticate without entering your master password or 2FA each time. This improves usability for everyday CLI usage and automation.

  • How It Works

    • Login tokens are stored securely in the local config.json

    • Session persists across terminal restarts

    • Device must be registered and trusted

    • Enable Persistent Login

    • Configure Timeout

Tunneling

• Keeper Commander Service Mode runs locally, so tunneling is required to securely expose its REST API to Jira Cloud.

• You can use solutions like Ngrok or Cloudflare Tunnel to create a secure HTTPS bridge between Jira Cloud and your local environment.

• See Service Tunneling Guide for setup details.

Setup

Service Mode REST API Configuration & Deployment

• Purpose: Service Mode turns Keeper Commander into a REST API server, exposing the /api/v2/executecommand-async endpoint for asynchronous command execution with queue support. A secure API key is automatically generated on startup. Requires Commander CLI version 17.1.7 or later.

• Required Commands:

  • For Vault Operations record-add, list, ls, get, record-type-info, record-update, share-record, share-folder, rti, record-permission, service-status .

  • For Vault + PEDM Operations record-add, list, ls, get, record-type-info, record-update, share-record, share-folder, rti, record-permission, pedm, service-status .

• Run Mode: Foreground (-rm foreground).

• Queue System: Enabled (-q y) - Required for API v2 async queue mode.

• Authentication: KSM Token, User/Password, or Config File.

• Persistent Login: Must be enabled (this-device persistent-login on) for continuous operation.

• Deployment Options:

  • Docker basic deployment.

    • Docker with Ngrok tunneling.

    • Docker with Cloudflare tunneling.

    • CLI deployment without Docker, optionally with Ngrok or Cloudflare tunneling.

• API Key: Displayed after service creation; must be stored securely and used in Jira integration.

• Security: Configuration files are encrypted to protect sensitive data including API keys and tokens.

API v2 (Async Queue Mode)

This integration uses Keeper Commander API v2 which provides:

• Asynchronous Execution: Commands are submitted to a queue and processed asynchronously

• Polling-based Results: Results are retrieved via polling with exponential backoff

• Rate Limiting: Handles 429 (rate limit) and 503 (queue full) responses gracefully

• Request Expiration: Automatic handling of expired requests

Reference: API v2 Documentation

Example Docker Deployment Commands

• Basic Deployment :

• With Ngrok Tunneling :

• With Cloudflare Tunneling :

Parameters: -ng Ngrok auth token, -cd Ngrok custom domain (subdomain portion only), -cf Cloudflare tunnel token, -cfd Cloudflare custom domain.

Keeper Commander CLI Deployment (Without Docker)

• First, install Keeper Commander CLI and configure persistent login:

• Basic Service Creation :

• With Ngrok Tunneling :

• With Cloudflare Tunneling :

Note: After service creation, the API key will be displayed in the console output. Make sure to copy and store it securely.

Reference: Service Mode REST API Documentation

Quick Start Guide

Configuration (Administrator only)

• Configure the Integration

  • In Jira: Apps → Keeper.

  • Enter API URL including the /api/v2 path and API Key.

  • Example URLs:

    • ngrok: https://your-subdomain.ngrok.io/api/v2

    • Cloudflare: https://your-subdomain.trycloudflare.com/api/v2

• Test Connection

  • Click Test Connection → verify success.

• Save Settings

  • Click Save Settings → confirmation appears.

Admin configuration complete.

Endpoint Privilege Manager (Administrator only)

The web trigger URL is automatically generated by Jira Forge and serves as the webhook endpoint for Keeper Security alerts.

• Locate the Web Trigger URL in the configuration page (displayed at the top of the tab).

• Copy the URL by clicking the "Copy URL" button.

• Configure this URL in Keeper Security:

  • Navigate to your Keeper Security Admin Console.

  • Go to Reporting & Alerts → Alerts click on "Add Alert".

  • Provide Alert Name (e.g., "Jira PEDM Integration").

  • In Alert Condition, set Event Type to "All" from "Endpoint Privilege Management".

  • Click on "Add Recipient".

  • Enter Recipient Name (e.g., "Jira Webhook").

  • Click on "Webhook" option.

  • Paste the copied URL as the webhook destination.

  • Click "Save" button on the Add Recipient modal.

  • Click "Save" on the Alerts page.

• Target Project Configuration: Configure which Jira project should receive automatically created tickets from Keeper Security alerts.

  • Select Target Project.

  • Select Default Issue Type.

• Save Configuration

What Happens When a Keeper Alert is Received?

