Guide for using PAM Resource Records in the Keeper Vault for privileged access functionality.
KeeperPAM Resource records are special record types designed to organize and store information about your target infrastructure: machines, web apps, workloads and user accounts.
In your Keeper Vault, resources that represent your infrastructure are created with the following Record Types:
PAM Machine: Windows/macOS/Linux Machines, EC2 Instances, Azure VMs, etc.
PAM Database: MySQL, PostgreSQL, SQL Server, MongoDB, MariaDB, Oracle
PAM Directory: Active Directory, OpenLDAP
PAM Remote Browser: Web-based Applications, internal apps or cloud apps
PAM User: Any local user, remote user, database credential or admin account. PAM User records can also be configured for scheduled or on-demand password rotation.
The PAM User record is special because it can be linked from the other resources. This way, you can share access to a Machine, Database, Directory or Remote Browser without sharing access to the underlying credentials.
From the Vault UI, click on Create New and select either Rotation, Tunnel or Connection.
Alternatively, you can right-click on a folder and select Rotation, Tunnel or Connection.
The "Target" selection will determine what type of record will be created.
KeeperPAM resource for managing machines on-prem or in the cloud
A PAM Machine record is a type of KeeperPAM resource that represents a workload, such as a Windows or Linux server.
PAM Machine
Windows/macOS/Linux Machines, EC2 Instances, Azure VMs
The PAM Machine resource supports the following features:
Password rotation
SSH key rotation
Zero-trust Connections using RDP, SSH, VNC, K8s and Telnet protocols
TCP Tunnels
Session recording
Sharing access without sharing credentials
File transfer through drag-and-drop
Prior to creating a PAM Machine, make sure you have already created a PAM Configuration. The PAM Configuration contains information about your target infrastructure, while the PAM Machine contains information about an asset, such as a Windows or Linux server.
To create a PAM Machine:
Click on Create New
Depending on your use case, click on "Rotation", "Tunnel", or "Connection"
On the prompted window:
Select "New Record"
Select the Shared Folder you want the record to be created in
Specify the Title
Select "Machine" for the Target
Click "Next" and complete all of the required information.
The following table lists all the configurable fields on the PAM Machine Record Type:
Hostname or IP Address
Address of the machine resource
Required
Port
Port to connect on. The Gateway uses this to determine connection method.
Required. Must be a port for SSH or WinRM.
Keeper expects 22, 5985, 5986, or an alternative SSH or WinRM port specified in the PAM Configuration port mapping.
Administrative Credentials
Linked PAM User credential used for connection and administrative operations
Required. Visit this section for more details.
PAM settings
This is where you configure Connection and Tunnel settings for this machine.
Required. Visit this section for more details.
Operating System
The target's Operating System
For your reference only
SSL Verification
When checked, verifies the host's certificate when connecting with SSH
Only applies to certain databases and directories where SSL is optional
Instance Name
Azure or AWS Instance Name
Required if AWS/Azure Machine
Instance Id
Azure or AWS Instance ID
Required if AWS/Azure Machine
Provider Group
Provider Group for directories hosted in Azure
Required if Azure Machine
Provider Region
AWS region of hosted directory
Required if AWS Machine
On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.
PAM Configuration
Associated PAM Configuration record which defines the environment
Required
Administrative Credential Record
Linked PAM User credential used for connection and administrative operations
Required
Protocol
Native protocol used for connecting the session from the Gateway to the target
Required
Connection Parameters (multiple)
Connection-specific protocol settings which can vary based on the protocol type
Depends on protocol. We recommend specifying the Connection Port at a minimum.
Below are a couple of examples of PAM Machine records with Connections and Tunnels activated.
Visit the following pages to set up:
Configuring SSH Server as a PAM Machine Record
In this example, you'll learn how to configure a Linux Machine in your Keeper Vault as a PAM Machine record.
Prior to proceeding with this guide, make sure you have
Machines such as Linux machines can be configured on the PAM Machine record type.
To create a PAM Machine:
Click on Create New
Depending on your use case, click on "Rotation", "Tunnel", or "Connection"
On the prompted window:
Select "New Record"
Select the Shared Folder you want the record to be created in
Specify the Title
Select "Machine" for the Target
Click "Next" and complete all of the required information.
Suppose I have a local Linux virtual machine with the hostname "linux-machine". The following table lists all the configurable fields and their respective values:
Title (Required)
Title of the PAM Machine Record
Linux Machine
Hostname or IP Address (Required)
Address, RDP endpoint or server name of the machine resource
linux-machine
Port (Required)
Port to connect to the Linux Resource
22
Operating System
The target's Operating System
linux
Instance Name
Azure or AWS Instance Name
Required if AWS/Azure Machine
Instance ID
Azure or AWS Instance ID
Required if AWS/Azure Machine
Provider Group
Azure or AWS Provider Group
Required if a managed Azure Machine
Provider Region
Azure or AWS Provider Region
Required if a managed AWS Machine
On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential. The following table lists all the configurable fields and their respective values for the Linux Machine:
PAM Configuration
Associated PAM Configuration record which defines the environment
Required - This is the PAM configuration you created in the prerequisites
Administrative Credential Record
Linked PAM User credential used for connection and administrative operations
Required. Visit this section for more details.
Protocol
Native protocol used for creating a session from the Gateway to the target
Required - for this example: "SSH"
Connection Parameters
Connection-specific protocol settings which can vary based on the protocol type.
See this section for SSH protocol settings. We recommend specifying the Connection Port at a minimum. E.g. "22" for SSH.
The Admin Credential Record in the PAM Machine links the admin user to the PAM Machine record in your Keeper Vault. This admin user is used for performing password rotations and authenticating connections.
User Accounts can be configured on the PAM User record. Visit this page for more information on the PAM User.
If you prefer not to authenticate a connection using the admin credential, you can optionally designate a regular user of the resource as the admin credential.
PAM Machine records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.
When sharing a PAM Machine record, the linked admin credentials will not be shared. For example, if the PAM Machine is configured with a Linux Machine, the recipient can connect to the Linux Machine on the PAM Machine record without having direct access to the linked credentials.
Learn more about Sharing and Access Control
Configuring an Azure Windows VM as a PAM Machine Record
In this example, you'll learn how to configure an Azure Windows VM in your Keeper Vault as a PAM Machine record.
Prior to proceeding with this guide, make sure you have
Machines such as Azure virtual machines can be configured on the PAM Machine record type.
To create a PAM Machine:
Click on Create New
Depending on your use case, click on "Rotation", "Tunnel", or "Connection"
On the prompted window:
Select "New Record"
Select the Shared Folder you want the record to be created in
Specify the Title
Select "Machine" for the Target
Click "Next" and complete all of the required information.
Suppose I have an Azure virtual machine with the hostname "10.0.1.4". The following table lists all the configurable fields and their respective values:
Title (Required)
Title of the PAM Machine Record
Windows VM
Hostname or IP Address (Required)
Address, RDP endpoint or server name of the machine resource
10.0.1.4
Port (Required)
Port to connect to the Azure VM for rotation. 22 for SSH, 5986 for WinRM
5986
Operating System
The target's Operating System
Set to: Windows
Instance Name
Azure or AWS Instance Name
Required if AWS/Azure Machine
webserver-prod-01
Instance ID
Azure or AWS Instance ID
Required if AWS/Azure Machine
Provider Group
Azure or AWS Provider Group
Required if a managed Azure Machine
Provider Region
Azure or AWS Provider Region
Required if a managed AWS Machine
On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential. The following table lists all the configurable fields and their respective values for the Azure Virtual Machine:
PAM Configuration
Associated PAM Configuration record which defines the environment
Required - This is the PAM configuration you created in the prerequisites
Administrative Credential Record
Linked PAM User credential used for connection and administrative operations
Required. Visit this section for more details.
Protocol
Native protocol used for connecting from the Gateway to the target
Required - for this example: "RDP"
Connection Parameters
Connection-specific protocol settings which can vary based on the protocol type
See this section for RDP protocol settings. We recommend specifying the Connection Port at a minimum. E.g. "3389" for RDP.
The Admin Credential Record in the PAM Machine links the admin user to the PAM Machine record in your Keeper Vault. This admin user is used for performing password rotations and authenticating connections.
User Accounts can be configured on the PAM User record. Visit this page for more information.
If you prefer not to authenticate a connection using the admin credential, you can optionally designate a regular user of the resource as the admin credential.
PAM Machine records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.
When sharing a PAM Machine record, the linked admin credentials will not be shared. For example, if the PAM Machine is configured with an Azure Virtual Machine, the recipient can connect to the Azure Virtual Machine on the PAM Machine record without having direct access to the linked credentials.
Learn more about Sharing and Access Control
KeeperPAM resource for managing databases either on-prem or in the cloud
In your Keeper Vault, the following assets can be configured on the PAM Database record type:
PAM Database
MySQL, PostgreSQL, SQL Server, MongoDB, MariaDB, Oracle
This guide covers the PAM Database Record type in more detail.
The PAM Database resource supports the following features:
Password rotation
Zero-trust Connections
TCP Tunnels
Graphical session recording
Text session recording (Typescript)
Sharing access without sharing credentials
Prior to creating a PAM Database, make sure you have already created a PAM Configuration. The PAM Configuration contains information about your target infrastructure, while the PAM Database contains information about the target database, such as the hostname, type (MySQL, PostgreSQL, etc.) and port number.
To create a PAM Database:
Click on Create New
Depending on your use case, click on "Rotation", "Tunnel", or "Connection"
On the prompted window:
Select "New Record"
Select the Shared Folder you want the record to be created in
Specify the Title
Select "Database" for the Target
Click "Next" and complete all of the required information.
The following table lists all the configurable fields on the PAM Database Record Type:
Hostname or IP Address
Address of the Database Resource
Required
Port
Port to connect to the Database Resource
Required. Standard ports are: PostgreSQL 5432, MySQL 3306, MariaDB 3306, Microsoft SQL 1433, Oracle 1521, MongoDB 27017.
Use SSL
Use SSL when connecting
Connect Database
Database name to connect to
Required for connecting to PostgreSQL, MongoDB, and MS SQL Server
Database Id
Azure or AWS Resource ID
Required if a managed AWS or Azure Database
Database Type
Appropriate database type from supported databases.
If a non-standard port is provided, the Database Type will be used to determine connection method.
Provider Group
Azure or AWS Provider Group
Required if a managed AWS or Azure Database
Provider Region
Azure or AWS Provider Region
Required if a managed AWS or Azure Database
On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.
PAM Configuration
Associated PAM Configuration record which defines the environment
Required
Administrative Credential Record
Linked PAM User credential used for connection and administrative operations
Required. Visit this section for more details.
Protocol
Native database protocol used for connecting from the Gateway to the target
Required
Connection Parameters (multiple)
Connection-specific protocol settings which can vary based on the protocol type
Depends on protocol
Below is an example of a PAM Database record with Connections and Tunnels activated.
Visit the following pages to set up:
Configuring MySQL DB as a PAM Database Record
In this example, you'll learn how to configure a MySQL DB in your Keeper Vault as a PAM Database record.
Prior to proceeding with this guide, make sure you have
Databases such as a MySQL DB can be configured on the PAM Database record type.
To create a PAM Database:
Click on Create New
Depending on your use case, click on "Rotation", "Tunnel", or "Connection"
On the prompted window:
Select "New Record"
Select the Shared Folder you want the record to be created in
Specify the Title
Select "Database" for the Target
Click "Next" and complete all of the required information.
Suppose I have a database with the hostname "db-mysql-1". The following table lists all the configurable fields and their respective values:
Title (Required)
Title of the PAM Database Record
Local MySQL Database
Hostname or IP Address (Required)
Address, RDP endpoint or server name of the database resource
db-mysql-1
Port (Required)
Port to connect to the Database Resource
3306
Use SSL (Required)
Check to perform SSL verification before connecting, if your database has SSL configured
Enabled
Database ID
Azure or AWS Resource ID (if applicable)
Required if a managed AWS or Azure Database
Database Type
Appropriate database type from supported databases.
mysql
Provider Group
Azure or AWS Provider Group
Required if a managed AWS or Azure Database
Provider Region
Azure or AWS Provider Region
Required if a managed AWS or Azure Database
On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential. The following table lists all the configurable fields and their respective values for the MySQL Database:
PAM Configuration
Associated PAM Configuration record which defines the environment
Required - This is the PAM configuration you created in the prerequisites
Administrative Credential Record
Linked PAM User credential used for connection and administrative operations
Required. Visit this section for more details.
Protocol
Native database protocol used for connecting from the Gateway to the target
Required - for this example: "MySQL"
Connection Parameters
Connection-specific protocol settings which can vary based on the protocol type
See this section for MySQL protocol settings. We recommend specifying the Connection Port at a minimum. E.g. "3306" for MySQL.
The Admin Credential Record in the PAM Database links a user to the PAM Database record in your Keeper Vault. This linked user is used for authenticating the connection when clicking "Launch".
User Accounts are configured on the PAM User record. Visit this page for more information.
If you prefer not to authenticate a connection using the admin credential, you can optionally designate a regular user of the resource as the admin credential.
PAM Database records can be shared with other Keeper users within your organization. However, the recipient must be assigned to a role with the appropriate PAM enforcement policies in place to utilize KeeperPAM features.
When sharing a PAM Database record, the linked admin credentials will not be shared. For example, if the PAM Database is configured with a MySQL Database, the recipient can connect to the database without having direct access to the linked credentials.
Learn more about Sharing and Access Control
The MySQL Database record is set up. The user with the ability to launch connections can now launch an interactive MySQL connection or tunnel to the target database.
Configuring PostgreSQL DB as a PAM Database Record
In this example, you'll learn how to configure a PostgreSQL DB in your Keeper Vault as a PAM Database record.
Prior to proceeding with this guide, make sure you have
Databases such as a PostgreSQL DB can be configured on the PAM Database record type.
To create a PAM Database:
Click on Create New
Depending on your use case, click on "Rotation", "Tunnel", or "Connection"
On the prompted window:
Select "New Record"
Select the Shared Folder you want the record to be created in
Specify the Title
Select "Database" for the Target
Click "Next" and complete all of the required information.
Suppose I have a database with the hostname "db-postgres-1". The following table lists all the configurable fields and their respective values:
Title (Required)
Title of the PAM Database Record
PostgreSQL Database - postgresuser
Hostname or IP Address (Required)
Address, RDP endpoint or server name of the database resource
db-postgres-1
Port (Required)
Port to connect to the PostgreSQL DB Resource
5432
Use SSL (Required)
Check to perform SSL verification before connecting, if your database has SSL configured
Enabled
Database ID
Azure or AWS Resource ID (if applicable)
Required if a managed AWS or Azure Database
Database Type
Appropriate database type from supported databases.
postgresql
Provider Group
Azure or AWS Provider Group
Required if a managed AWS or Azure Database
Provider Region
Azure or AWS Provider Region
Required if a managed AWS or Azure Database
On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential. The following table lists all the configurable fields and their respective values for the PostgreSQL Database:
PAM Configuration
Associated PAM Configuration record which defines the environment
Required - This is the PAM configuration you created in the prerequisites
Administrative Credential Record
Linked PAM User credential used for connection and administrative operations
Required. Visit this section for more details.
Protocol
Native database protocol used for connecting from the Gateway to the target
Required - for this example: "PostgreSQL"
Connection Parameters
Connection-specific protocol settings which can vary based on the protocol type
See this section for PostgreSQL protocol settings. We recommend specifying the Connection Port at a minimum. E.g. "5432" for PostgreSQL.
The Admin Credential Record in the PAM Database links a user to the PAM Database record in your Keeper Vault. This linked user is used for authenticating the connection when clicking "Launch".
User Accounts are configured on the PAM User record. Visit this page for more information.
If you prefer not to authenticate a connection using the admin credential, you can optionally designate a regular user of the resource as the admin credential.
PAM Database records can be shared with other Keeper users within your organization. However, the recipient must be assigned to a role with the appropriate PAM enforcement policies in place to utilize KeeperPAM features.
When sharing a PAM Database record, the linked admin credentials will not be shared. For example, if the PAM Database is configured with a PostgreSQL Database, the recipient can connect to the database without having direct access to the linked credentials.
Learn more about Sharing and Access Control
The PostgreSQL Database record is set up. The user with the ability to launch connections can now launch an interactive PostgreSQL connection or tunnel to the target database.
Configuring Microsoft SQL Server DB as a PAM Database Record
In this example, you'll learn how to configure a Microsoft SQL Server DB in your Keeper Vault as a PAM Database record.
Prior to proceeding with this guide, make sure you have
Databases such as a Microsoft SQL Server DB can be configured on the PAM Database record type.
To create a PAM Database:
Click on Create New
Depending on your use case, click on "Rotation", "Tunnel", or "Connection"
On the prompted window:
Select "New Record"
Select the Shared Folder you want the record to be created in
Specify the Title
Select "Database" for the Target
Click "Next" and complete all of the required information.
Suppose I have a database with the hostname "db-mssql-1". The following table lists all the configurable fields and their respective values:
Title (Required)
Title of the PAM Database Record
Local SQL Database
Hostname or IP Address (Required)
Address, RDP endpoint or server name of the database resource
db-mssql-1
Port (Required)
Port to connect to the Database Resource
3306
Use SSL (Required)
Check to perform SSL verification before connecting, if your database has SSL configured
Enabled
Database ID
Azure or AWS Resource ID (if applicable)
Required if a managed AWS or Azure Database
Database Type
Appropriate database type from supported databases.
mssql
Provider Group
Azure or AWS Provider Group
Required if a managed AWS or Azure Database
Provider Region
Azure or AWS Provider Region
Required if a managed AWS or Azure Database
On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential. The following table lists all the configurable fields and their respective values for the Microsoft SQL Database:
PAM Configuration
Associated PAM Configuration record which defines the environment
Required - This is the PAM configuration you created in the prerequisites
Administrative Credential Record
Linked PAM User credential used for connection and administrative operations
Required. Visit this section for more details.
Protocol
Native database protocol used for connecting from the Gateway to the target
Required - for this example: "SQL Server"
Connection Parameters
Connection-specific protocol settings which can vary based on the protocol type
See this section for SQL Server protocol settings. We recommend specifying the Connection Port at a minimum. E.g. "1433" for SQL Server.
The Admin Credential Record in the PAM Database links a user to the PAM Database record in your Keeper Vault. This linked user is used for authenticating the connection when clicking "Launch".
User Accounts are configured on the PAM User record. Visit this page for more information.
If you prefer not to authenticate a connection using the admin credential, you can optionally designate a regular user of the resource as the admin credential.
PAM Database records can be shared with other Keeper users within your organization. However, the recipient must be assigned to a role with the appropriate PAM enforcement policies in place to utilize KeeperPAM features.
When sharing a PAM Database record, the linked admin credentials will not be shared. For example, if the PAM Database is configured with a Microsoft SQL Database, the recipient can connect to the database without having direct access to the linked credentials.
Learn more about Sharing and Access Control
The Microsoft SQL Database record is set up. The user with the ability to launch connections can now launch an interactive SQL connection or tunnel to the target database.
KeeperPAM resource for managing directory services, either on-prem or in the cloud
A PAM Directory record is a type of KeeperPAM resource that represents an Active Directory or OpenLDAP service, either on-prem or hosted in the cloud.
PAM Directory
Active Directory, OpenLDAP
The PAM Directory resource supports the following features:
Password rotation using either LDAP, LDAPS or WinRM
Connections using RDP
TCP Tunnels over any protocol
Session recording and playback
Sharing access without sharing credentials
Prior to creating a PAM Directory record, make sure you have already created a PAM Configuration. The PAM Configuration contains information about your target infrastructure, while the PAM Directory contains information about an asset within that infrastructure, such as an Active Directory server.
To create a PAM Directory:
Click on Create New
Depending on your use case, click on "Rotation", "Tunnel", or "Connection"
On the prompted window:
Select "New Record"
Select the Shared Folder you want the record to be created in
Specify the Title
Select "Directory" for the Target
Click "Next" and complete all of the required information.
The following table lists all the configurable fields on the PAM Directory Record Type:
Hostname or IP Address
Address of the directory resource
Required
Port
Port to connect on
Required. Typically 389 or 636 (LDAP/LDAPS). Active Directory only supports 636.
Use SSL
Use SSL when connecting
Required for Active Directory
Alternative IPs
List of failover IPs for the directory, used for Discovery
Newline separated
Directory ID
Instance ID for AD resource in Azure and AWS hosted environments
Required if Azure Active Directory or AWS Directory Service. AWS example: "d-9a423d0d3b"
Directory Type
Directory type, used for formatting of messaging
Required. Must be Active Directory or OpenLDAP.
User Match
Match on OU to filter found users during Discovery
Domain Name
Domain managed by the directory
Required
Example: some.company.com
Provider Group
Provider Group for directories hosted in Azure
Required for directories hosted in Azure
Provider Region
AWS region of hosted directory
Required for directories hosted in AWS
Example: us-east-2
On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.
PAM Configuration
Associated PAM Configuration record which defines the environment
Required
Administrative Credential Record
Linked PAM User credential used for connection and administrative operations
Required
Protocol
Native protocol used for connecting the session from the Gateway to the target
Required
Connection Parameters (multiple)
Connection-specific protocol settings which can vary based on the protocol type
Depends on protocol. We recommend specifying the Connection Port at a minimum.
Note: PAM User is only required to successfully configure connections and rotation, and not required for Tunnels.
Configuration Steps:
On the PAM Directory record, navigate to the PAM Settings section
Select the PAM Configuration and Administrative Credential Record
To configure Keeper Connections and Keeper Tunnels settings, visit the following page:
The following screenshot is a PAM Directory Record with LDAPS rotation, RDP connections and LDAPS tunnels enabled:
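The field rules in the Machine, Database and Directory tables above (accepted ports, cloud-provider fields, the Connect Database and Active Directory SSL requirements, and the tunnel exception for the admin credential) can be checked before a record is created. The following is an added example, not Keeper's code or API: it assumes a record is a plain dict with the key names shown, an assumed `provider` key ("aws" or "azure") for the Instance/Database/Directory ID rules, and a `use` key (rotation, tunnel or connection) that decides whether the Administrative Credential is needed.

```python
# Pre-flight validation of KeeperPAM Machine, Database and Directory records.
# Added example (not Keeper's code or API): a record is a plain dict whose keys are
# assumed to mirror the vault field tables on this page; sample records are constructed below.
import ipaddress

MACHINE_PORTS = {22, 5985, 5986}                       # SSH, WinRM, WinRM over TLS
STANDARD_DB_PORTS = {"postgresql": 5432, "mysql": 3306, "mariadb": 3306,
                     "mssql": 1433, "oracle": 1521, "mongodb": 27017}
NEEDS_CONNECT_DB = {"postgresql", "mongodb", "mssql"}  # "Connect Database" required
DIRECTORY_TYPES = {"Active Directory", "OpenLDAP"}

def _common_checks(rec, problems):
    """Fields every resource shares: the address plus the PAM Settings section."""
    if not rec.get("hostname"):
        problems.append("Hostname or IP Address is required")
    if not rec.get("pam_configuration"):
        problems.append("PAM Configuration is required")
    if not rec.get("protocol"):
        problems.append("Protocol is required")
    # Tunnels do not need a linked credential; rotation and connections do.
    if rec.get("use") in ("rotation", "connection") and not rec.get("admin_credential"):
        problems.append(f"Administrative Credential Record is required for {rec['use']}")

def _cloud_checks(rec, problems, id_field, group_for, region_for):
    """Managed AWS/Azure resources need an ID; group/region rules differ per record type."""
    provider = rec.get("provider")  # None, "aws" or "azure" (assumed encoding)
    if provider and not rec.get(id_field):
        problems.append(f"{id_field} is required for a managed {provider} resource")
    if provider in group_for and not rec.get("provider_group"):
        problems.append(f"Provider Group is required for {provider}")
    if provider in region_for and not rec.get("provider_region"):
        problems.append(f"Provider Region is required for {provider}")

def validate_machine(rec, config_port_mapping=()):
    """config_port_mapping: extra SSH/WinRM ports declared in the PAM Configuration (assumed)."""
    problems = []
    _common_checks(rec, problems)
    port = rec.get("port")
    if port is None:
        problems.append("Port is required")
    elif port not in MACHINE_PORTS and port not in set(config_port_mapping):
        problems.append(f"Port {port} is not 22/5985/5986 and not in the PAM Configuration port mapping")
    if rec.get("provider") and not rec.get("instance_name"):
        problems.append("Instance Name is required for an AWS/Azure machine")
    _cloud_checks(rec, problems, "instance_id", group_for={"azure"}, region_for={"aws"})
    return problems

def validate_database(rec):
    problems = []
    _common_checks(rec, problems)
    port, db_type = rec.get("port"), rec.get("database_type")
    if db_type and db_type not in STANDARD_DB_PORTS:
        problems.append(f"Unsupported Database Type {db_type!r}")
    if port is None:
        problems.append("Port is required")
    elif port not in STANDARD_DB_PORTS.values() and not db_type:
        # With a non-standard port the Gateway relies on Database Type to pick the protocol.
        problems.append(f"Port {port} is non-standard, so Database Type is required")
    if db_type in NEEDS_CONNECT_DB and not rec.get("connect_database"):
        problems.append(f"Connect Database is required for {db_type}")
    _cloud_checks(rec, problems, "database_id", group_for={"aws", "azure"}, region_for={"aws", "azure"})
    return problems

def validate_directory(rec):
    problems = []
    _common_checks(rec, problems)
    d_type, port = rec.get("directory_type"), rec.get("port")
    if d_type not in DIRECTORY_TYPES:
        problems.append("Directory Type must be Active Directory or OpenLDAP")
    if not rec.get("domain_name"):
        problems.append("Domain Name is required")
    if port is None:
        problems.append("Port is required")
    if d_type == "Active Directory":
        if port != 636:
            problems.append("Active Directory only supports port 636 (LDAPS)")
        if not rec.get("use_ssl"):
            problems.append("Use SSL is required for Active Directory")
    # Alternative IPs are entered newline-separated; every entry must parse as an address.
    for entry in (ln.strip() for ln in rec.get("alternative_ips", "").splitlines() if ln.strip()):
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            problems.append(f"Alternative IP {entry!r} is not a valid IP address")
    _cloud_checks(rec, problems, "directory_id", group_for={"azure"}, region_for={"aws"})
    return problems

# Constructed sample records following the page's examples.
LINUX_MACHINE = {"hostname": "linux-machine", "port": 22, "protocol": "SSH", "use": "connection",
                 "pam_configuration": "Local Env", "admin_credential": "linux admin"}
MYSQL_DB = {"hostname": "db-mysql-1", "port": 3306, "database_type": "mysql", "protocol": "MySQL",
            "use": "tunnel", "pam_configuration": "Local Env"}
AD_DIRECTORY = {"hostname": "dc01.some.company.com", "port": 389, "use_ssl": False, "use": "rotation",
                "directory_type": "Active Directory", "domain_name": "some.company.com",
                "alternative_ips": "10.0.1.5\n10.0.1.6\nnot-an-ip", "protocol": "LDAPS",
                "pam_configuration": "Local Env", "admin_credential": "ad admin"}

if __name__ == "__main__":
    print(validate_machine(LINUX_MACHINE), validate_database(MYSQL_DB), validate_directory(AD_DIRECTORY))
```

The constructed AD_DIRECTORY record deliberately uses port 389 without SSL so the run shows the Active Directory rule (636 with SSL) being enforced.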
KeeperPAM resource for managing remote browser isolation access to a protected web application
A PAM Remote Browser is a type of KeeperPAM resource that represents a remote browser isolation target, such as a protected internal application or cloud-based web app.
PAM Remote Browser
Any http:// or https:// web application, on-prem or in the cloud
KeeperPAM remote browser isolation records provide secure access to internal and cloud-based web applications through a protected browser, embedded within the vault. This browser is projected visually from the Keeper Gateway through the Keeper Vault, isolating the session and providing zero-trust access.
The PAM Remote Browser resource supports the following features:
Zero-trust Connections over http:// and https:// websites
Session recording
Sharing access without sharing credentials
Autofill of linked credentials and 2FA codes
URL AllowList patterns
Navigation bar
Prior to creating a PAM Remote Browser, make sure you have already created a PAM Configuration. The PAM Configuration contains information of your target infrastructure while the PAM Remote Browser contains information about the target web application and associated access rules.
To create a PAM Remote Browser:
Click on Create New
Select "Connection"
On the prompted window:
Select "New Record"
Select the Shared Folder you want the record to be created in
Specify the Title
Select "Browser" for the Target
Click "Next" and complete all of the required information.
The following table lists all the configurable fields on the PAM Remote Browser Record Type:
URL
IP or Website address
Required. The target URL only needs to be accessible from the Keeper Gateway.
On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and link a PAM User credential for performing autofill.
PAM Configuration
Associated PAM Configuration record which defines the environment
Required
Browser Autofill Credentials
Linked PAM User credential used for autofill
Protocol
Native protocol used for connecting from the Gateway to the target
Required
Additional information on Remote Browser Isolation is available at this page.
Record Type Details for PAM User Record Type
A PAM User is a type of KeeperPAM resource that represents an account credential. The PAM User is typically linked from other resources.
PAM User
Account credential, IAM user, password or SSH Key
KeeperPAM User records define a specific account inside another PAM resource. PAM Machines, PAM Databases, PAM Directories and PAM Remote Browser records link to a PAM User.
The PAM User resource supports the following features:
On-demand and scheduled password rotation
PAM Scripts for privilege automation
Sharing with time-limited access
Prior to creating a PAM User, make sure you have already created a PAM Configuration and a PAM Resource such as a Machine, Database, Directory or Browser.
To create a PAM User:
Click on Create New
Depending on your use case, click on "Rotation", "Tunnel", or "Connection"
On the prompted window:
Select "New Record"
Select the Shared Folder you want the record to be created in
Specify the Title
Select "User" for the Target
Click "Next" and complete all of the required information.
The following table lists all the configurable fields on the PAM User Record Type:
Login
Username; exact context and format depends on the associated resource. See Note (1) below.
Required
Examples:
username
username@domain
DOMAIN\username
Password
Password of the user
Can be rotated
Private PEM Key
PEM Key associated with user
Can be rotated
Distinguished Name
Distinguished name; used if associated with a PAM Directory
Required only when the User is managed by a directory. Example: CN=Jeff Smith,OU=Sales,DC=demo,DC=COM
If left blank, defaults are attempted depending on the provider type
Managed User
Flag for accounts that are managed by the AWS or Azure IAM systems
Set by Keeper Discovery to indicate that the password cannot be rotated. For example, AWS token-based auth.
Connect Database
Used in certain scenarios if a database name is needed
Edge cases, e.g. using LDAP to connect to a MySQL database
When connecting to Windows machines that are domain-joined: always use the UPN format (user@domain.local), as it is more modern, DNS-reliant, and avoids NetBIOS issues. Reserve DOMAIN\user for older systems or mixed environments where UPN isn't supported.
On the "Rotation Settings" section of the PAM User vault record, you can configure how credential rotation is managed.
Rotation Type
Specifies which type of rotation is being performed (and which protocol is utilized).
Required. "General", "IAM User" or "Run PAM Scripts Only". See below for details.
PAM Resource
For General rotation type, specifies the PAM Resource record which can provide the necessary privilege. For IAM User rotation type, specifies the PAM Configuration utilizing cloud APIs.
Required only for "General" and "IAM User" rotation types
Rotation Schedule
Rotation can be performed on-demand or on a specific schedule.
For advanced scheduling, see the cron spec.
Password Complexity
Applies to password-based rotations, not PEM keys.
Select "Show More" to control special characters and symbols.
Keeper supports 3 different types of rotation:
General: Uses native protocols for performing the rotation, such as LDAP, Databases, SSH keys, etc.
IAM User: Uses the cloud-specific APIs for performing rotation, such as AWS IAM users and Azure managed resources. In this case, only the PAM Configuration is required since it contains the necessary
Run PAM scripts only: Skips the standard rotation and only executes the attached PAM Scripts.
The rotation schedule can be set on a specific interval, or using a cron spec.
To complete the Rotation setup, you need to select a resource, which depends on the rotation type.
For a "General" rotation, the Keeper Gateway uses a native protocol for performing the necessary rotation, and the rotation will be executed on the associated PAM Resource supplied. If necessary, the rotation will use the associated administrative credential on the PAM Resource.
In the example below, a Windows service account password is going to be rotated on the associated Windows Server.
For an "IAM User" rotation type, the Keeper Gateway will use the referenced PAM Configuration to determine which APIs and methods are used to perform the rotation. In the example below, an IAM user in AWS will use the "AWS (US-WEST-1)" configuration.
When using the IAM User rotation method, it is assumed that the Keeper Gateway either inherits its privilege from the instance role policy, or through explicit access keys that are provided on the PAM Configuration record.
The PAM User record holds the credential that is being rotated.
The Rotation Settings of the PAM User record references a specific PAM Machine, PAM Database or PAM Directory resource. This is the target resource where the rotation is performed.
The Keeper Gateway uses the Admin Credential associated to the PAM Machine, PAM Database or PAM Directory resource to perform the rotation with native protocols.
For AWS and Azure managed resources, Keeper uses Instance Role permission of the Gateway, or specific PAM Configuration secrets to perform the rotation with APIs.
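The Login format guidance and the rotation-type rules above (General needs a PAM Resource, IAM User needs a PAM Configuration, Run PAM Scripts Only needs neither; a directory-managed user needs a Distinguished Name; Managed User accounts cannot be rotated) can be checked on a PAM User record before rotation is enabled. This is an added example, not Keeper's code or API: it assumes a plain dict record with keys such as `rotation_type`, `rotation_target`, `managed_by_directory` and `domain_joined_windows`, and an assumed "every N days" form for interval schedules alongside the cron spec the page mentions.

```python
# Checks for a KeeperPAM User record: the Login field's format and the Rotation Settings.
# Added example (not Keeper's code or API): the record is a plain dict whose keys are assumed
# to mirror the PAM User fields on this page; sample records are constructed below.
import re

# What the Rotation Settings must reference, per rotation type (from this page).
ROTATION_TARGET = {"General": "PAM Resource (Machine, Database or Directory)",
                   "IAM User": "PAM Configuration with cloud API access",
                   "Run PAM Scripts Only": None}
UPN_RE = re.compile(r"^(?P<user>[^@\\\s]+)@(?P<domain>[^@\\\s]+)$")      # user@domain
NETBIOS_RE = re.compile(r"^(?P<domain>[^@\\\s]+)\\(?P<user>[^@\\\s]+)$")  # DOMAIN\user
DN_RE = re.compile(r"^\s*[A-Za-z]+=[^,]+(\s*,\s*[A-Za-z]+=[^,]+)*\s*$")   # CN=..,OU=..,DC=..
CRON_RE = re.compile(r"^(\S+\s+){4}\S+$")                                # five cron fields
INTERVAL_RE = re.compile(r"^every \d+ (hours?|days?)$")                  # assumed interval form

def classify_login(login):
    """Return (style, user, domain) where style is "upn", "netbios" or "local"."""
    if (m := UPN_RE.match(login)):
        return "upn", m["user"], m["domain"].lower()
    if (m := NETBIOS_RE.match(login)):
        return "netbios", m["user"], m["domain"].upper()
    return "local", login, None

def validate_pam_user(rec):
    """Return (problems, warnings); an empty problems list means the record passes."""
    problems, warnings = [], []
    login = rec.get("login", "")
    if not login:
        problems.append("Login is required")
    elif rec.get("domain_joined_windows") and classify_login(login)[0] != "upn":
        # Page guidance: UPN is DNS-based and avoids NetBIOS issues on domain-joined hosts.
        warnings.append(f"Login {login!r}: prefer the UPN format user@domain for domain-joined Windows")
    if rec.get("managed_by_directory"):
        dn = rec.get("distinguished_name", "")
        if not dn:
            problems.append("Distinguished Name is required when the user is managed by a directory")
        elif not DN_RE.match(dn):
            problems.append(f"Distinguished Name {dn!r} must be attr=value pairs separated by commas")
    rtype = rec.get("rotation_type")
    if rtype not in ROTATION_TARGET:
        problems.append(f"Rotation Type must be one of {sorted(ROTATION_TARGET)}")
        return problems, warnings
    target = ROTATION_TARGET[rtype]
    if target and not rec.get("rotation_target"):
        problems.append(f"{rtype} rotation requires a {target} in the PAM Resource field")
    if target and rec.get("managed_user"):
        # Discovery sets Managed User when the password cannot be rotated (e.g. AWS token-based auth).
        problems.append("Managed User accounts cannot be password-rotated; use Run PAM Scripts Only")
    if rec.get("private_pem_key") and rec.get("password_complexity"):
        warnings.append("Password Complexity applies to password rotation only, not to PEM keys")
    schedule = rec.get("rotation_schedule", "on-demand")
    if schedule != "on-demand" and not (CRON_RE.match(schedule) or INTERVAL_RE.match(schedule)):
        problems.append(f"Rotation Schedule {schedule!r} must be on-demand, an interval or a cron spec")
    return problems, warnings

# Constructed sample records following the page's examples.
DOMAIN_ADMIN = {"login": "jsmith@demo.com", "domain_joined_windows": True, "managed_by_directory": True,
                "distinguished_name": "CN=Jeff Smith,OU=Sales,DC=demo,DC=COM", "rotation_type": "General",
                "rotation_target": "Windows Server", "rotation_schedule": "0 2 * * 0"}
AWS_IAM_USER = {"login": "deploy-bot", "rotation_type": "IAM User", "rotation_target": "AWS (US-WEST-1)"}
LEGACY_LOGIN = {"login": "DEMO\\svc_backup", "domain_joined_windows": True,
                "rotation_type": "General", "rotation_schedule": "every 30 days"}

if __name__ == "__main__":
    for rec in (DOMAIN_ADMIN, AWS_IAM_USER, LEGACY_LOGIN):
        print(rec["login"], validate_pam_user(rec))
```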
Below are some examples of PAM User records.
Windows Domain Admin
Windows Domain User with post-rotation scripts
AWS IAM User
Database user
Azure AD User