
References

Port Mapping

Defining alternative ports in PAM Configurations

Overview

Rotation relies on the port field in resource records to determine its connection method.

For example, in a PAM Machine record, port 22 tells the gateway to use SSH, port 5985 for WinRM (http) and port 5986 for WinRM (https).

The expected standard ports are listed in the following table.

Rotation Standard Ports

Resource Type    Connection Type    Standard Port
PAM Machine      SSH                22=ssh
PAM Machine      WinRM              5986=winrm
PAM Directory    Active Directory   636=ldaps
PAM Directory    OpenLDAP           636=ldaps
PAM Database     Postgresql         5432=postgresql
PAM Database     MySQL              3306=mysql
PAM Database     MariaDB            3306=mariadb
PAM Database     Microsoft SQL      1433=mssql
PAM Database     Oracle             1521=oracle
PAM Database     MongoDB            27017=mongodb

Using Port Mappings

To use a non-standard port, specify the alternative port in two places:

  • In the PAM Configuration port mapping field, enter {port}={connection}, for example, 32636=ldaps. For {connection}, use the label shown under Standard Port in the standard ports table (ssh, winrm, ldaps, postgresql, mysql, mariadb, mssql, oracle or mongodb).

  • In the PAM Machine/Directory/Database record, enter the chosen port in the port field.

For example, to connect to a MySQL database using port 3307, your PAM Configuration should have 3307=mysql under port mapping, and your PAM Database record should reference port 3307.

Multiple port mappings are newline-separated in the PAM Configuration.

Setting up SSH

Example guide for setting up SSH on target machines

Overview

Customers are responsible for the configuration of their servers and environments.

Secure Shell (SSH) allows confidential and authenticated remote access to a computer. SSH traffic is fully encrypted and, by default, runs on port 22. For reference and testing, see below for instructions and guidance on enabling SSH for your target operating system.

Linux

Linux requires the SSH daemon to be running in order to accept SSH connections. Most Linux distributions will have the OpenSSH server installed, but may not have the service enabled. The service needs to be enabled, started, and added to the list of services to be started upon reboot.

To verify that SSH is running on your Linux system, invoke the following command:

ps aux | grep sshd

If SSH is not running, you may need to install OpenSSH and/or enable the SSH service. The following commands demonstrate this on Ubuntu:

apt-get install openssh-server
systemctl enable ssh
systemctl start ssh

Note:

  • You may need sudo permissions to install and enable SSH.

  • The installation command may differ depending on your Linux distribution.

Windows

SSH is normally not installed on Windows. However, SSH can easily be installed via Windows capability packages which are maintained by Microsoft.

The following PowerShell script will:

  • Install SSH

  • Start the SSH service and make sure it starts with each reboot

  • Ensure the firewall allows SSH connections

# Install OpenSSH Server. The capability name carries a version suffix
# (e.g. OpenSSH.Server~~~~0.0.1.0), so look it up by prefix instead of hard-coding it.
$capability = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
Add-WindowsCapability -Online -Name $capability.Name

# Start service and make sure it automatically starts after reboot.
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'

# Make sure the firewall will allow SSH connections
if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
    Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
} else {
    Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' already exists."
}

To connect through SSH, simply create a new PAM Machine record and set the connection protocol to SSH.

Once connected, PowerShell commands can be executed by typing powershell.exe:

domain\admin@MACHINE C:\Users\Administrator\Desktop>powershell.exe

Windows\system32\conhost.exe - powershell.exe
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator\Desktop> 

Windows Shell

Windows SSH can either default to PowerShell or CMD. Keeper Rotation uses PowerShell commands. If the default shell is CMD, Keeper Rotation will invoke rotation commands via PowerShell Invoke-Command -ScriptBlock { COMMANDS }. To change the default shell to PowerShell, invoke the following PowerShell command:

# Enable PowerShell in SSH
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell `
  -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" `
  -PropertyType String -Force

MacOS

SSH is installed on macOS by default but is usually not enabled for the user.

To enable it via the UI, enable Remote Login on the General->Sharing panel.

To enable it via the command line, invoke the following command:

$ sudo systemsetup -setremotelogin on

Note:

  • You will require Full Disk Access privileges for this command line method.

Setting up WinRM

Example guide for setting up WinRM on target machines

Overview

Customers are responsible for the configuration of their servers and environments. For reference and testing, the below PowerShell script can be run on a target machine to enable WinRM with a self-signed certificate. We recommend creating a certificate with a public CA in your production environment.

# Enable WinRM
Set-NetConnectionProfile -NetworkCategory Private
winrm quickconfig -force
Enable-PSRemoting -force

# Allow non-SSL traffic (port 5985)
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}'

# Create a cert for SSL (port 5986). The HTTPS listener looks the certificate up in the
# local machine store, so create it there (the cmdlet defaults to Cert:\CurrentUser\My).
$Hostname = [System.Net.Dns]::GetHostByName($env:computerName).HostName
$Thumbprint = (New-SelfSignedCertificate -Subject "CN=$Hostname" -CertStoreLocation Cert:\LocalMachine\My -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1').Thumbprint
$A = '@{Hostname="'+$Hostname+'"; CertificateThumbprint="'+$Thumbprint+'"}'
winrm create winrm/config/Listener?Address=*+Transport=HTTPS $A

# Firewall Rules
New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
  -Protocol TCP -LocalPort "5985" -Profile Domain,Private
New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
  -Protocol TCP -LocalPort "5985" -Profile Public
New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
  -Protocol TCP -LocalPort "5986" -Profile Domain,Private
New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
  -Protocol TCP -LocalPort "5986" -Profile Public

Below is a breakdown of what this script performs to configure WinRM on a Windows machine:

  1. Set the network connection profile to Private:

    Set-NetConnectionProfile -NetworkCategory Private
  2. Configure and enable WinRM:

    winrm quickconfig -force
    Enable-PSRemoting -force
  3. Allow non-SSL (unencrypted) traffic on port 5985:

    winrm set winrm/config/service '@{AllowUnencrypted="true"}'
    winrm set winrm/config/service/auth '@{Basic="true"}'
    winrm set winrm/config/client/auth '@{Basic="true"}'
  4. Create a self-signed SSL certificate for encrypted traffic on port 5986:

    $Hostname = [System.Net.Dns]::GetHostByName($env:computerName).HostName
    $Thumbprint = (New-SelfSignedCertificate -Subject "CN=$Hostname" -CertStoreLocation Cert:\LocalMachine\My -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1').Thumbprint
    $A = '@{Hostname="'+$Hostname+'"; CertificateThumbprint="'+$Thumbprint+'"}'
    winrm create winrm/config/Listener?Address=*+Transport=HTTPS $A
  5. Create Windows Firewall rules to allow inbound traffic on ports 5985 (non-SSL) and 5986 (SSL):

    New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
      -Protocol TCP -LocalPort "5985" -Profile Domain,Private
    New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
      -Protocol TCP -LocalPort "5985" -Profile Public
    New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
      -Protocol TCP -LocalPort "5986" -Profile Domain,Private
    New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
      -Protocol TCP -LocalPort "5986" -Profile Public

After running this script, WinRM will be configured to allow both unencrypted (port 5985) and encrypted (port 5986) remote connections. Additionally, Windows Firewall rules will be created to allow inbound traffic on these ports. Note that the port 5985 listener accepts Basic authentication without transport encryption, so outside of test environments point the PAM Machine record at port 5986 (the standard WinRM port in the Rotation Standard Ports table) and restrict the 5985 rules.

From a Windows server, you can test the connectivity to the target machine through PowerShell:

Test-NetConnection -ComputerName <host> -Port <port>

Gateway Network Configuration

Network Configuration

The Keeper Gateway establishes outbound-only connections and does not require any inbound firewall rules. The following outbound connections must be allowed:

Destination: Keeper Cloud (keepersecurity.[com|eu|com.au|jp|ca|us])
  Port Needed: TLS port 443
  More Info: Communicates with Keeper Cloud to access target infrastructure via native protocols (e.g., SSH, RDP)

Destination: Keeper KRelay Server (krelay.keepersecurity.[com|eu|com.au|jp|ca|us])
  Port Needed: TCP and UDP port 3478; outbound access to TCP and UDP ports 49152 through 65535
  More Info: Facilitates secure and encrypted relay connections between the end-user's vault and target systems via the Gateway

The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. Keeper Secrets Manager APIs are used to communicate with the Keeper cloud.

Setting up SQL Server

Allowing the Keeper Gateway to access Microsoft SQL Server on port 1433

Below are the PowerShell commands to open port 1433 on the SQL Server instance.

# Define the SQL Server port (default is 1433 for TCP)
$SQLPort = 1433

# Create a firewall rule for inbound SQL Server traffic (TCP)
New-NetFirewallRule -DisplayName "Allow SQL Server TCP" `
    -Direction Inbound -Protocol TCP -LocalPort $SQLPort `
    -Action Allow

# Allow SQL Server traffic on UDP port 1434 for SQL Browser service (optional)
New-NetFirewallRule -DisplayName "Allow SQL Server UDP" `
    -Direction Inbound -Protocol UDP -LocalPort 1434 `
    -Action Allow

# Verify the rules were created
Get-NetFirewallRule -DisplayName "Allow SQL Server*"

Database Import and Export

Data can be imported to a DB connection from a file on your machine, or exported and downloaded to your machine.

Overview

In this guide, you will learn how to import and export a file for the following supported Database protocols:

  • MySQL

  • SQL Server

  • PostgreSQL

SQL Import and Export

SQL Import

Import data from a file on your machine into the MySQL connection.

To import data from a CSV file, use the LOAD DATA MySQL command:

LOAD DATA LOCAL INFILE "input.csv" INTO TABLE <table> FIELDS
  TERMINATED BY ',' ENCLOSED BY '"' LINES TERMINATED BY '\r\n'

In the example above, "<table>" should be replaced with the SQL table to import data into. The other parts of the command are required for CSV-formatted files. If your uploaded file uses different termination characters, update the query accordingly.

After running the query, Keeper Connection Manager will prompt you to supply the data file. To upload the file, simply drag and drop it from your machine onto the browser window.

The file uploaded does not have to have the same name given in the query.

SQL Export

Data from the connected MySQL database can be exported to a file on your machine. To do this, use the following query:

 SELECT <query> INTO LOCAL OUTFILE "<name>.csv"

The result of the given <query> will be put into a CSV file with the given name and downloaded from the browser to your machine.

SQL Server Import and Export

SQL Server Import

Import data from a file on your machine into the SQL Server connection.

To import data from a CSV file, use the BULK INSERT command:

BULK INSERT <table> FROM LOCAL FILE

In the example above, "<table>" should be replaced with the SQL table to import data into. The other parts of the command are required for CSV-formatted files. If your uploaded file uses different termination characters, update the query accordingly.

After running the query, Keeper Connection Manager will prompt you to supply the data file. To upload the file, simply drag and drop it from your machine onto the browser window.

The file uploaded does not have to have the same name given in the query.

SQL Server Export

Data from the connected SQL Server database can be exported to a file on your machine. To do this, use the following query:

 SELECT <query> INTO LOCAL OUTFILE "<name>.csv"

The result of the given <query> will be put into a CSV file with the given name and downloaded from the browser to your machine.

PostgreSQL Import and Export

PostgreSQL Import

Import data from a file on your machine into the PostgreSQL connection.

To import data from a CSV file, use the COPY command:

 \COPY <table> FROM "input.csv" With CSV

In the example above, "<table>" should be replaced with the SQL table to import data into. The other parts of the command are required for CSV-formatted files. If your uploaded file uses different termination characters, update the query accordingly.

After running the query, Keeper Connection Manager will prompt you to supply the data file. To upload the file, simply drag and drop it from your machine onto the browser window.

The file uploaded does not have to have the same name given in the query.

PostgreSQL Export

Data from the connected PostgreSQL database can be exported to a file on your machine. To do this, use the following query:

 \COPY (<query>) TO "<name>.csv" With CSV HEADER

The result of the given <query> will be put into a CSV file with the given name and downloaded from the browser to your machine.

Installing sqlcmd on Linux

Installing sqlcmd for accessing SQL Server from a Linux machine

Amazon Linux

Import the Microsoft GPG keys

sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc

Add the Microsoft SQL Server Tools repository

sudo curl -o /etc/yum.repos.d/mssql-tools.repo https://packages.microsoft.com/config/rhel/7/prod.repo

Install Command

sudo yum update -y

sudo ACCEPT_EULA=Y yum install -y mssql-tools unixODBC-devel

echo 'export PATH="$PATH:/opt/mssql-tools/bin"' >> ~/.bash_profile
source ~/.bash_profile

Installing Docker on Linux

Quick setup instructions for Docker on Linux environments

This page provides quick install instructions for setting up Docker on different flavors of Linux.

  • Amazon Linux

  • Ubuntu

Amazon Linux

Ensure all packages are up to date

sudo yum update -y

Install Docker

sudo yum install -y docker

Start the service

sudo service docker start

Add the ec2-user to the docker group so that you can run Docker commands without using sudo.

sudo usermod -a -G docker ec2-user
newgrp docker

Start automatically at boot

sudo chkconfig docker on

Install Docker Compose

sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
docker-compose --version

Ubuntu

Update the instance

apt update -y
apt upgrade -y

Install Docker

sudo apt install docker.io

Install Docker Compose

sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

Ensure docker-compose is executable

sudo chmod +x /usr/local/bin/docker-compose

Activate Docker

sudo systemctl enable docker
sudo systemctl start docker

Add the current user to the docker group so that you can run Docker commands without using sudo.

sudo usermod -aG docker $USER
newgrp docker

Creating KSM App for Rotation

Steps to create a Keeper Secrets Manager application for rotation of passwords

Overview

Prior to working with Rotation, you need to create a KSM application. For more information on KSM, visit:

About KSM

Setup KSM

  1. In the Keeper Web Vault or Desktop App user interface, create a shared folder. This shared folder will contain the PAM records you will create as you are working through the use-case guides.

  2. Navigate to the "Secret Managers" tab on the left and click on "Create Application" to create a KSM application

  3. In the prompted window:

    • Enter the name of your KSM application

    • Choose the shared folder you have created in Step 1

    • Set the Record Permissions for Application to "Can Edit"

  4. Click on "Generate Access Token" and then click on "OK"

You can safely ignore the first One-Time Access Token generated for the newly created KSM application. When creating a Keeper Gateway device, a different One-Time Access Token will be created.

Create a KSM Application

Active Directory Least Privilege

Granting a service account the minimum permissions to rotate

Overview

When creating a PAM Directory Resource, it is recommended that you use a service account with the least required privileges to perform rotation.

The following steps show you how to enable a service account to rotate credentials using Active Directory's Delegation of Control feature.

Before starting, create a service account for password rotation whose credentials you will store in the Keeper resource record.

Procedure

  1. Launch Active Directory Users and Computers.

  2. In the directory tree, select a node for which password rotation should be allowed.

  3. Right-click on the node, then click Delegate Control.

  4. In the Delegation of Control Wizard, click 'Add'.

  5. Locate your chosen service account, then click 'OK'.

Selecting a service account to perform rotation

  6. Click 'Next' to advance to permission selection.

  7. In 'Delegate the following common tasks', check the option for 'Reset user passwords and force password change at next logon', then click 'Next'.

Delegating permission to reset user passwords

  8. Add the service account's login and password to the Resource Record for the AD instance.

Event Reporting

Keeper rotation event reporting in the Advanced Reporting & Alerts module

Overview

Events related to Secrets Management and Privileged Access Management are included in the Advanced Reporting & Alerts module within the Keeper Admin Console.

Secrets Manager events in the Keeper Admin Console

Privileged Access Manager events in the Admin Console

SIEM Events

SIEM Event List

Secrets Manager Events

Keeper Connection Manager (KCM) Cloud Events


Alerts

To receive immediate feedback on any rotation related events, Keeper's "Alerts" capability can push these events to email, SMS, webhooks, Slack, Teams, etc.

Keeper Alerts

To learn more about the Keeper Advanced Reporting & Alerts module, see the Reporting, Alerts & SIEM section of the Enterprise Guide.

Importing PAM Records

Bulk import of Keeper PAM records and configuration

Keeper supports importing of PAM records through the Keeper Commander CLI.

Record Types Supported:

  • pamDatabase

  • pamDirectory

  • pamMachine

  • pamUser

Below is an example template in JSON format which imports 2 PAM Machine records and 2 PAM User records and adds them to a shared folder called "My Shared Folder".

{
  "shared_folders": [],
  "records": [
    {
      "title": "Test Machine 1",
      "$type": "pamMachine",
      "custom_fields": {
        "$pamHostname": {
          "hostName": "207.148.1.154",
          "port": "22"
        },
        "$checkbox:sslVerification": true
      },
      "login": "some-username",
      "password": "some-password",
      "folders": [
        {
          "shared_folder": "My Shared Folder",
          "can_edit": true,
          "can_share": true
        }
      ]
    },
    {
      "title": "Test Machine 2",
      "$type": "pamMachine",
      "custom_fields": {
        "$pamHostname": {
          "hostName": "207.148.1.155",
          "port": "22"
        },
        "$checkbox:sslVerification": true
      },
      "login": "some-username",
      "password": "some-password",
      "folders": [
        {
          "shared_folder": "My Shared Folder",
          "can_edit": true,
          "can_share": true
        }
      ]
    },
    {
      "title": "Test User 1",
      "login": "some-user",
      "password": "some-password",
      "$type": "pamUser",
      "folders": [
        {
          "shared_folder": "My Shared Folder",
          "can_edit": true,
          "can_share": true
        }
      ]
    },
    {
      "title": "Test User 2",
      "login": "some-other-user",
      "password": "some-other-password",
      "$type": "pamUser",
      "folders": [
        {
          "shared_folder": "My Shared Folder",
          "can_edit": true,
          "can_share": true
        }
      ]
    }
  ]
}

To import this file, run the command:

import "c:\path\to\myfile.json" --format json

To see all import options:

 import -h

See the Keeper Commander options for additional PAM automation capabilities.
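A pre-flight check that ties the Port Mapping rules to the import template above, written here as an added example (it is not Keeper's or Commander's code): it parses the newline-separated {port}={connection} field, applies the Rotation Standard Ports table, and flags import records whose port the gateway could not resolve. It assumes pamDatabase and pamDirectory records carry the same $pamHostname field as the pamMachine template on this page; the mapping text and import file are constructed sample data.

```python
"""Pre-flight check for Keeper PAM port mappings (added example, not Keeper's own code).

Encodes the Rotation Standard Ports table and the {port}={connection} format of
the PAM Configuration port mapping field, then verifies that every resource
record in a Commander import JSON has a port the gateway can resolve.
Assumption: pamDatabase/pamDirectory records carry the same $pamHostname custom
field as the pamMachine template shown on this page.
"""
import json

# Standard port -> connection label(s) per resource type (from the page's table;
# 5985 is the WinRM http port mentioned in the Port Mapping overview).
STANDARD_PORTS = {
    "pamMachine": {22: ("ssh",), 5985: ("winrm",), 5986: ("winrm",)},
    "pamDirectory": {636: ("ldaps",)},
    "pamDatabase": {5432: ("postgresql",), 3306: ("mysql", "mariadb"),
                    1433: ("mssql",), 1521: ("oracle",), 27017: ("mongodb",)},
}
# Connection labels that are meaningful for each resource type.
LABELS_BY_TYPE = {t: {lbl for labels in ports.values() for lbl in labels}
                  for t, ports in STANDARD_PORTS.items()}
KNOWN_LABELS = set().union(*LABELS_BY_TYPE.values())


def parse_port_mappings(text):
    """Parse the newline-separated port mapping field.

    Returns (mappings, errors): mappings is {port: label}; errors lists the
    lines that would not be usable, with the reason.
    """
    mappings, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        port_s, sep, label = line.partition("=")
        port_s, label = port_s.strip(), label.strip().lower()
        if not sep or not port_s.isdigit() or not label:
            errors.append(f"line {lineno}: expected {{port}}={{connection}}, got {line!r}")
            continue
        port = int(port_s)
        if not 1 <= port <= 65535:
            errors.append(f"line {lineno}: port {port} is out of range")
        elif label not in KNOWN_LABELS:
            errors.append(f"line {lineno}: unknown connection label {label!r}")
        elif port in mappings and mappings[port] != label:
            errors.append(f"line {lineno}: port {port} already mapped to {mappings[port]!r}")
        else:
            mappings[port] = label
    return mappings, errors


def resolve_connection(record_type, port, mappings):
    """Return the connection label used for this record's port, or None.

    A mapped port wins over the standard table, but only if its label is valid
    for the record type (3307=mysql does not make a pamMachine a database).
    """
    label = mappings.get(port)
    if label is not None:
        return label if label in LABELS_BY_TYPE.get(record_type, ()) else None
    labels = STANDARD_PORTS.get(record_type, {}).get(port)
    return labels[0] if labels else None


def check_import_records(import_json, mappings):
    """List records in a Commander import file whose port cannot be resolved."""
    problems = []
    for rec in json.loads(import_json).get("records", []):
        rtype = rec.get("$type")
        if rtype not in STANDARD_PORTS:  # pamUser records have no port
            continue
        host = rec.get("custom_fields", {}).get("$pamHostname", {})
        port_s = str(host.get("port", "")).strip()
        if not port_s.isdigit():
            problems.append(f"{rec.get('title')}: missing or non-numeric port")
        elif resolve_connection(rtype, int(port_s), mappings) is None:
            problems.append(f"{rec.get('title')}: port {port_s} is neither standard nor mapped")
    return problems


# Constructed sample input: a PAM Configuration mapping field and an import file.
SAMPLE_MAPPINGS = "3307=mysql\n32636=ldaps\n"
SAMPLE_IMPORT = json.dumps({"records": [
    {"title": "Test Machine 1", "$type": "pamMachine",
     "custom_fields": {"$pamHostname": {"hostName": "10.0.0.5", "port": "22"}}},
    {"title": "Test DB 1", "$type": "pamDatabase",
     "custom_fields": {"$pamHostname": {"hostName": "10.0.0.6", "port": "3307"}}},
    {"title": "Test DB 2", "$type": "pamDatabase",
     "custom_fields": {"$pamHostname": {"hostName": "10.0.0.7", "port": "3308"}}},
    {"title": "Test User 1", "$type": "pamUser", "login": "some-user"},
]})

if __name__ == "__main__":
    mappings, errors = parse_port_mappings(SAMPLE_MAPPINGS)
    print("mapping errors:", errors)
    for problem in check_import_records(SAMPLE_IMPORT, mappings):
        print("problem:", problem)  # Test DB 2 on 3308 needs a 3308=mysql mapping
```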

Managing Rotation via CLI

Managing rotation settings on individual and bulk records using Keeper Commander

Keeper Commander can perform individual or bulk updates on PAM resource records, such as adding rotation to a whole set of records in a folder.

Prerequisites:

  • All of your rotation records are imported to the appropriate folders

  • You have at least one Keeper Gateway installed and running

  • You have at least one active PAM Configuration

Example 1: Adding PAM Resources to a PAM Configuration

To attach a PAM Machine resource record to an existing PAM Configuration, and to assign a default rotation schedule, use the sample Commander CLI commands below:

sync-down
pam config edit -c "<PAM_Config_UID>" --resource-record "<Machine1_UID>" --schedule Daily
pam config edit -c "<PAM_Config_UID>" --resource-record "<Machine2_UID>" --schedule Daily

Note 1: The PAM Configuration UID can be found by typing: pam config list

Note 2: Machine UIDs can be found by navigating to the folder and using ls -l

My Vault> cd "My Folder"
My Vault> ls -l

Example 2: Assign Rotation Settings to PAM Machine records

The commands below will assign a scheduled rotation to the specific PAM Machine records, and it also sets the resource record to

sync-down
pam rotation set --record="<Machine1_UID>" --config="<PAM_Config_UID>" --resource="<Machine1_UID>" --schedulecron "0 3 * * 2" --enable --force
pam rotation set --record="<Machine2_UID>" --config="<PAM_Config_UID>" --resource="<Machine2_UID>" --schedulecron "0 3 * * 2" --enable --force

Example 3: Assign Rotation Settings in JSON Notation

The below command will assign a resource and set up a rotation schedule using JSON notation:

pam rotation set --record="<Machine1_UID>" --config="<PAM_Config_UID>" --resource="<Machine1_UID>" -sj '{"type":"DAILY","tz":"Etc/UTC","time":"03:00:00","intervalCount":60}' --enable --force

Example 4: Assign Rotation Settings for All Records

The below command will assign rotation capabilities in bulk for all records within a specific folder. In this case the folder is a sub-folder beneath a Shared Folder.

pam rotation set --folder="/ShareFolder1/PrivateFolder2" --config="<PAM_CONFIG_UID>" --resource="<PAM_Machine_UID>" --schedulecron "0 3 * * 2" --enable --force

Batch Mode

To run a large number of commands in a batch mode, see Keeper's Batch Mode command.

ITSM Integration

Integrating KeeperPAM with ITSM platforms such as ServiceNow

Overview

KeeperPAM integrates seamlessly with ITSM platforms (such as ServiceNow) to automate privileged access management within IT service workflows, eliminating manual credential handling and reducing security risks.

Examples include:

  • Automated secret retrieval and credential rotation

  • User provisioning and team/role assignments

  • Time-based access grants to servers and applications

  • Shared folder creation and user assignments

  • Compliance reporting and audit event retrieval

Below are the primary integration methods supported by KeeperPAM.


1. Secret Retrieval via Keeper Secrets Manager

Keeper provides a native integration with ServiceNow MID Servers that allows secure retrieval of secrets from Keeper Secrets Manager.

Setup Overview:

  • Install Keeper Secrets Manager SDK and plugin on the ServiceNow MID Server

  • Use a configured Secrets Manager Application with scoped access

  • Authenticate the MID server using a One-Time Access Token (OTA) or application credentials

  • Use secrets in orchestration scripts and automation tasks

Benefits:

  • Secrets are never stored in ServiceNow

  • Zero-trust access to secrets using Keeper’s cloud vault

  • Supports audit logging, fine-grained access, and secret rotation

For more details, see the ServiceNow integration for Keeper Secrets Manager.


2. Access Assignment via Keeper Commander CLI

ITSM platforms like ServiceNow can assign access to privileged resources or perform password rotation using Keeper Commander CLI, executed from a MID Server.

Setup Steps:

  1. Install a ServiceNow MID Server on a Windows or Linux machine

  2. Install Keeper Commander

  3. Authenticate Keeper Commander with a persistent session

  4. In ServiceNow Flow Designer, use a Run PowerShell or Run Command activity.

Example Commands:

To grant a user 1-hour access to a Linux server:

share-record --expire-in 1h -e user@company.com servers/Linux001

Rotate a specific password:

pam action rotate --record-uid <RECORD_UID>

Invite a user to Keeper:

enterprise-user --add user@example.com

Create a Shared Folder and add a user:

mkdir some_team_folder -sf -s
share-folder some_team_folder -e user@example.com -p off

Benefits:

  • Automates just-in-time access provisioning

  • No secrets stored in ServiceNow

  • Integrates with approval flows and service catalog items

This method offers the most flexibility. Any Keeper Commander action can be scripted and triggered via the MID Server.

For more information on this method, see the Keeper Commander setup guide and see the list of available commands.


3. Commander Service Mode REST API

Customers can enable Commander Service Mode to expose a secure internal REST API that accepts HTTP commands for executing Keeper actions.

Setup Summary:

  • Install Keeper Commander and run in Service Mode

  • Restrict access to the API on internal networks only

  • Create a Service Mode configuration that defines which commands are allowed

  • Use HTTPS requests to trigger actions like:

    • Inviting users to Keeper

    • Adding or removing users from teams

    • Rotating passwords

    • Initiating BreachWatch scans

    • Sharing access to vault records

Benefits:

  • REST API for ITSM, ticketing, and custom automation platforms

  • Full command support via HTTPS

  • Flexible and platform-agnostic

Security note: This API is self-hosted by the customer and should be secured with internal-only access and firewall restrictions.

For more information, see the Commander Service Mode setup guide.


Integration Summary

Integration Type                  Use Case                               Platform            Setup Location    Security Model
Secrets Manager MID Server        Securely retrieve secrets              ServiceNow          MID Server        Zero-trust vault access
Commander CLI via Flow Designer   Access assignment, password rotation   Any ITSM platform   MID Server        CLI-based automation
Commander Service Mode API        REST-based command execution           Any ITSM platform   Internal server   Internal-only REST interface

Vendor Privileged Access Management

How KeeperPAM provides Vendor Privileged Access (VPAM)

Vendor Privileged Access Management (VPAM)

Secure third-party access to internal resources with KeeperPAM’s zero-trust architecture. This guide outlines how KeeperPAM enables secure, auditable, and time-limited access for external users like contractors, technicians, and vendors—without the need for VPNs or exposing credentials.


Overview

KeeperPAM provides native support for remote privileged access scenarios involving external users such as vendors, partners, and third-party technicians. The system enables secure access through a browser-based interface with full control, auditability, and session recording—no local agents or VPNs required.


Key Capabilities

Just-in-Time (JIT) Access

Vendors are granted time-limited access to specific systems only when needed. Access can be subject to approval workflows, expiration, and session recording.

Credential Injection (Zero Exposure)

Vendors never see or handle passwords. Keeper injects credentials directly into RDP, SSH, database, or web sessions via the Keeper Gateway.

Agentless, VPN-Free Access

All access occurs through a web browser or desktop app—no client software or VPN setup is required. This ensures fast onboarding and secure connectivity.

Session Recording and Monitoring

Every vendor session is fully recorded, including screen activity, keystrokes, and command logs. Sessions are viewable in the Vault UI and can be streamed to your SIEM.

Real-Time Threat Detection (KeeperAI)

KeeperAI monitors vendor sessions for suspicious activity and can terminate connections automatically based on risk thresholds and pattern detection.

Role-Based Access Controls (RBAC)

Admins can define access rules based on vendor role, project, or department. Sessions can be isolated, time-bound, and protocol-specific.

Compliance Support

All third-party access is auditable to meet GDPR, HIPAA, PCI-DSS, SOX, NIST, and other compliance standards. Detailed logs are retained and can be pushed to external SIEM tools.


How It Works

  1. Configure Vendor Access

    • In the Keeper Vault UI, create a record for the resource the vendor needs (e.g., SSH, RDP).

    • Place it in a shared folder with time-based permissions.

    • Apply RBAC policies as needed.

  2. Vendor Authentication

    • Invite the vendor to join your Keeper tenant using SSO or email/password/MFA

    • Assign the vendor to a role

    • Enforce MFA and other access policies

    • The vendor logs in via the Keeper web vault or desktop app.

    • MFA is enforced even if the target resource lacks native MFA.

  3. Session Launch

    • The vendor selects the resource and initiates the connection.

    • Keeper Gateway injects credentials and brokers the session.

    • No credentials are revealed or copied to the vendor’s device.

  4. Session Monitoring

    • Keeper records screen activity, keystrokes, and command logs.

    • KeeperAI scans the session for anomalies and can terminate high-risk activity automatically.

  5. Access Expiration

    • Sessions are automatically terminated at the scheduled end time.

    • Shared folder permissions expire based on policy.


Example Use Cases

  • An MSP or hardware vendor remotely troubleshooting a server

  • A compliance auditor reviewing system logs

  • A database consultant with short-term access to production


Get Started

Vendor PAM is included in the standard KeeperPAM licensing model.

  • Activate KeeperPAM

  • Provision the vendor through your identity provider

  • Assign role policies to the vendor

  • Deploy a Keeper Gateway

  • Create PAM resource records in the Keeper Vault

  • Activate PAM settings on the resource such as connections, tunnels and session recording

  • Share access to the resource through time-limited access without sharing the credentials

Screenshots

The below screenshots walk through the basic process of provisioning resources to a third-party vendor or contractor.

Invite the vendor through your identity provider, AD, SSO or SCIM connection. Alternatively, you can create a Node in your Keeper tenant that is associated with a different directory.

Creating a Vendor Node

Vendors can be provisioned through AD/LDAP, SSO, SCIM or manually.

Provisioning Method

RBAC is applied to vendors through Role Enforcement policies:

Add Vendor Role

Role policies can be configured to enforce MFA on every login, with a hardware-based FIDO2 security key, TOTP or other methods.

MFA Enforcement

Typically, the vendor will have limited ability to create records or folders - in this case, they can only receive shared items.

Sharing Enforcement

Privileged Access Manager enforcement policies can then be limited to allow only launching connections and tunnels.

PAM Enforcements

From the vault, the admin can assign the contractor to a Shared Folder with no permissions, or to individual resources as needed.

Shared Folder

Within each resource, session recording, JIT and other capabilities are configured.

PAM Settings

The vendor then logs in to their vault with MFA and can launch into the session. Credentials are not exposed. In this example, they have been provided access to a MySQL database.

MFA into the Keeper Vault

Vendor launches the connection to the resource (in this case, a database), with one click. All session activity is recorded and logged.

Launching a connection

Admin Console event logs are generated for session launch activity.

Event Logs

Additional Info

Vendor Privileged Access Management (VPAM) is included by default in all KeeperPAM environments—no separate license is required. External vendor accounts are treated the same as internal users in terms of licensing.

Depending on your organization’s policies, external vendors can also benefit from additional Keeper capabilities, including:

  • Accessing target systems from their own device using Keeper Tunnels

  • Federated identity support, allowing SSO integration with the vendor’s identity provider

  • Delegated Administration, which grants designated admins limited administrative rights over specific nodes

  • Deploying Keeper Connection Manager (self-hosted) for remote access with a custom interface, session joining and advanced integration methods.

Commander SDK

Managing rotation with the Commander CLI / SDK interface

Keeper Commander commands have been created to automate and manage the Keeper PAM capabilities including:

  • Managing Gateways

  • Managing PAM Configurations

  • Managing Password Rotation and Discovery

  • Managing jobs

For more information see the KeeperPAM "pam" command documentation.

Cron Spec

Automated password rotation using Cron Specification

In the Keeper Vault, users can configure rotation using a standardized UNIX Cron specification.

The Keeper backend scheduler uses the open source Quartz Job Scheduler for executing rotations. The content below is based on the Quartz public documentation.

In the example below, the Cron Spec is set to 0 28 17 ? * * which means every day at 5:28PM PST.

Cron Spec for custom password rotation schedules

Format

A cron expression is a string comprised of 6 or 7 fields separated by white space. Fields can contain any of the allowed values, along with various combinations of the allowed special characters for that field. The fields are as follows:

Field Name      Mandatory   Allowed Values       Allowed Special Characters
Seconds         YES         0-59                 , - * /
Minutes         YES         0-59                 , - * /
Hours           YES         0-23                 , - * /
Day of month    YES         1-31                 , - * ? / L W
Month           YES         1-12 or JAN-DEC      , - * /
Day of week     YES         1-7 or SUN-SAT       , - * ? / L #
Year            NO          empty, 1970-2099     , - * /

Cron expressions can be as simple as this: * * * * ? *

or more complex, like this:

0/5 14,18,3-39,52 * ? JAN,MAR,SEP MON-FRI 2002-2010

Special characters

  • * (“all values”) - used to select all values within a field. For example, “*” in the minute field means “every minute”.

  • ? (“no specific value”) - useful when you need to specify something in one of the two fields in which the character is allowed, but not the other. For example, if I want my trigger to fire on a particular day of the month (say, the 10th), but don’t care what day of the week that happens to be, I would put “10” in the day-of-month field, and “?” in the day-of-week field. See the examples below for clarification.

  • - - used to specify ranges. For example, “10-12” in the hour field means “the hours 10, 11 and 12”.

  • , - used to specify additional values. For example, “MON,WED,FRI” in the day-of-week field means “the days Monday, Wednesday, and Friday”.

  • / - used to specify increments. For example, “0/15” in the seconds field means “the seconds 0, 15, 30, and 45”. And “5/15” in the seconds field means “the seconds 5, 20, 35, and 50”. You can also specify ‘/’ after the ‘*’ character - in this case ‘*’ is equivalent to having ‘0’ before the ‘/’. ‘1/3’ in the day-of-month field means “fire every 3 days starting on the first day of the month”.

  • L (“last”) - has different meaning in each of the two fields in which it is allowed. For example, the value “L” in the day-of-month field means “the last day of the month” - day 31 for January, day 28 for February on non-leap years. If used in the day-of-week field by itself, it simply means “7” or “SAT”. But if used in the day-of-week field after another value, it means “the last xxx day of the month” - for example “6L” means “the last friday of the month”. You can also specify an offset from the last day of the month, such as “L-3” which would mean the third-to-last day of the calendar month. When using the ‘L’ option, it is important not to specify lists, or ranges of values, as you’ll get confusing/unexpected results.

  • W (“weekday”) - used to specify the weekday (Monday-Friday) nearest the given day. As an example, if you were to specify “15W” as the value for the day-of-month field, the meaning is: “the nearest weekday to the 15th of the month”. So if the 15th is a Saturday, the trigger will fire on Friday the 14th. If the 15th is a Sunday, the trigger will fire on Monday the 16th. If the 15th is a Tuesday, then it will fire on Tuesday the 15th. However if you specify “1W” as the value for day-of-month, and the 1st is a Saturday, the trigger will fire on Monday the 3rd, as it will not ‘jump’ over the boundary of a month’s days. The ‘W’ character can only be specified when the day-of-month is a single day, not a range or list of days.

The 'L' and 'W' characters can also be combined in the day-of-month field to yield 'LW', which translates to "last weekday of the month".

  • # - used to specify “the nth” XXX day of the month. For example, the value of “6#3” in the day-of-week field means “the third Friday of the month” (day 6 = Friday and “#3” = the 3rd one in the month). Other examples: “2#1” = the first Monday of the month and “4#5” = the fifth Wednesday of the month. Note that if you specify “#5” and there are not 5 of the given day-of-week in the month, then no firing will occur that month.

The legal characters and the names of months and days of the week are not case sensitive. MON is the same as mon.

Examples

Here are some full examples:

Expression                    Meaning
0 0 12 * * ?                  Fire at 12pm (noon) every day
0 15 10 ? * *                 Fire at 10:15am every day
0 15 10 * * ?                 Fire at 10:15am every day
0 15 10 * * ? *               Fire at 10:15am every day
0 15 10 * * ? 2005            Fire at 10:15am every day during the year 2005
0 * 14 * * ?                  Fire every minute starting at 2pm and ending at 2:59pm, every day
0 0/5 14 * * ?                Fire every 5 minutes starting at 2pm and ending at 2:55pm, every day
0 0/5 14,18 * * ?             Fire every 5 minutes starting at 2pm and ending at 2:55pm, AND fire every 5 minutes starting at 6pm and ending at 6:55pm, every day
0 0-5 14 * * ?                Fire every minute starting at 2pm and ending at 2:05pm, every day
0 10,44 14 ? 3 WED            Fire at 2:10pm and at 2:44pm every Wednesday in the month of March
0 15 10 ? * MON-FRI           Fire at 10:15am every Monday, Tuesday, Wednesday, Thursday and Friday
0 15 10 15 * ?                Fire at 10:15am on the 15th day of every month
0 15 10 L * ?                 Fire at 10:15am on the last day of every month
0 15 10 L-2 * ?               Fire at 10:15am on the 2nd-to-last day of every month
0 15 10 ? * 6L                Fire at 10:15am on the last Friday of every month
0 15 10 ? * 6L 2002-2005      Fire at 10:15am on every last Friday of every month during the years 2002, 2003, 2004 and 2005
0 15 10 ? * 6#3               Fire at 10:15am on the third Friday of every month
0 0 12 1/5 * ?                Fire at 12pm (noon) every 5 days every month, starting on the first day of the month
0 11 11 11 11 ?               Fire every November 11th at 11:11am

Pay attention to the effects of '?' and '*' in the day-of-week and day-of-month fields!

Preview Access

How to access the Preview version of KeeperPAM

Preview Updates

The KeeperPAM Preview offers customers early access to test and prepare for upcoming changes.

Gateway Preview

Docker Installation

For Docker environments, you can reference the tag keeper/gateway:preview to get the preview version.

services:
  keeper-gateway:
    platform: linux/amd64
    image: keeper/gateway:preview

Linux Binary Preview

To update an existing Gateway on Linux:

curl -fsSL https://keepersecurity.com/pam/beta/install | \
  sudo bash -s -- --preview

Executing the following command will uninstall the Keeper Gateway Preview:

curl -fsSL https://keepersecurity.com/pam/beta/uninstall | sudo bash -s -- --preview

Windows Binary Preview Installers

Download the latest installer: 64-bit Installer


Vault Preview

Web Vault

  • US: https://keepersecurity.com/vault/preview

  • EU: https://keepersecurity.eu/vault/preview

  • AU: https://keepersecurity.com.au/vault/preview

  • CA: https://keepersecurity.ca/vault/preview

  • JP: https://keepersecurity.jp/vault/preview

Desktop App

  • Mac (.dmg) - Download

  • Mac (.pkg) - Download

  • Windows (.appx) - Download

  • Windows (.msix) - Download

  • Windows (.msi) - Download

  • Linux (.rpm) - Download

  • Linux (.deb) - Download

Note: the Desktop App preview does not auto-update. On Windows computers, installing a new preview version requires a full uninstall and re-install of Keeper. This does not affect stored data.

Admin Console Preview

  • US: https://keepersecurity.com/console/preview

  • EU: https://keepersecurity.eu/console/preview

  • AU: https://keepersecurity.com.au/console/preview

  • CA: https://keepersecurity.ca/console/preview

  • JP: https://keepersecurity.jp/console/preview

  • GOV: Not available for preview, use commercial environment