1. Webhook Received: Keeper Security sends a POST request to your web trigger URL.

2. Ticket Created: A Jira ticket is automatically created in your configured project.

3. Data Enrichment: The system attempts to fetch enriched PEDM approval details using pedm approval view command.

4. Description Populated:

   1. Enriched: If API data is available, includes justification, user details, application info, and countdown timers.

   2. Basic: If API data is unavailable, uses the raw webhook payload.

5. Labels Applied: Automatic labels include keeper-webhook, category, and audit_event.

6. Action Panel: For PEDM approval requests, the issue panel includes Approve/Deny buttons with real-time countdown.

Note: If the Keeper Commander service-mode URL is not accessible or the server running service mode is unavailable during the time a webhook is received, tickets will still be created successfully but will use the Alert JSON payload from the webhook as the ticket description. The integration automatically falls back to webhook payload data to ensure no security events are lost, even when the Keeper API is temporarily unavailable. Once the service is restored, new tickets will include enriched data from the PEDM approval view command.

Create Ticket (Admin / End User)

• Navigate to your Jira project (e.g., IT Support, Security Operations)

  • Create a new ticket.

• Open a Jira Issue Page

  • On the right side panel, look for Keeper panel on the right.

  • The panel will load and display available Keeper actions.

  • Select action: Request Access to Record / Request Access to Folder / Request Record Permission Change.

  • Fill in form fields (required fields marked *).

• Submit for Approval

  • First submission: Click Save Request to submit for admin approval.

  • Updating existing request: Click Update Request to modify your previously saved request.

  • A confirmation message will appear: "Request submitted successfully" or "Request updated successfully".

• Monitor Status

  • Jira comments show request status.

  • Once approved, action executes.

Note: You must have Edit Issues permission to see and use the Keeper panel.

Handling Tickets and Requests (Administrator Only)

As an administrator, you'll handle two types of tickets in Jira:

1. Webhook-created tickets: Automatic PEDM approval requests from Keeper Security alerts.

2. User-created tickets: Manual tickets where users have saved Keeper command requests.

Step-by-Step Workflow

1. Open JIRA issue panel : Navigate to the ticket that requires your attention.

2. Open the Keeper Panel : Click the Keeper panel in the right sidebar to expand it.

3. Review the request :

   1. For PEDM Approval Tickets :

      1. Review requester information (user info, application info, justification, etc).

      2. Verify the requested action.

      3. Assess security implications.

   2. For Normal User Requests :

      1. Review all saved request details.

      2. Verify user's justification (in Requirements and Justification fields).

      3. Check and select which action will be executed.

      4. Based on selected action and requirements, select particular record/folder from the dropdown.

      5. Configure permissions and expiration settings as appropriate.

      6. Assess if the request meets security policies.

4. Modify Request (Optional) : As an administrator, you can override any field before execution.

   1. Common Modifications :

      1. Change user email addresses (supports multiple: [email protected], [email protected]).

      2. Update record details (title, login, password, URL).

      3. Adjust permissions (Can Edit, Can Share).

      4. Modify expiration settings.

      5. Change any command parameters.

   2. Email Validation :

      1. All emails are validated automatically.

      2. Error message appears if format is invalid.

5. Execute or Approve :

   1. For PEDM Approval Tickets :

      1. Click Approve Request to grant privilege escalation.

      2. Click Deny Request to reject the request.

      3. Action executes immediately via Keeper API.

      4. Result appears in the panel and ticket comments.

   2. For Normal User Requests :

      1. Click Approve & Execute to Execute Command via Keeper API.

      2. Click on Reject request to reject it by providing reason.

      3. Wait for execution.

      4. Result appears in ticket comments.

6. Review Execution Results :

   1. Success Response :

      1. Green confirmation message in the panel

      2. Success comment added to ticket

      3. Command output shown (if applicable)

   2. Error Response :

      1. Red error message in the panel

      2. Error details in ticket comments

      3. Check Keeper service status if needed: keeper service-status

Integration Actions & Usage

Once the Keeper Security Integration is configured in Jira, users can perform key vault operations and administrators can manage PEDM approvals directly from Jira issues. The following table summarizes the core actions available and when to use them:

Troubleshooting

Debug Mode

If the Commander Service Mode REST API is not behaving as expected, enable debug mode for detailed logs and troubleshooting.

Or (Docker):

When debug mode is enabled:

• Console or Docker logs show detailed request/response traces

• Useful for identifying configuration or API communication issues

• Should be disabled in production to avoid exposing sensitive metadata

Endpoint Privilege Management

Issue: Tickets Created with JSON Payload Instead of Enriched Data

Symptoms: Tickets show webhook JSON payload in description instead of formatted approval details

Cause: Keeper Commander service-mode is not accessible or API endpoint is down

Solutions:

1. Check Service Mode Status via CLI keeper service-status

2. Verify API Accessibility and Status

   • Test API endpoint and check service status:

   • Check if server is running and accessible from Jira

   • Verify firewall rules allow access

3. Restart Service Mode

Note: Tickets will continue to be created using webhook payload data during service outages to ensure no security events are lost. Once service is restored, new tickets will include enriched data from the PEDM approval view command.

Connection Problems