PAM Database

KeeperPAM resource for managing databases either on-prem or in the cloud

Overview

In your Keeper Vault, the following assets can be configured on the PAM Database record type:

PAM Record Type

Supported Assets

PAM Database

MySQL, PostgreSQL, SQL Server, MongoDB, MariaDB, Oracle

This guide will cover the PAM Database Record type in more details.

Features Available

The PAM Database resource supports the following features:

Password rotation
Zero-trust Connections
TCP Tunnels
Graphical session recording
Text session recording (Typescript)
Sharing access without sharing credentials

Connecting to the PAM database requires only that the Keeper Gateway has access to the database either through native protocols or AWS/Azure APIs. The Keeper Vault operates independently and does not require direct connectivity to the database, leveraging Keeper's zero-trust network access model to securely manage access through the Gateway. See the network architecture diagram for more details.

Creating a PAM Database

Prior to creating a PAM Database, make sure you have already created a PAM Configuration. The PAM Configuration contains information of your target infrastructure while the PAM Database contains information about the target database, such as the hostname, type (MySQL, PostgreSQL, etc) and port number.

To create a PAM Database:

Click on Create New
Depending on your use case, click on "Rotation", "Tunnel", or "Connection"
On the prompted window:
- Select "New Record"
- Select the Shared Folder you want the record to be created in
- Specify the Title
- Select "Database" for the Target
Click "Next" and complete all of the required information.

PAM Database Record Type Fields

The following table lists all the configurable fields on the PAM Database Record Type:

Field

Description

Notes

Hostname or IP Address

Address of the Database Resource

Required

Port

Port to connect to the Database Resource

Required Standard ports are: PostgreSQL: 5432 MySQL: 3306 Maria DB: 3306 Microsoft SQL: 1433 Oracle: 1521 Mongo DB: 27017

Use SSL

Use SSL when connecting

Connect Database

Database name to connect to

Required for connecting to PostgreSQL, MongoDB, and MS SQL Server

Database Id

Azure or AWS Resource ID

Required if a managed AWS or Azure Database

Database Type

Appropriate database type from supported databases.

If a non-standard port is provided, the Database Type will be used to determine connection method.

Provider Group

Azure or AWS Provider Group

Required if a managed AWS or Azure Database

Provider Region

Azure or AWS Provider Region

Required if a managed AWS or Azure Database

PAM Settings and Administrative Credentials

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.

PAM Settings

Field

Description

Required

PAM Configuration

Associated PAM Configuration record which defines the environment

Required

Administrative Credential Record

Linked PAM User credential used for connection and administrative operations

Required Visit this section for more details

Protocol

Native database protocol used for connecting from the Gateway to the target

Required

Session Recording

Options for recording sessions and typescripts

See session recording

Connection Parameters (multiple)

Connection-specific protocol settings which can vary based on the protocol type

Depends on protocol

Below is an example of a PAM Database record with Connections and Tunnels activated.

Examples

Visit the following pages to set up:

MySQL Database
PostgreSQL Database
Microsoft SQL Server Database

Example: MySQL Database

Configuring MySQL DB as a PAM Database Record

Overview

In this example, you'll learn how to configure a MySQL DB in your Keeper Vault as a PAM Database record.

Prerequisites

Prior to proceeding with this guide, make sure you have

PAM Database Record

Databases such as a MySQL DB can be configured on the PAM Database record type.

Creating a PAM Database

To create a PAM Database:

Click on Create New
Depending on your use case, click on "Rotation", "Tunnel", or "Connection"
On the prompted window:
- Select "New Record"
- Select the Shared Folder you want the record to be created in
- Specify the Title
- Select "Database" for the Target
Click "Next" and complete all of the required information.

Configure a MySQL Database on the PAM Database Record

Suppose I have a database with the hostname "db-mysql-1", the following table lists all the configurable fields and their respective values:

Field

Description

Value

Title (Required)

Title of the PAM Database Record

Local MySQL Database

Hostname or IP Address (Required)

Address or RDP endpoint or Server name of the Database Resource

db-mysql-1

Port (Required)

Port to connect to the Database Resource

3306

Use SSL (Required)

Check to perform SSL verification before connecting, if your database has SSL configured

Enabled

Database ID

Azure or AWS Resource ID (if applicable)

Required if a managed AWS or Azure Database

Database Type

Appropriate database type from supported databases.

mysql

Provider Group

Azure or AWS Provider Group

Required if a managed AWS or Azure Database

Provider Region

Azure or AWS Provider Region

Required if a managed AWS or Azure Database

Configuring PAM Settings on the PAM Database

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential. The following table lists all the configurable fields and their respective values for the MySQL Database:

Field

Description

Required

PAM Configuration

Associated PAM Configuration record which defines the environment

Required - This is the PAM configuration you created in the prerequisites

Administrative Credential Record

Linked PAM User credential used for connection and administrative operations

Required Visit this section for more details

Protocol

Native database protocol used for connecting from the Gateway to the target

Required - for this example: "MySQL"

Session Recording

Options for recording sessions and typescripts

See session recording

Connection Parameters

Connection-specific protocol settings which can vary based on the protocol type

See this section for MySQL protocol settings We recommend specifying the Connection Port at a minimum. E.g. "3306" for MySQL.

Administrative Credential Record

The Admin Credential Record in the PAM Database links a user to the PAM Database record in your Keeper Vault. This linked user is used for authenticating the connection when clicking "Launch".

User Accounts are configured on the PAM User record. Visit this page for more information.

Setting a Non Admin User as the Administrative Credential Record

If you prefer not to authenticate a connection using the admin credential, you can optionally designate a regular user of the resource as the admin credential.

PAM Database records can be shared with other Keeper users within your organization. However, the recipient must be assigned to a role with the appropriate PAM enforcement policies in place to utilize KeeperPAM features.

When sharing a PAM Database record, the linked admin credentials will not be shared. For example, if the PAM Database is configured with a MySQL Database, the recipient can connect to the database without having direct access to the linked credentials.

Learn more about Sharing and Access Control

Setup Complete

The MySQL Database record is set up. The user with the ability to launch connections can now launch an interactive MySQL connection or tunnel to the target database.

Example: PostgreSQL Database

Configuring PostgreSQL DB as a PAM Database Record

Overview

In this example, you'll learn how to configure a PostgreSQL DB in your Keeper Vault as a PAM Database record.

Prerequisites

Prior to proceeding with this guide, make sure you have