
PAM Resources

Guide for using PAM Resource Records in the Keeper Vault for privileged access functionality.

Overview

KeeperPAM Resource records are special record types designed to organize and store information about your target infrastructure: machines, web apps, workloads and user accounts.

  • What's a Record Type?

KeeperPAM Record Types

In your Keeper Vault, resources that represent your infrastructure are created with the following Record Types:

| PAM Record Type | Target Infrastructure |
| --- | --- |
| PAM Machine | Windows/macOS/Linux machines, EC2 instances, Azure VMs, etc. |
| PAM Database | MySQL, PostgreSQL, SQL Server, MongoDB, MariaDB, Oracle |
| PAM Directory | Active Directory, OpenLDAP |
| PAM Remote Browser | Web-based applications, internal apps or cloud apps |
| PAM User | Any local user, remote user, database credential or admin account. PAM User records can also be configured for scheduled or on-demand password rotation. |

Record Linking

The PAM User record is special because the other resource records link to it rather than embedding the credential. This way, you can share access to a Machine, Database, Directory or Remote Browser without sharing access to the underlying credentials.

Creating a PAM Record

From the Vault UI, click on Create New and select either Rotation, Tunnel or Connection.

Create a new PAM Resource Record

Alternatively, you can right-click on a folder and select Rotation, Tunnel or Connection.

Right-click to create PAM Resource Records

The "Target" selection will determine what type of record will be created.

Selecting a Target

Bulk Import of Resources

There are several ways of creating resources in the Keeper vault.

  • Manually in the Keeper Vault

  • Using Keeper Discovery

  • Bulk Import with Keeper Commander

Manually in the Keeper Vault

As described in this section, you can create PAM Machines, Databases, Directories, Remote Browsers and Users directly in the Keeper Vault.

Using Keeper Discovery

KeeperPAM can perform discovery on a network or cloud resource to find all associated machines, accounts, etc. Visit the Discovery section to learn more.

Bulk Import with Keeper Commander

The Keeper Commander CLI can import resources from a template. See the Importing PAM Resources example for a step-by-step guide, and the pam project import command for more advanced import options.

The following sections will describe each of the PAM resources.

PAM Machine

KeeperPAM resource for managing machines on-prem or in the cloud

Overview

A PAM Machine record is a type of KeeperPAM resource that represents a workload, such as a Windows or Linux server.

| PAM Record Type | Supported Assets |
| --- | --- |
| PAM Machine | Windows/macOS/Linux machines, EC2 instances, Azure VMs |

Features Available

The PAM Machine resource supports the following features:

  • Password rotation

  • SSH key rotation

  • Zero-trust Connections using RDP, SSH, VNC, K8s and Telnet protocols

  • TCP Tunnels

  • Session recording

  • Sharing access without sharing credentials

  • File transfer through drag-and-drop

Connecting to the PAM machine requires only that the Keeper Gateway has access to the target machine. The Keeper Vault operates independently and does not require direct connectivity to the machine, leveraging Keeper's zero-trust network access model to securely manage access through the Gateway. See the network architecture diagram for more details.

Creating a PAM Machine

Prior to creating a PAM Machine, make sure you have already created a PAM Configuration. The PAM Configuration describes your target environment, while the PAM Machine describes a single asset within it, such as a Windows or Linux server.

To create a PAM Machine:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Machine" for the Target

  • Click "Next" and complete all of the required information.

Creating a new PAM Machine record

PAM Machine Record Type Fields

The following table lists all the configurable fields on the PAM Machine Record Type:

| Field | Description | Notes |
| --- | --- | --- |
| Hostname or IP Address | Address of the machine resource | Required |
| Port | Port the Gateway connects to for rotation and administrative operations. The Gateway uses this port to determine the connection method. | Required. Must be an SSH or WinRM port: Keeper expects 22 (SSH), 5985 or 5986 (WinRM), or an alternative SSH/WinRM port declared in the PAM Configuration port mapping |
| Administrative Credentials | Linked PAM User credential used for connection and administrative operations | Required. Visit this section for more details |
| PAM Settings | Where you configure the Connection and Tunnel settings for this machine | Required. Visit this section for more details |
| Operating System | The target's operating system | For your reference only |
| SSL Verification | When checked, the Gateway verifies the target's certificate when connecting | Only applies to certain databases and directories where SSL is optional |
| Instance Name | Azure or AWS instance name | Required if AWS/Azure machine |
| Instance Id | Azure or AWS instance ID | Required if AWS/Azure machine |
| Provider Group | Provider group of a machine hosted in Azure | Required if Azure machine |
| Provider Region | AWS region in which the machine is hosted | Required if AWS machine |

PAM Settings and Administrative Credentials

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.

PAM Settings and Administrative Credentials

PAM Settings

| Field | Description | Required |
| --- | --- | --- |
| PAM Configuration | Associated PAM Configuration record which defines the environment | Required |
| Administrative Credential Record | Linked PAM User credential used for connection and administrative operations | Required for rotation and connections (tunnels do not need one) |
| Protocol | Native protocol used for the session from the Gateway to the target | Required |
| Session Recording | Options for recording sessions and typescripts | See session recording |
| Connection Parameters (multiple) | Connection-specific protocol settings, which vary with the protocol type | Depends on protocol. Specify the Connection Port at a minimum. |

PAM Settings for a PAM Machine resource

Below are a couple examples of PAM Machine records with Connections and Tunnels activated.

PAM Machine Record - Windows
PAM Machine Record - Linux

Examples

Visit the following pages to set up:

  • Linux Machine

  • Azure Virtual Machine

Example: Linux Machine

Configuring SSH Server as a PAM Machine Record

Overview

In this example, you'll learn how to configure a Linux Machine in your Keeper Vault as a PAM Machine record.

Prerequisites

Prior to proceeding with this guide, make sure you have

  1. Installed and configured the Keeper Gateway

  2. Set up a PAM Configuration for your target Environment

PAM Machine Record

Machines such as Linux servers are configured on the PAM Machine record type.

Creating a PAM Machine

To create a PAM Machine:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Machine" for the Target

  • Click "Next" and complete all of the required information.

Linux Machine Example

Configure a Linux Machine on the PAM Machine Record

Suppose I have a local Linux virtual machine with the hostname "linux-machine". The following table lists all the configurable fields and their respective values:

| Field | Description | Value |
| --- | --- | --- |
| Title (Required) | Title of the PAM Machine record | Linux Machine |
| Hostname or IP Address (Required) | Address or server name of the machine resource | linux-machine |
| Port (Required) | Port the Gateway connects to on the Linux resource | 22 |
| Operating System | The target's operating system | linux |
| Instance Name | Azure or AWS instance name | Leave empty; required only for an AWS/Azure machine |
| Instance ID | Azure or AWS instance ID | Leave empty; required only for an AWS/Azure machine |
| Provider Group | Azure or AWS provider group | Leave empty; required only for a managed Azure machine |
| Provider Region | Azure or AWS provider region | Leave empty; required only for a managed AWS machine |

Configuring PAM Settings on the PAM Machine

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential. The following table lists all the configurable fields and their respective values for the Linux Machine:

| Field | Description | Required / Value |
| --- | --- | --- |
| PAM Configuration | Associated PAM Configuration record which defines the environment | Required: the PAM Configuration you created in the prerequisites |
| Administrative Credential Record | Linked PAM User credential used for connection and administrative operations | Required; see the Administrative Credential Record section below |
| Protocol | Native protocol used for the session from the Gateway to the target | Required; for this example: "SSH" |
| Session Recording | Options for recording sessions and typescripts | See session recording |
| Connection Parameters | Connection-specific protocol settings, which vary with the protocol type | See this section for SSH protocol settings. Specify the Connection Port at a minimum, e.g. "22" for SSH. |

Administrative Credential Record

The Admin Credential Record in the PAM Machine links the admin user to the PAM Machine record in your Keeper Vault. This admin user is used for performing password rotations and authenticating connections.

User Accounts can be configured on the PAM User record. Visit this page for more information on the PAM User.

Setting a Non Admin User as the Administrative Credential Record

If you prefer not to authenticate a connection using the admin credential, you can optionally designate a regular user of the resource as the admin credential.

Sharing PAM Machine Records

PAM Machine records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.

When sharing a PAM Machine record, the linked admin credentials will not be shared. For example, if the PAM Machine is configured with a Linux Machine, the recipient can connect to the Linux Machine on the PAM Machine record without having direct access to the linked credentials.

  • Learn more about Sharing and Access Control

Example: Azure Windows VM

Configuring an Azure Windows VM as a PAM Machine Record

Overview

In this example, you'll learn how to configure an Azure Windows VM in your Keeper Vault as a PAM Machine record.

Prerequisites

Prior to proceeding with this guide, make sure you have

  1. Installed and configured the Keeper Gateway

  2. Set up a PAM Configuration for your target Environment

PAM Machine Record

Machines such as Azure virtual machines are configured on the PAM Machine record type.

Creating a PAM Machine

To create a PAM Machine:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Machine" for the Target

  • Click "Next" and complete all of the required information.

Example of Azure Windows VM

Configure a Windows Machine on the PAM Machine Record

Suppose I have an Azure virtual machine reachable from the Gateway at the private IP address 10.0.1.4. The following table lists all the configurable fields and their respective values:

| Field | Description | Value |
| --- | --- | --- |
| Title (Required) | Title of the PAM Machine record | Windows VM |
| Hostname or IP Address (Required) | Address, RDP endpoint or server name of the machine resource | 10.0.1.4 |
| Port (Required) | Port the Gateway connects to for rotation and administrative operations: 22 for SSH, 5985 or 5986 for WinRM | 5986 (WinRM over HTTPS) |
| Operating System | The target's operating system | Windows |
| Instance Name | Azure or AWS instance name (required for an AWS/Azure machine) | webserver-prod-01 |
| Instance ID | Azure or AWS instance ID (required for an AWS/Azure machine) | The VM's Azure instance ID |
| Provider Group | Azure or AWS provider group (required for a managed Azure machine) | The VM's Azure provider group |
| Provider Region | Azure or AWS provider region (required for a managed AWS machine) | Leave empty for an Azure machine |

Configuring PAM Settings on the PAM Machine

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential. The following table lists all the configurable fields and their respective values for the Azure Virtual Machine:

| Field | Description | Required / Value |
| --- | --- | --- |
| PAM Configuration | Associated PAM Configuration record which defines the environment | Required: the PAM Configuration you created in the prerequisites |
| Administrative Credential Record | Linked PAM User credential used for connection and administrative operations | Required; see the Administrative Credential Record section below |
| Protocol | Native protocol used for the session from the Gateway to the target | Required; for this example: "RDP" |
| Session Recording | Options for recording sessions and typescripts | See session recording |
| Connection Parameters | Connection-specific protocol settings, which vary with the protocol type | See this section for RDP protocol settings. Specify the Connection Port at a minimum, e.g. "3389" for RDP. |

Administrative Credential Record

The Admin Credential Record in the PAM Machine links the admin user to the PAM Machine record in your Keeper Vault. This admin user is used for performing password rotations and authenticating connections.

User Accounts can be configured on the PAM User record. Visit this page for more information.

Setting a Non Admin User as the Administrative Credential Record

If you prefer not to authenticate a connection using the admin credential, you can optionally designate a regular user of the resource as the admin credential.

Sharing PAM Machine Records

PAM Machine records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.

When sharing a PAM Machine record, the linked admin credentials will not be shared. For example, if the PAM Machine is configured with a Azure Virtual Machine, the recipient can connect to the Azure Virtual Machine on the PAM Machine record without having direct access to the linked credentials.

  • Learn more about Sharing and Access Control

PAM Database

KeeperPAM resource for managing databases either on-prem or in the cloud

Overview

In your Keeper Vault, the following assets can be configured on the PAM Database record type:

| PAM Record Type | Supported Assets |
| --- | --- |
| PAM Database | MySQL, PostgreSQL, SQL Server, MongoDB, MariaDB, Oracle |

This guide covers the PAM Database record type in more detail.

Features Available

The PAM Database resource supports the following features:

  • Password rotation

  • Zero-trust Connections

  • TCP Tunnels

  • Graphical session recording

  • Text session recording (Typescript)

  • Sharing access without sharing credentials

Connecting to the PAM database requires only that the Keeper Gateway has access to the database either through native protocols or AWS/Azure APIs. The Keeper Vault operates independently and does not require direct connectivity to the database, leveraging Keeper's zero-trust network access model to securely manage access through the Gateway. See the network architecture diagram for more details.

Creating a PAM Database

Prior to creating a PAM Database, make sure you have already created a PAM Configuration. The PAM Configuration describes your target environment, while the PAM Database describes the target database itself: its hostname, type (MySQL, PostgreSQL, etc.) and port number.

To create a PAM Database:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Database" for the Target

  • Click "Next" and complete all of the required information.

Create a PAM Database

PAM Database Record Type Fields

The following table lists all the configurable fields on the PAM Database Record Type:

| Field | Description | Notes |
| --- | --- | --- |
| Hostname or IP Address | Address of the database resource | Required |
| Port | Port to connect to the database resource | Required. Standard ports: PostgreSQL 5432, MySQL 3306, MariaDB 3306, Microsoft SQL Server 1433, Oracle 1521, MongoDB 27017 |
| Use SSL | Use SSL when connecting | |
| Connect Database | Database name to connect to | Required for connecting to PostgreSQL, MongoDB and MS SQL Server |
| Database Id | Azure or AWS resource ID | Required if a managed AWS or Azure database |
| Database Type | Appropriate database type from the supported databases | If a non-standard port is provided, the Database Type is used to determine the connection method |
| Provider Group | Azure or AWS provider group | Required if a managed AWS or Azure database |
| Provider Region | Azure or AWS provider region | Required if a managed AWS or Azure database |

PAM Settings and Administrative Credentials

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.

PAM Settings and Administrative Credentials

PAM Settings

| Field | Description | Required |
| --- | --- | --- |
| PAM Configuration | Associated PAM Configuration record which defines the environment | Required |
| Administrative Credential Record | Linked PAM User credential used for connection and administrative operations | Required for rotation and connections (tunnels do not need one). Visit this section for more details |
| Protocol | Native database protocol used for connecting from the Gateway to the target | Required |
| Session Recording | Options for recording sessions and typescripts | See session recording |
| Connection Parameters (multiple) | Connection-specific protocol settings, which vary with the protocol type | Depends on protocol |

PAM Settings on Database resource
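The field rules in the PAM Machine and PAM Database tables (which ports the Gateway accepts, when the Database Type decides the protocol, which provider fields a cloud-hosted asset needs, and when a linked Administrative Credential is mandatory) are easy to get wrong in a bulk inventory and only surface later as a failed rotation or connection. The following pre-flight validator is an added example, not Keeper's code and not the Commander import template: it encodes those rules so an inventory can be checked before the records are created. The record keys, the `environment` value and the `port_mapping` shape on the PAM Configuration are assumptions made for the example; the real port-mapping format may differ.

```python
"""Pre-flight validator for PAM Machine and PAM Database records.

Added example; not Keeper's code. Encodes the field rules from the PAM
Machine / PAM Database field tables and the PAM Settings tables.

Assumptions (not from the page): a record is a plain dict with the keys
used below; the PAM Configuration is modelled as a dict with an
"environment" of "local", "aws" or "azure" and an optional "port_mapping"
of {port: "ssh" | "winrm"} for non-default management ports.
"""
from __future__ import annotations

# Management ports the Gateway recognises without a port mapping.
MACHINE_DEFAULT_PORTS = {22: "ssh", 5985: "winrm", 5986: "winrm"}

# Standard ports from the PAM Database field table.
DB_STANDARD_PORTS = {"postgresql": 5432, "mysql": 3306, "mariadb": 3306,
                     "mssql": 1433, "oracle": 1521, "mongodb": 27017}
# Database types for which the "Connect Database" field is required.
DB_NEEDS_DATABASE_NAME = {"postgresql", "mongodb", "mssql"}


def resolve_machine_method(port: int, config: dict) -> str | None:
    """Method the Gateway infers from a PAM Machine port, or None.

    22, 5985 and 5986 are recognised on their own; any other port must be
    declared in the PAM Configuration port mapping (assumed shape).
    """
    return MACHINE_DEFAULT_PORTS.get(port) or config.get("port_mapping", {}).get(port)


def resolve_database_method(port: int, db_type: str | None) -> str | None:
    """Protocol the Gateway will use for a PAM Database, or None.

    A standard port identifies the protocol by itself; a non-standard port
    needs the Database Type field. 3306 without a type is reported as
    mysql here (MariaDB speaks the same wire protocol).
    """
    if db_type:
        return db_type if db_type in DB_STANDARD_PORTS else None
    return next((name for name, std in DB_STANDARD_PORTS.items() if std == port), None)


def _require(rec: dict, fields: tuple[str, ...], why: str = "") -> list[str]:
    suffix = f" {why}" if why else ""
    return [f"{f} is required{suffix}" for f in fields if not rec.get(f)]


def _check_pam_settings(rec: dict) -> list[str]:
    """Rules shared by the PAM Settings tables of both record types."""
    problems = []
    uses = set(rec.get("uses", ()))  # subset of {"rotation", "connection", "tunnel"}
    if uses & {"rotation", "connection"} and not rec.get("admin_credential"):
        problems.append("Administrative Credential Record is required for rotation "
                        "and connections (tunnels do not need one)")
    if "connection" in uses and not rec.get("protocol"):
        problems.append("Protocol is required for connections")
    return problems


def validate_machine(rec: dict, config: dict) -> list[str]:
    """Problems with a PAM Machine record; an empty list means it passes."""
    problems = _require(rec, ("host", "port"))
    port = rec.get("port")
    if port and resolve_machine_method(port, config) is None:
        problems.append(f"port {port} is not an SSH/WinRM default and is not in the PAM Configuration port mapping")
    env = config.get("environment", "local")
    if env in ("aws", "azure"):
        problems += _require(rec, ("instance_name", "instance_id"), f"for {env} machines")
    if env == "azure":
        problems += _require(rec, ("provider_group",), "for azure machines")
    if env == "aws":
        problems += _require(rec, ("provider_region",), "for aws machines")
    return problems + _check_pam_settings(rec)


def validate_database(rec: dict, config: dict) -> list[str]:
    """Problems with a PAM Database record; an empty list means it passes."""
    problems = _require(rec, ("host", "port"))
    port, db_type = rec.get("port"), rec.get("db_type")
    if port:
        method = resolve_database_method(port, db_type)
        if method is None:
            problems.append(f"cannot determine the database protocol from port {port} "
                            f"and Database Type {db_type!r}")
        elif method in DB_NEEDS_DATABASE_NAME and not rec.get("database"):
            problems.append(f"Connect Database is required for {method}")
    if config.get("environment", "local") in ("aws", "azure"):
        problems += _require(rec, ("database_id", "provider_group", "provider_region"),
                             "for a managed AWS or Azure database")
    return problems + _check_pam_settings(rec)


if __name__ == "__main__":
    # Constructed inventory mirroring the examples on this page, plus deliberately broken records.
    local, azure = {"environment": "local"}, {"environment": "azure"}
    inventory = [
        ("machine", {"host": "linux-machine", "port": 22, "uses": ["rotation", "connection"],
                     "admin_credential": "linux admin", "protocol": "SSH"}, local),
        ("machine", {"host": "10.0.1.4", "port": 5986, "instance_name": "webserver-prod-01",
                     "instance_id": "example-instance-id", "uses": ["connection"],
                     "admin_credential": "vm admin", "protocol": "RDP"}, azure),  # no provider_group
        ("machine", {"host": "bastion", "port": 2222, "uses": ["tunnel"]}, local),  # unmapped port
        ("database", {"host": "db-postgres-1", "port": 5432, "db_type": "postgresql",
                      "uses": ["connection"], "admin_credential": "postgresuser",
                      "protocol": "PostgreSQL"}, local),  # no Connect Database
        ("database", {"host": "db-mysql-1", "port": 3306, "db_type": "mysql", "uses": ["tunnel"]}, local),
    ]
    for kind, rec, cfg in inventory:
        check = validate_machine if kind == "machine" else validate_database
        problems = check(rec, cfg)
        print(f"{kind:8} {rec['host']:15} {'OK' if not problems else '; '.join(problems)}")
```

Run it against the inventory you intend to import; the linux-machine and tunnel-only MySQL records pass, while the Azure VM, the bastion on an unmapped port and the PostgreSQL record without a Connect Database are reported with the field that needs fixing. Tunnels deliberately pass without an Administrative Credential, matching the PAM Settings note above.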

Below is an example of a PAM Database record with Connections and Tunnels activated.

PAM Database with Connections and Tunnels activated

Examples

Visit the following pages to set up:

  • MySQL Database

  • PostgreSQL Database

  • Microsoft SQL Server Database

Example: MySQL Database

Configuring MySQL DB as a PAM Database Record

Overview

In this example, you'll learn how to configure a MySQL DB in your Keeper Vault as a PAM Database record.

Prerequisites

Prior to proceeding with this guide, make sure you have

  1. Installed and configured the Keeper Gateway

  2. Set up a PAM Configuration for your target Environment

PAM Database Record

Databases such as a MySQL DB can be configured on the PAM Database record type.

Creating a PAM Database

To create a PAM Database:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Database" for the Target

  • Click "Next" and complete all of the required information.

PAM Database

Configure a MySQL Database on the PAM Database Record

Suppose I have a MySQL database with the hostname "db-mysql-1". The following table lists all the configurable fields and their respective values:

| Field | Description | Value |
| --- | --- | --- |
| Title (Required) | Title of the PAM Database record | Local MySQL Database |
| Hostname or IP Address (Required) | Address or server name of the database resource | db-mysql-1 |
| Port (Required) | Port to connect to the database resource | 3306 |
| Use SSL (Required) | Check to perform SSL verification before connecting, if your database has SSL configured | Enabled |
| Database ID | Azure or AWS resource ID (required for a managed AWS or Azure database) | Leave empty for a local database |
| Database Type | Appropriate database type from the supported databases | mysql |
| Provider Group | Azure or AWS provider group (required for a managed AWS or Azure database) | Leave empty for a local database |
| Provider Region | Azure or AWS provider region (required for a managed AWS or Azure database) | Leave empty for a local database |

Configuring PAM Settings on the PAM Database

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential. The following table lists all the configurable fields and their respective values for the MySQL Database:

| Field | Description | Required / Value |
| --- | --- | --- |
| PAM Configuration | Associated PAM Configuration record which defines the environment | Required: the PAM Configuration you created in the prerequisites |
| Administrative Credential Record | Linked PAM User credential used for connection and administrative operations | Required; see the Administrative Credential Record section below |
| Protocol | Native database protocol used for connecting from the Gateway to the target | Required; for this example: "MySQL" |
| Session Recording | Options for recording sessions and typescripts | See session recording |
| Connection Parameters | Connection-specific protocol settings, which vary with the protocol type | See this section for MySQL protocol settings. Specify the Connection Port at a minimum, e.g. "3306" for MySQL. |

Administrative Credential Record

The Admin Credential Record in the PAM Database links a user to the PAM Database record in your Keeper Vault. This linked user is used for authenticating the connection when clicking "Launch".

User Accounts are configured on the PAM User record. Visit this page for more information.

Administrative Credential Record

Setting a Non Admin User as the Administrative Credential Record

If you prefer not to authenticate a connection using the admin credential, you can optionally designate a regular user of the resource as the admin credential.

Sharing PAM Database Records

PAM Database records can be shared with other Keeper users within your organization. However, the recipient must be assigned to a role with the appropriate PAM enforcement policies in place to utilize KeeperPAM features.

When sharing a PAM Database record, the linked admin credentials will not be shared. For example, if the PAM Database is configured with a MySQL Database, the recipient can connect to the database without having direct access to the linked credentials.

  • Learn more about Sharing and Access Control

Sharing PAM Database Records

Setup Complete

The MySQL Database record is set up. The user with the ability to launch connections can now launch an interactive MySQL connection or tunnel to the target database.

MySQL Database Record
Connection to MySQL Database
MySQL Interactive Session

Example: PostgreSQL Database

Configuring PostgreSQL DB as a PAM Database Record

Overview

In this example, you'll learn how to configure a PostgreSQL DB in your Keeper Vault as a PAM Database record.

Prerequisites

Prior to proceeding with this guide, make sure you have

  1. Installed and configured the Keeper Gateway

  2. Set up a PAM Configuration for your target Environment

PAM Database Record

Databases such as a PostgreSQL DB can be configured on the PAM Database record type.

Creating a PAM Database

To create a PAM Database:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Database" for the Target

  • Click "Next" and complete all of the required information.

PostgreSQL PAM Database Record

Configure a PostgreSQL Database on the PAM Database Record

Suppose I have a PostgreSQL database with the hostname "db-postgres-1". The following table lists all the configurable fields and their respective values:

| Field | Description | Value |
| --- | --- | --- |
| Title (Required) | Title of the PAM Database record | PostgreSQL Database - postgresuser |
| Hostname or IP Address (Required) | Address or server name of the database resource | db-postgres-1 |
| Port (Required) | Port to connect to the PostgreSQL resource | 5432 |
| Use SSL (Required) | Check to perform SSL verification before connecting, if your database has SSL configured | Enabled |
| Connect Database | Database name to connect to (required for PostgreSQL) | The name of the database to open |
| Database ID | Azure or AWS resource ID (required for a managed AWS or Azure database) | Leave empty unless the database is a managed AWS or Azure database |
| Database Type | Appropriate database type from the supported databases | postgresql |
| Provider Group | Azure or AWS provider group (required for a managed AWS or Azure database) | Leave empty unless the database is a managed AWS or Azure database |
| Provider Region | Azure or AWS provider region (required for a managed AWS or Azure database) | Leave empty unless the database is a managed AWS or Azure database |

Configuring PAM Settings on the PAM Database

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential. The following table lists all the configurable fields and their respective values for the PostgreSQL Database:

| Field | Description | Required / Value |
| --- | --- | --- |
| PAM Configuration | Associated PAM Configuration record which defines the environment | Required: the PAM Configuration you created in the prerequisites |
| Administrative Credential Record | Linked PAM User credential used for connection and administrative operations | Required; see the Administrative Credential Record section below |
| Protocol | Native database protocol used for connecting from the Gateway to the target | Required; for this example: "PostgreSQL" |
| Session Recording | Options for recording sessions and typescripts | See session recording |
| Connection Parameters | Connection-specific protocol settings, which vary with the protocol type | See this section for PostgreSQL protocol settings. Specify the Connection Port at a minimum, e.g. "5432" for PostgreSQL. |

Administrative Credential Record

The Admin Credential Record in the PAM Database links a user to the PAM Database record in your Keeper Vault. This linked user is used for authenticating the connection when clicking "Launch".

User Accounts are configured on the PAM User record. Visit this page for more information.

Administrative Credential Record

Setting a Non Admin User as the Administrative Credential Record

If you prefer not to authenticate a connection using the admin credential, you can optionally designate a regular user of the resource as the admin credential.

Sharing PAM Database Records

PAM Database records can be shared with other Keeper users within your organization. However, the recipient must be assigned to a role with the appropriate PAM enforcement policies in place to utilize KeeperPAM features.

When sharing a PAM Database record, the linked admin credentials will not be shared. For example, if the PAM Database is configured with a PostgreSQL Database, the recipient can connect to the database without having direct access to the linked credentials.

  • Learn more about Sharing and Access Control

Sharing a PostgreSQL Database Record

Setup Complete

The PostgreSQL Database record is set up. The user with the ability to launch connections can now launch an interactive PostgreSQL connection or tunnel to the target database.

Launching interactive CLI session to PostgreSQL
Interactive Connection to PostgreSQL Database

Example: Microsoft SQL Server Database

Configuring Microsoft SQL Server DB as a PAM Database Record

Overview

In this example, you'll learn how to configure a Microsoft SQL Server DB in your Keeper Vault as a PAM Database record.

Prerequisites

Prior to proceeding with this guide, make sure you have

  1. Installed and configured the Keeper Gateway

  2. Set up a PAM Configuration for your target Environment

PAM Database Record

Databases such as a Microsoft SQL Server DB can be configured on the PAM Database record type.

Creating a PAM Database

To create a PAM Database:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Database" for the Target

  • Click "Next" and complete all of the required information.

SQL Server PAM Database Record

Configure a Microsoft SQL Server Database on the PAM Database Record

Suppose I have a Microsoft SQL Server database with the hostname "db-mssql-1". The following table lists all the configurable fields and their respective values:

| Field | Description | Value |
| --- | --- | --- |
| Title (Required) | Title of the PAM Database record | Local SQL Database |
| Hostname or IP Address (Required) | Address or server name of the database resource | db-mssql-1 |
| Port (Required) | Port to connect to the database resource | 1433 |
| Use SSL (Required) | Check to perform SSL verification before connecting, if your database has SSL configured | Enabled |
| Connect Database | Database name to connect to (required for MS SQL Server) | The name of the database to open |
| Database ID | Azure or AWS resource ID (required for a managed AWS or Azure database) | Leave empty for a local database |
| Database Type | Appropriate database type from the supported databases | mssql |
| Provider Group | Azure or AWS provider group (required for a managed AWS or Azure database) | Leave empty for a local database |
| Provider Region | Azure or AWS provider region (required for a managed AWS or Azure database) | Leave empty for a local database |

Configuring PAM Settings on the PAM Database

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential. The following table lists all the configurable fields and their respective values for the Microsoft SQL Database:

| Field | Description | Required / Value |
| --- | --- | --- |
| PAM Configuration | Associated PAM Configuration record which defines the environment | Required: the PAM Configuration you created in the prerequisites |
| Administrative Credential Record | Linked PAM User credential used for connection and administrative operations | Required; see the Administrative Credential Record section below |
| Protocol | Native database protocol used for connecting from the Gateway to the target | Required; for this example: "SQL Server" |
| Session Recording | Options for recording sessions and typescripts | See session recording |
| Connection Parameters | Connection-specific protocol settings, which vary with the protocol type | See this section for SQL Server protocol settings. Specify the Connection Port at a minimum, e.g. "1433" for SQL Server. |

Administrative Credential Record

The Admin Credential Record in the PAM Database links a user to the PAM Database record in your Keeper Vault. This linked user is used for authenticating the connection when clicking "Launch".

User Accounts are configured on the PAM User record. Visit this page for more information.

Administrative Credential Record

Setting a Non Admin User as the Administrative Credential Record

If you prefer not to authenticate a connection using the admin credential, you can optionally designate a regular user of the resource as the admin credential.

Sharing PAM Database Records

PAM Database records can be shared with other Keeper users within your organization. However, the recipient must be assigned to a role with the appropriate PAM enforcement policies in place to utilize KeeperPAM features.

When sharing a PAM Database record, the linked admin credentials will not be shared. For example, if the PAM Database is configured with a Microsoft SQL Database, the recipient can connect to the database without having direct access to the linked credentials.

  • Learn more about Sharing and Access Control

Sharing PAM Database Records

Setup Complete

The Microsoft SQL Database record is set up. The user with the ability to launch connections can now launch an interactive SQL connection or tunnel to the target database.

Microsoft SQL Server Database
Connection to a Microsoft SQL Database
Interactive Session with Microsoft SQL Database

PAM Directory

KeeperPAM resource for managing directory services, either on-prem or in the cloud

Overview

A PAM Directory record is a type of KeeperPAM resource that represents an Active Directory or OpenLDAP service, either on-prem or hosted in the cloud.

| PAM Record Type | Supported Assets |
| --- | --- |
| PAM Directory | Active Directory, OpenLDAP |

Features Available

The PAM Directory resource supports the following features:

  • Password rotation using either LDAP, LDAPS or WinRM

  • Connections using RDP

  • TCP Tunnels over any protocol

  • Session recording and playback

  • Sharing access without sharing credentials

Connecting to the PAM Directory requires only that the Keeper Gateway has access to the target directory service. The Keeper Vault operates independently and does not require direct connectivity to the service, leveraging Keeper's zero-trust network access model to securely manage access through the Gateway. See the network architecture diagram for more details.

Creating a PAM Directory

Prior to creating a PAM Directory Record type, make sure you have already created a PAM Configuration. The PAM Configuration contains information about your target infrastructure, while the PAM Directory contains information about an asset, such as an Active Directory server, within that target infrastructure.

To create a PAM Directory:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Directory" for the Target

  • Click "Next" and complete all of the required information.

Creating a PAM Directory

PAM Directory Record Type Fields

The following table lists all the configurable fields on the PAM Directory Record Type:

| Field | Description | Notes |
| --- | --- | --- |
| Hostname or IP Address | Address of the directory resource | Required |
| Port | Port to connect on | Required. Typically 389 or 636 (LDAP/LDAPS). Active Directory only supports 636. |
| Use SSL | Use SSL when connecting | Required for Active Directory |
| Alternative IPs | List of failover IPs for the directory, used for Discovery | Newline separated |
| Directory ID | Instance ID for AD resource in Azure and AWS hosted environments | Required if Azure Active Directory or AWS Directory Service. AWS example: "d-9a423d0d3b" |
| Directory Type | Directory type, used for formatting of messaging | Required. Must be Active Directory or OpenLDAP |
| User Match | Match on OU to filter found users during Discovery | |
| Domain Name | Domain managed by the directory | Required. Example: some.company.com |
| Provider Group | Provider Group for directories hosted in Azure | Required for directories hosted in Azure |
| Provider Region | AWS region of hosted directory | Required for directories hosted in AWS. Example: us-east-2 |

PAM Settings and Administrative Credentials

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.

PAM Settings

| Field | Description | Required |
| --- | --- | --- |
| PAM Configuration | Associated PAM Configuration record which defines the environment | Required |
| Administrative Credential Record | Linked PAM User credential used for connection and administrative operations | Required |
| Protocol | Native protocol used for connecting the session from the Gateway to the target | Required |
| Session Recording | Options for recording sessions and typescripts | See session recording |
| Connection Parameters (multiple) | Connection-specific protocol settings which can vary based on the protocol type | Depends on protocol. We recommend specifying the Connection Port at a minimum. |

PAM Settings

Note: PAM User is only required to successfully configure connections and rotation, and not required for Tunnels.

Configuration Steps:

  1. On the PAM Directory record, navigate to the PAM Settings section

  2. Select the PAM Configuration and Administrative Credential Record

  3. To configure Keeper Connections and Keeper Tunnels settings, visit the following pages:

    1. Keeper Connections

    2. Keeper Tunnels

The following screenshot is a PAM Directory Record with LDAPS rotation, RDP connections and LDAPS tunnels enabled:

PAM Directory with Connection, Rotation and Tunnel Enabled

PAM Remote Browser

KeeperPAM resource for managing remote browser isolation access to a protected web application

Overview

A PAM Remote Browser is a type of KeeperPAM resource that represents a remote browser isolation target, such as a protected internal application or cloud-based web app.

| PAM Record Type | Supported Assets |
| --- | --- |
| PAM Remote Browser | Any http:// or https:// web application, on-prem or in the cloud |

What is Remote Browser Isolation

KeeperPAM remote browser isolation records provide secure access to internal and cloud-based web applications through a protected browser, embedded within the vault. This browser is projected visually from the Keeper Gateway through the Keeper Vault, isolating the session and providing zero-trust access.

Features Available

The PAM Remote Browser resource supports the following features:

  • Zero-trust Connections over http:// and https:// websites

  • Session recording

  • Sharing access without sharing credentials

  • Autofill of linked credentials and 2FA codes

  • URL AllowList patterns

  • Navigation bar

Connecting to the protected web application requires only that the Keeper Gateway has access to the target website. The Keeper Vault operates independently and does not require direct connectivity to the website, leveraging Keeper's zero-trust network access model to securely manage access through the Gateway. See the network architecture diagram for more details.
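The PAM Database, PAM Directory and PAM Remote Browser sections all state the same connectivity requirement: only the Keeper Gateway needs to reach the target, on the native port (for example 1433 for SQL Server, 636 for LDAPS, 443 for an HTTPS app). The preflight below is an added example, not Keeper's code or a Keeper tool: run on the Gateway host, it reports which targets are reachable at the TCP level before you save the records. The hostnames in SAMPLE_TARGETS are constructed placeholders, and the loopback listener exists only so the probe can be exercised offline.

```python
import socket
import threading

# Constructed sample targets (hostnames are placeholders, not values from the
# page): one entry per PAM resource the Gateway must be able to reach.
SAMPLE_TARGETS = [
    {"record": "PAM Database (SQL Server)", "host": "sql01.corp.example", "port": 1433},
    {"record": "PAM Directory (Active Directory, LDAPS)", "host": "dc01.corp.example", "port": 636},
    {"record": "PAM Remote Browser (HTTPS app)", "host": "intranet.corp.example", "port": 443},
]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within `timeout` seconds.

    Run this on the Gateway host: it proves only that the Gateway can open the
    port, not that the protocol, TLS or credentials will work.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, DNS failure or timeout
        return False


def preflight(targets, timeout: float = 3.0) -> list:
    """Probe every target; returns (record, host, port, reachable) tuples."""
    return [
        (t["record"], t["host"], t["port"], tcp_reachable(t["host"], t["port"], timeout))
        for t in targets
    ]


class LoopbackListener:
    """Minimal TCP listener on 127.0.0.1 so the probe can be exercised offline."""

    def __init__(self) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:  # listener closed
                return
            conn.close()

    def close(self) -> None:
        self.sock.close()


def unused_loopback_port() -> int:
    """Bind-and-release to find a loopback port that currently has no listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for record, host, port, ok in preflight(SAMPLE_TARGETS):
        print(f"{'OK  ' if ok else 'FAIL'} {record}: {host}:{port}")
```

A FAIL line means a firewall, security group or DNS problem between the Gateway and that target, which no vault-side setting will fix; an OK line still leaves TLS and authentication to be verified by the actual connection.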

Creating a Remote Browser Isolation Record

Prior to creating a PAM Remote Browser, make sure you have already created a PAM Configuration. The PAM Configuration contains information of your target infrastructure while the PAM Remote Browser contains information about the target web application and associated access rules.

To create a PAM Remote Browser:

  • Click on Create New

  • Select "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Browser" for the Target

  • Click "Next" and complete all of the required information.

Creating a Browser Isolation Record

PAM Remote Browser Record Type Fields

The following table lists all the configurable fields on the PAM Remote Browser Record Type:

| Field | Description | Notes |
| --- | --- | --- |
| URL | IP or Website address | Required. The target URL only needs to be accessible from the Keeper Gateway. |

PAM Settings and Administrative Credentials

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and link a PAM User credential for performing autofill.

PAM Settings on a Remote Browser Isolation resource
PAM Settings for Remote Browser Isolation
Autofill Credentials for Remote Browser Isolation

PAM Settings

| Field | Description | Required |
| --- | --- | --- |
| PAM Configuration | Associated PAM Configuration record which defines the environment | Required |
| Browser Autofill Credentials | Linked PAM User credential used for autofill | |
| Protocol | Native protocol used for connecting from the Gateway to the target | Required |
| Session Recording | Options for recording sessions and typescripts | See session recording |
| Browser Settings (multiple) | Browser-specific protocol settings | See RBI page |

PAM Remote Browser resource

Additional information on Remote Browser Isolation is available at this page.

PAM User

Record Type Details for PAM User Record Type

Overview

A PAM User is a type of KeeperPAM resource that represents an account credential. The PAM User is typically linked from other resources.

| PAM Record Type | Supported Assets |
| --- | --- |
| PAM User | Account credential, IAM user, password or SSH Private Key |

What is a PAM User

KeeperPAM User records define a specific account inside another PAM resource. PAM Machines, PAM Databases, PAM Directories and PAM Remote Browser records link to a PAM User.

Features Available

The PAM User resource supports the following features:

  • On-demand and scheduled password rotation

  • PAM Scripts for privilege automation

  • Sharing with time-limited access

Creating a PAM User

Prior to creating a PAM User, make sure you have already created a PAM Configuration and a PAM Resource such as a Machine, Database, Directory or Browser.

To create a PAM User:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "User" for the Target

  • Click "Next" and complete all of the required information.

Creating a PAM User

PAM User Record Type Fields

The following table lists all the configurable fields on the PAM User Record Type:

| Field | Description | Notes |
| --- | --- | --- |
| Login | Username; exact context and format depends on the associated resource. See Note (1) below. | Required. Examples: username, username@domain, DOMAIN\username |
| Password | Password of the user | Can be rotated |
| Private Key | PEM-encoded SSH Private Key associated with user. | Can be rotated |
| Distinguished Name | Distinguished name; used if associated with a PAM Directory | Required only when the User is managed by a directory. Example: CN=Jeff Smith,OU=Sales,DC=demo,DC=COM. If left blank, defaults are attempted depending on the provider type. |
| Managed User | Flag for accounts that are managed by the AWS or Azure IAM systems | Set by Keeper Discovery to indicate that the password cannot be rotated. For example, AWS token-based auth. |
| Connect Database | Used in certain scenarios if a database name is needed | Edge cases, e.g. using LDAP to connect to a MySQL database |

Note (1)

When connecting to Windows machines that are domain-joined:

  • For domain-joined systems, always use the UPN format (user@domain.local) as it is more modern, DNS-reliant, and avoids NetBIOS issues.

  • Reserve DOMAIN\user for older systems or mixed environments where UPN isn't supported.
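The Login field accepts three shapes (username, username@domain, DOMAIN\username), and Note (1) above says which to prefer on domain-joined Windows targets. The helper below is an added example, not part of Keeper or this page: it classifies a Login value, rewrites a down-level name to UPN form, and reports the findings Note (1) implies. The NetBIOS-to-DNS mapping passed to to_upn is an assumption of the example; Keeper does not perform that conversion for you.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Login formats named on the page: "username", "username@domain" (UPN) and
# "DOMAIN\username" (down-level logon name).
_UPN = re.compile(r"^(?P<user>[^@\\\s]+)@(?P<domain>[^@\\\s]+)$")
_DOWN_LEVEL = re.compile(r"^(?P<domain>[^@\\\s]+)\\(?P<user>[^@\\\s]+)$")
_BARE = re.compile(r"^[^@\\\s]+$")


@dataclass(frozen=True)
class Login:
    form: str              # "upn", "down-level" or "bare"
    user: str
    domain: Optional[str]  # DNS domain for UPN, NetBIOS name for down-level, None for bare


def parse_login(value: str) -> Login:
    """Classify a Login field value into one of the three documented shapes."""
    value = value.strip()
    if m := _UPN.match(value):
        return Login("upn", m["user"], m["domain"].lower())
    if m := _DOWN_LEVEL.match(value):
        return Login("down-level", m["user"], m["domain"].upper())
    if _BARE.match(value):
        return Login("bare", value, None)
    raise ValueError(f"unrecognised login format: {value!r}")


def to_upn(value: str, netbios_to_dns: dict) -> str:
    """Rewrite DOMAIN\\user as user@dns.domain using a NetBIOS-to-DNS map.

    The map is an assumption of this example (e.g. {"CORP": "corp.example.com"}).
    """
    login = parse_login(value)
    if login.form == "upn":
        return value.strip()
    if login.form == "down-level":
        if login.domain not in netbios_to_dns:
            raise ValueError(f"no DNS domain known for NetBIOS name {login.domain}")
        return f"{login.user}@{netbios_to_dns[login.domain]}"
    raise ValueError("a bare username has no domain to build a UPN from")


def review_login(value: str, domain_joined: bool) -> list:
    """Apply Note (1): findings for a PAM User login on a Windows target."""
    login = parse_login(value)
    findings = []
    if domain_joined:
        if login.form == "down-level":
            findings.append("prefer UPN (user@domain) on domain-joined systems; "
                            "DOMAIN\\user is for older or mixed environments")
        elif login.form == "bare":
            findings.append("bare username on a domain-joined system is ambiguous "
                            "(local vs. domain account); qualify it with the domain")
    elif login.form != "bare":
        findings.append("target is not domain-joined; a local account needs no domain qualifier")
    return findings
```

Running review_login over the Login values of your PAM User records before enabling rotation catches the common failure where a DOMAIN\user login is used against a host that resolves identities by UPN only.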

SSH Key Passphrase

When the PAM User record is storing an SSH key, the PEM-encoded private key is added to the "Private Key" field. If the SSH key file is encrypted, you can create a custom field with the title of "Passphrase" which stores the SSH key passphrase.

| Field | Description | Notes |
| --- | --- | --- |
| Passphrase | Used to decrypt the SSH Private Key for use in connections. | Required if the SSH key is encrypted |
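Whether the "Passphrase" custom field is needed depends on whether the PEM in the "Private Key" field is encrypted, and that is visible in the PEM itself. The parser below is an added example, not Keeper's code: it reads the OpenSSH key header (the cipher and KDF names that follow the "openssh-key-v1" magic), the PKCS#8 BEGIN label, and the legacy "Proc-Type: 4,ENCRYPTED" header, and says whether a passphrase will be required. The sample PEMs are constructed with dummy key material so the check runs offline; they are not usable keys.

```python
import base64
import re
import struct

_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[^-]+)-----\n(?P<body>.*?)-----END (?P=label)-----", re.S
)


def _read_ssh_string(buf: bytes, offset: int):
    """Decode one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    return buf[start:start + length], start + length


def describe_private_key(pem: str) -> dict:
    """Return {"format", "encrypted", "cipher"} for a PEM-encoded private key."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM private key block found")
    label, body = m["label"], m["body"]
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body.split()))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad OpenSSH key magic")
        cipher, off = _read_ssh_string(blob, len(magic))   # "none" when unencrypted
        kdf, _ = _read_ssh_string(blob, off)               # "bcrypt" when encrypted
        encrypted = cipher != b"none"
        return {"format": "openssh", "encrypted": encrypted,
                "cipher": f"{cipher.decode()}/{kdf.decode()}" if encrypted else None}
    if label == "ENCRYPTED PRIVATE KEY":
        return {"format": "pkcs8", "encrypted": True, "cipher": "PBES (inside the DER)"}
    if label == "PRIVATE KEY":
        return {"format": "pkcs8", "encrypted": False, "cipher": None}
    if label.endswith(" PRIVATE KEY"):  # legacy RSA / EC / DSA PEM with optional headers
        headers = {k.strip(): v.strip() for k, v in
                   (h.split(":", 1) for h in body.splitlines() if ":" in h)}
        encrypted = headers.get("Proc-Type", "").upper().endswith("ENCRYPTED")
        dek = headers.get("DEK-Info")
        return {"format": "legacy-pem", "encrypted": encrypted,
                "cipher": dek.split(",")[0] if (encrypted and dek) else None}
    raise ValueError(f"unsupported PEM label {label!r}")


def needs_passphrase_field(pem: str) -> bool:
    """True when the PAM User record also needs the "Passphrase" custom field."""
    return describe_private_key(pem)["encrypted"]


# ---- constructed samples (dummy payloads, not real keys) ----
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def build_openssh_pem(cipher: bytes, kdf: bytes) -> str:
    """Structurally valid OpenSSH PEM header followed by dummy key sections."""
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1)
            + _ssh_string(b"dummy-public-key") + _ssh_string(b"dummy-private-section"))
    b64 = base64.b64encode(blob).decode()
    lines = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{lines}\n-----END OPENSSH PRIVATE KEY-----\n"


ENCRYPTED_OPENSSH = build_openssh_pem(b"aes256-ctr", b"bcrypt")
PLAINTEXT_OPENSSH = build_openssh_pem(b"none", b"none")
ENCRYPTED_LEGACY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    + "Proc-Type: 4,ENCRYPTED\n"
    + "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    + "\n"
    + base64.b64encode(b"dummy-ciphertext").decode() + "\n"
    + "-----END RSA PRIVATE KEY-----\n"
)
```

If needs_passphrase_field returns True and the record has no "Passphrase" custom field, connections that use the key will fail at authentication time; if it returns False, a Passphrase field is harmless but unnecessary.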

Configure rotation settings

On the "Rotation Settings" section of the PAM User vault record, you can configure how credential rotation is managed.

PAM User record editing

Password Rotation Settings

| Field | Description | Required |
| --- | --- | --- |
| Rotation Type | Specifies which type of rotation is being performed (and which protocol is utilized). | Required. "General", "IAM User" or "Run PAM Scripts Only". See below for details. |
| PAM Resource | For General rotation type, specifies the PAM Resource record which can provide the necessary privilege. For IAM User rotation type, specifies the PAM Configuration utilizing cloud APIs. | Required only for "General" and "IAM User" rotation types |
| Rotation Schedule | Rotation can be performed on-demand or on a specific schedule. | For advanced scheduling, see the cron spec. |
| Password Complexity | Applies to password-based rotations, not PEM keys. | Select "Show More" to control special characters and symbols. |
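The Password Complexity setting expresses a policy as a length plus per-class minimums, with "Show More" narrowing the symbol set. The code below is an added example, not Keeper's rotation engine: it generates a password from the OS CSPRNG that satisfies such a policy and checks an existing password against the same policy, which is how you would verify that a target system's own password rules and the Keeper policy agree. The default symbol set and policy values are assumptions of the example, not Keeper's defaults.

```python
import secrets
import string

# Character classes as the Password Complexity settings expose them. The
# symbol set below is an assumption for this example, not Keeper's default.
DEFAULT_SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"
BASE_CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
}


def check_complexity(password, length=20, upper=1, lower=1, digit=1, symbol=1,
                     symbols=DEFAULT_SYMBOLS):
    """Return the policy rules the password violates (empty list means compliant)."""
    minimums = {"upper": upper, "lower": lower, "digit": digit, "symbol": symbol}
    classes = dict(BASE_CLASSES, symbol=symbols)
    allowed = "".join(classes.values())
    failures = []
    if len(password) < length:
        failures.append(f"length {len(password)} < {length}")
    for name, chars in classes.items():
        count = sum(c in chars for c in password)
        if count < minimums[name]:
            failures.append(f"{name}: {count} < {minimums[name]}")
    stray = sorted({c for c in password if c not in allowed})
    if stray:
        failures.append(f"characters outside the allowed set: {''.join(stray)!r}")
    return failures


def generate_password(length=20, upper=1, lower=1, digit=1, symbol=1,
                      symbols=DEFAULT_SYMBOLS):
    """Generate a password meeting the same rules, using the OS CSPRNG throughout."""
    minimums = {"upper": upper, "lower": lower, "digit": digit, "symbol": symbol}
    classes = dict(BASE_CLASSES, symbol=symbols)
    if sum(minimums.values()) > length:
        raise ValueError("class minimums exceed the password length")
    # Satisfy each class minimum first, then fill from the union of all classes.
    chars = [secrets.choice(classes[name]) for name, n in minimums.items() for _ in range(n)]
    pool = "".join(classes.values())
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle, not random.shuffle
    return "".join(chars)
```

Feeding the target's own rules into check_complexity (for example a database that rejects certain symbols) shows before the first rotation whether a password Keeper generates under the vault policy would be accepted.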

Rotation Type

Keeper supports 3 different types of rotation:

  • General: Uses native protocols for performing the rotation, such as LDAP, Databases, SSH keys, etc.

  • IAM User: Uses the cloud-specific APIs for performing rotation, such as AWS IAM users and Azure managed resources. In this case, only the PAM Configuration is required since it contains the necessary

  • Run PAM scripts only: Skips the standard rotation and only executes the attached PAM Scripts.

Password Rotation Settings

The rotation schedule can be set on a specific interval, or using a cron spec.

Custom Schedule
Calendar Settings
Cron Spec
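A rotation schedule written as a cron spec is easy to get subtly wrong (day-of-month versus day-of-week, Sunday as 0 or 7). The helper below is an added example, not part of Keeper: it parses a conventional 5-field cron expression (minute, hour, day-of-month, month, day-of-week, with Vixie cron's rule that a restricted day-of-month and day-of-week match when either does) and computes the next rotation time after a given moment, so you can confirm a schedule fires when you expect before saving it. It assumes the "Cron Spec" tab accepts that 5-field form; it does not talk to Keeper.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Allowed ranges per field: minute, hour, day-of-month, month, day-of-week.
_FIELD_RANGES = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 7))


def _parse_field(field: str, lo: int, hi: int) -> set:
    """Expand one cron field ('*', 'a-b', 'a,b', '*/n', 'a-b/n') into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_str = part.split("/", 1)
            step = int(step_str)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = int(part)
            end = hi if step > 1 else start   # "5/10" means 5, 15, 25, ... in Vixie cron
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError(f"bad cron field {field!r}")
        values.update(range(start, end + 1, step))
    return values


@dataclass(frozen=True)
class CronSpec:
    minute: frozenset
    hour: frozenset
    dom: frozenset
    month: frozenset
    dow: frozenset
    dom_restricted: bool
    dow_restricted: bool


def parse_cron(expr: str) -> CronSpec:
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 cron fields: minute hour day-of-month month day-of-week")
    m, h, dom, mon, dow = (_parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, _FIELD_RANGES))
    return CronSpec(frozenset(m), frozenset(h), frozenset(dom), frozenset(mon),
                    frozenset(d % 7 for d in dow),   # 7 is an alias for Sunday (0)
                    fields[2] != "*", fields[4] != "*")


def _day_matches(spec: CronSpec, t: datetime) -> bool:
    dom_ok = t.day in spec.dom
    dow_ok = (t.weekday() + 1) % 7 in spec.dow    # Python Monday=0 -> cron Sunday=0
    if spec.dom_restricted and spec.dow_restricted:
        return dom_ok or dow_ok                   # Vixie cron: either field may match
    return dom_ok and dow_ok


def next_rotation(expr: str, after: datetime) -> datetime:
    """First minute strictly after `after` (naive datetime) at which `expr` fires."""
    spec = parse_cron(expr)
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    deadline = t + timedelta(days=366 * 5)
    while t < deadline:
        if t.month not in spec.month:             # skip to the first minute of next month
            t = t.replace(year=t.year + t.month // 12, month=t.month % 12 + 1,
                          day=1, hour=0, minute=0)
        elif not _day_matches(spec, t):           # skip to the start of the next day
            t = (t + timedelta(days=1)).replace(hour=0, minute=0)
        elif t.hour not in spec.hour:             # skip to the start of the next hour
            t = (t + timedelta(hours=1)).replace(minute=0)
        elif t.minute not in spec.minute:
            t += timedelta(minutes=1)
        else:
            return t
    raise ValueError("schedule never fires within five years")


def next_rotation_iso(expr: str, after_iso: str) -> str:
    """Convenience wrapper: ISO 8601 timestamp in, ISO 8601 timestamp out."""
    return next_rotation(expr, datetime.fromisoformat(after_iso)).isoformat(timespec="minutes")
```

Times are naive and interpreted in whatever zone the Gateway evaluates schedules in; check that assumption against the Gateway host's clock before relying on a specific hour.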

PAM Resource

To complete the Rotation setup, you need to select a resource, which depends on the rotation type.

For a "General" rotation, the Keeper Gateway uses a native protocol for performing the necessary rotation, and the rotation will be executed on the associated PAM Resource supplied. If necessary, the rotation will use the associated administrative credential on the PAM Resource.

In the example below, a Windows service account password is going to be rotated on the associated Windows Server.

Rotation Resource

For an "IAM User" rotation type, the Keeper Gateway will use the referenced PAM Configuration to determine which APIs and methods are used to perform the rotation. In the example below, an IAM user in AWS will use the "AWS (US-WEST-1)" configuration.

When using the IAM User rotation method, it is assumed that the Keeper Gateway either inherits its privilege from the instance role policy, or through explicit access keys that are provided on the PAM Configuration record.

IAM User rotation type

In Summary:

  • The PAM User record holds the credential that is being rotated.

  • The Rotation Settings of the PAM User record references a specific PAM Machine, PAM Database or PAM Directory resource. This is the target resource where the rotation is performed.

  • The Keeper Gateway uses the Admin Credential associated to the PAM Machine, PAM Database or PAM Directory resource to perform the rotation with native protocols.

  • For AWS and Azure managed resources, Keeper uses Instance Role permission of the Gateway, or specific PAM Configuration secrets to perform the rotation with APIs.

Examples

Below are some examples of PAM User records.

  • Windows Domain Admin

Windows Domain Admin User

  • Windows Domain User with post-rotation scripts

Windows Domain User with post-rotation scripts

  • AWS IAM User

AWS IAM User

  • Database user

Database user

  • Azure AD User

Azure AD User