Managing Rotation via CLI

Important: The legacy rotate (plugin‑based) and pam rotation set commands are deprecated. Use pam rotation edit to configure rotation schedules and pam action rotate to trigger an on‑demand rotation through a Keeper Gateway.

Prerequisites

1. Target records are in place – all PAM Machine, PAM User and other privileged records you plan to rotate live in shared folders inside your Keeper Vault.

2. A Keeper Gateway is installed and online – see Step 1 below.

3. At least one PAM Configuration exists and points to the gateway – see Step 2.

Step 1 – Create (or locate) a Gateway

Commander’s pam gateway sub‑commands manage the Gateway service.

Tip: Retrieve the UID for an existing gateway at any time with pam gateway list --verbose.

Step 2 – Build a PAM Configuration that uses the Gateway

pam config new (or pam config edit) assembles the rules that tie the gateway to rotation, discovery, tunnelling and connections.

• --gateway binds the configuration to the Keeper Gateway you created in Step 1.

• --rotation on enables the rotation feature for any records attached to this configuration.

• --schedule sets a default CRON schedule that records can inherit (you can still override per record with

Use pam config list to obtain the configuration’s UID for later commands.

Understanding Rotation Commands (Quick Recap)

Command: pam rotation edit

pam rotation edit adjusts the KeeperPAM rotation metadata stored on a record.

Key Options

Full help: pam rotation edit --help

Worked Examples

Replace angle‑bracket placeholders with real UIDs or paths.

1 – Daily rotation on a single machine (CRON)

2 – Weekly rotation using JSON

3 – Bulk‑enable rotation for every record in a folder (monthly)

4 – Change schedule only

Tip: Combine -so with --enable or --disable to quickly activate or pause existing schedules without touching other parameters.

5 – On‑demand rotation (no schedule)

6 – Set password complexity

Triggering an On‑Demand Rotation

Run a rotation right now (ignoring any schedule):

Commander sends the job to the Keeper Gateway, which executes the correct plugin or native driver for the resource.

Where to Go Next

• pam action gateway-info --gateway <Gateway_UID> – check gateway health and version.

• pam rotation list – verify which resources have rotation enabled.

• pam action job-info --gateway <Gateway_UID> – view historical rotation job logs.

Batch Mode

To run a large number of commands in a batch mode, see Keeper's command.