Defining alternative ports in PAM Configurations
Rotation relies on the port field in resource records to determine its connection method.
For example, in a PAM Machine record, port 22 tells the gateway to use SSH, port 5985 for WinRM (http) and port 5986 for WinRM (https).
The expected standard ports are listed in the following table.
To use a non-standard port, specify the alternative port in two places:
In the PAM Configuration port mapping field, enter {port}={connection}, for example, 32636=ldaps.
For {connection}: refer to the labels under Standard Port in the standard ports table.
In the PAM Machine/Directory/Database record, enter the chosen port in the port field.
For example, to connect to a MySQL database using port 3307, your PAM Configuration should have 3307=mysql under port mapping, and your PAM Database record should reference port 3307.
Multiple port mappings are newline-separated in the PAM Configuration.
Record Type      Resource           Standard Port
PAM Directory    Active Directory   636=ldaps
PAM Directory    OpenLDAP           636=ldaps
PAM Database     Postgresql         5432=postgresql
PAM Database     MySQL              3306=mysql
PAM Database     MariaDB            3306=mariadb
PAM Database     Microsoft SQL      1433=mssql
PAM Database     Oracle             1521=oracle
PAM Database     MongoDB            27017=mongodb
PAM Machine      SSH                22=ssh
PAM Machine      WinRM              5986=winrm
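The port-mapping rule described above can be checked mechanically before a PAM Configuration is saved. The following Python is an added example written for this page, not Keeper's code: it parses the newline-separated {port}={connection} field, validates every entry against the labels in the standard ports table (plus 5985 for WinRM over http, as the text above states), refuses a port mapped to two different connections, and models how a record's port resolves to a connection method. STANDARD_PORTS, KNOWN_CONNECTIONS, mapping_errors, parse_port_mapping and resolve_connection are names chosen for the example; the gateway's real implementation is not shown on this page.

```python
import re

# Standard port -> connection label, taken from the standard ports table on this page
# (5985 is added because the text above names it as WinRM over http).
STANDARD_PORTS = {
    636: "ldaps",        # Active Directory / OpenLDAP
    5432: "postgresql",
    3306: "mysql",       # MariaDB shares the port but uses the label "mariadb"
    1433: "mssql",
    1521: "oracle",
    27017: "mongodb",
    22: "ssh",
    5985: "winrm",
    5986: "winrm",
}

# Every label the table allows on the right-hand side of {port}={connection}
KNOWN_CONNECTIONS = {"ldaps", "postgresql", "mysql", "mariadb", "mssql",
                     "oracle", "mongodb", "ssh", "winrm"}

_ENTRY_RE = re.compile(r"^(\d{1,5})=([a-z]+)$")


def mapping_errors(text):
    """Check a PAM Configuration port mapping field (newline-separated
    {port}={connection} entries) and return a list of human-readable problems.
    An empty list means the field is well-formed."""
    errors = []
    seen = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                      # blank lines are harmless
        m = _ENTRY_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: {line!r} is not of the form {{port}}={{connection}}")
            continue
        port, conn = int(m.group(1)), m.group(2)
        if not 1 <= port <= 65535:
            errors.append(f"line {lineno}: port {port} is outside 1-65535")
        if conn not in KNOWN_CONNECTIONS:
            errors.append(f"line {lineno}: unknown connection label {conn!r}")
        if port in seen and seen[port] != conn:
            errors.append(f"line {lineno}: port {port} already mapped to {seen[port]!r}")
        seen.setdefault(port, conn)
    return errors


def parse_port_mapping(text):
    """Return {port: connection} for a valid mapping field; raise ValueError otherwise."""
    errors = mapping_errors(text)
    if errors:
        raise ValueError("; ".join(errors))
    entries = (ln.strip().split("=") for ln in text.splitlines() if ln.strip())
    return {int(port): conn for port, conn in entries}


def resolve_connection(port, mapping):
    """Model of the rule described above: the connection method is chosen from
    the record's port. A configured mapping wins, then the standard ports table;
    a non-standard port with no mapping cannot be resolved, so None is returned."""
    if port in mapping:
        return mapping[port]
    return STANDARD_PORTS.get(port)


if __name__ == "__main__":
    # Constructed sample mapping field, as it would be typed into the PAM Configuration
    field = "3307=mysql\n32636=ldaps"
    mapping = parse_port_mapping(field)
    for p in (22, 3307, 32636, 3308):
        print(p, "->", resolve_connection(p, mapping))
```

In the sample run, 22 resolves through the standard table, 3307 and 32636 through the mapping, and 3308 resolves to nothing, which is exactly the case the text says must be fixed by adding a mapping line.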
Steps to create a Keeper Secrets Manager application for rotation of passwords
Prior to working with Rotation, you need to create a KSM application. For more information on KSM, visit:
About KSM
In the Keeper Web Vault or Desktop App user interface, create a shared folder. This shared folder will contain the PAM records you will create as you are working through the guides.
Navigate to the "Secret Managers" tab on the left and click on "Create Application" to create a KSM application
In the prompted window:
Managing rotation with the Commander CLI / SDK interface
Keeper Commander commands have been created to automate and manage the Keeper PAM capabilities including:
Managing Gateways
Managing PAM Configurations
Managing Password Rotation and Discovery
Managing jobs
For more information see the KeeperPAM "pam" command documentation.
Choose the shared folder you have created in Step 1
Set the Record Permissions for Application to "Can Edit"
Click on "Generate Access Token" and then click on "OK"

Granting a service account the minimum permissions to rotate
When creating a PAM Directory Resource, it is recommended that you use a service account with the least required privileges to perform rotation.
The following steps show you how to enable a service account to rotate credentials using Active Directory's Delegation of Control feature.
Launch Active Directory Users and Computers
In the directory tree, select a node for which password rotation should be allowed.
Right-click on the node, then click Delegate Control.
In the Delegation of Control Wizard, click 'Add'.
Click 'Next' to advance to permission selection.
In 'Delegate the following common tasks', check the option for 'Reset user passwords and force password change at next logon', then click 'Next'.
Add the service account's login and password to the Resource Record for the AD instance.
Locate your chosen service account, then click 'OK'.


Import data from a file on your machine into the MySQL connection.
To import data from a CSV file, use the MySQL LOAD DATA command:
In the example above, "<table>" should be replaced with the SQL table to import data into. The other parts of the command are required for CSV-formatted files. If your uploaded file uses different termination characters, update the query accordingly.
After running the query, Keeper Connection Manager will prompt you to supply the data file. To upload the file, simply drag and drop it from your machine onto the browser window.
The file uploaded does not have to have the same name given in the query.
Data from the connected MySQL database can be exported to a file on your machine. To do this, use the following query:
The result of the given <query> will be put into a CSV file with the given name and downloaded from the browser to your machine.
Import data from a file on your machine into the SQL Server connection.
To import data from a CSV file, use the BULK INSERT command:
In the example above, "<table>" should be replaced with the SQL table to import data into. The other parts of the command are required for CSV-formatted files. If your uploaded file uses different termination characters, update the query accordingly.
After running the query, Keeper Connection Manager will prompt you to supply the data file. To upload the file, simply drag and drop it from your machine onto the browser window.
The file uploaded does not have to have the same name given in the query.
Data from the connected SQL Server database can be exported to a file on your machine. To do this, use the following query:
The result of the given <query> will be put into a CSV file with the given name and downloaded from the browser to your machine.
Import data from a file on your machine into the PostgreSQL connection.
To import data from a CSV file, use the COPY command:
In the example above, "<table>" should be replaced with the SQL table to import data into. The other parts of the command are required for CSV-formatted files. If your uploaded file uses different termination characters, update the query accordingly.
After running the query, Keeper Connection Manager will prompt you to supply the data file. To upload the file, simply drag and drop it from your machine onto the browser window.
The file uploaded does not have to have the same name given in the query.
Data from the connected PostgreSQL database can be exported to a file on your machine. To do this, use the following query:
The result of the given <query> will be put into a CSV file with the given name and downloaded from the browser to your machine.
MySQL import:
LOAD DATA LOCAL INFILE "input.csv" INTO TABLE <table> FIELDS
TERMINATED BY ',' ENCLOSED BY '"' LINES TERMINATED BY '\r\n'

MySQL export:
SELECT <query> INTO LOCAL OUTFILE "<name>.csv"

SQL Server import:
BULK INSERT <table> FROM LOCAL FILE

SQL Server export:
SELECT <query> INTO LOCAL OUTFILE "<name>.csv"

PostgreSQL import:
\COPY <table> FROM "input.csv" With CSV

PostgreSQL export:
\COPY (<query>) TO "<name>.csv" With CSV HEADER

How to access the Preview version of KeeperPAM
The KeeperPAM Preview offers customers early access to test and prepare for upcoming changes.
For Docker environments, you can reference the tag keeper/gateway:preview to get the preview version.
To update an existing Gateway on Linux:
Executing the following command will uninstall the Keeper Gateway Preview:
Download the latest installer:
US:
EU:
AU:
CA:
Mac (.dmg) -
Mac (.pkg) -
Windows (.appx) -
Windows (.msix) -
Note: the Desktop App preview does not auto-update. On Windows computers, a new version of the preview version requires a full uninstall and re-install of Keeper. This does not affect stored data.
US:
EU:
AU:
CA:
Keeper rotation event reporting in the Advanced Reporting & Alerts module
Events related to Secrets Management and Privileged Access Management are included in the Advanced Reporting & Alerts module within the Keeper Admin Console.
To receive immediate feedback on any rotation related events, Keeper's "Alerts" capability can push these events to email, SMS, webhooks, Slack, Teams, etc.
To learn more, see the Keeper Advanced Reporting & Alerts module documentation.
Example guide for setting up WinRM on target machines
Customers are responsible for the configuration of their servers and environments. For reference and testing, the below PowerShell script can be run on a target machine to enable WinRM with a self-signed certificate. We recommend creating a certificate with a public CA in your production environment.
Below is a breakdown of what this script performs to configure WinRM on a Windows machine:
Windows (.msi) - Download
Linux (.rpm) - Download
Linux (.deb) - Download
GOV: Not available for preview, use commercial environment
Installing sqlcmd for accessing SQL Server from a Linux machine
Import the Microsoft GPG keys
sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
Add the Microsoft SQL Server Tools repository
sudo curl -o /etc/yum.repos.d/mssql-tools.repo https://packages.microsoft.com/config/rhel/7/prod.repo
Install Command
sudo yum update -y
sudo ACCEPT_EULA=Y yum install -y mssql-tools unixODBC-devel
echo 'export PATH="$PATH:/opt/mssql-tools/bin"' >> ~/.bash_profile
source ~/.bash_profile

Set the network connection profile to Private:
Set-NetConnectionProfile -NetworkCategory Private
Configure and enable WinRM:
winrm quickconfig -force
Enable-PSRemoting -force
Allow non-SSL (unencrypted) traffic on port 5985:
Create a self-signed SSL certificate for encrypted traffic on port 5986:
Create Windows Firewall rules to allow inbound traffic on ports 5985 (non-SSL) and 5986 (SSL):
After running this script, WinRM will be configured to allow both unencrypted (port 5985) and encrypted (port 5986) remote connections. Additionally, Windows Firewall rules will be created to allow inbound traffic on these ports.
From a Windows server, you can test the connectivity to the target machine through PowerShell:
Test-NetConnection -ComputerName <host> -Port <port>

Docker Compose for the preview Gateway image:
services:
  keeper-gateway:
    platform: linux/amd64
    image: keeper/gateway:preview

Update an existing Gateway on Linux to the preview:
curl -fsSL https://keepersecurity.com/pam/beta/install | \
  sudo bash -s -- --preview

Uninstall the Keeper Gateway Preview:
curl -fsSL https://keepersecurity.com/pam/beta/uninstall | sudo bash -s -- --preview

Allow non-SSL (unencrypted) traffic on port 5985:
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}'

Create a self-signed SSL certificate for encrypted traffic on port 5986:
$Hostname = [System.Net.Dns]::GetHostByName($env:computerName).HostName
$Thumbprint = (New-SelfSignedCertificate -Subject "CN=$Hostname" -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1').Thumbprint
$A = '@{Hostname="'+$Hostname+'"; CertificateThumbprint="'+$Thumbprint+'"}'
winrm create winrm/config/Listener?Address=*+Transport=HTTPS $A

Create Windows Firewall rules to allow inbound traffic on ports 5985 (non-SSL) and 5986 (SSL):
New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
    -Protocol TCP -LocalPort "5985" -Profile Domain,Private
New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
    -Protocol TCP -LocalPort "5985" -Profile Public
New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
    -Protocol TCP -LocalPort "5986" -Profile Domain,Private
New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
    -Protocol TCP -LocalPort "5986" -Profile Public

The complete WinRM setup script:
# Enable WinRM
Set-NetConnectionProfile -NetworkCategory Private
winrm quickconfig -force
Enable-PSRemoting -force
# Allow non-SSL traffic (port 5985)
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}'
# Create a cert for SSL (port 5986)
$Hostname = [System.Net.Dns]::GetHostByName($env:computerName).HostName
$Thumbprint = (New-SelfSignedCertificate -Subject "CN=$Hostname" -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1').Thumbprint
$A = '@{Hostname="'+$Hostname+'"; CertificateThumbprint="'+$Thumbprint+'"}'
winrm create winrm/config/Listener?Address=*+Transport=HTTPS $A
# Firewall Rules
New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
-Protocol TCP -LocalPort "5985" -Profile Domain,Private
New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
-Protocol TCP -LocalPort "5985" -Profile Public
New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
-Protocol TCP -LocalPort "5986" -Profile Domain,Private
New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
-Protocol TCP -LocalPort "5986" -Profile Public




The Keeper Gateway establishes outbound-only connections and does not require any inbound firewall rules. The following outbound connections must be allowed:
Keeper Cloud (keepersecurity.[com|eu|com.au|jp|ca|us])
TLS Port 443
Communicates with Keeper Cloud to access target infrastructure via native protocols (e.g., SSH, RDP)
The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. Keeper Secrets Manager APIs are used to communicate with the Keeper cloud.
Managing rotation settings on individual and bulk records using Keeper Commander
Integrating KeeperPAM with ITSM platforms such as ServiceNow
Keeper Router (connect.keepersecurity.[com|eu|com.au|jp|ca|us])
TLS Port 443
Communicates with Keeper Router to establish secure, real-time WebSocket connections
Keeper KRelay Server (krelay.keepersecurity.[com|eu|com.au|jp|ca|us])
TCP and UDP opened on Port 3478
Outbound access to TCP and UDP ports 49152 through 65535
Facilitates secure and encrypted relay connections between end-user's vault and target systems via the Gateway
Target records are in place – all PAM Machine, PAM User and other privileged records you plan to rotate live in shared folders inside your Keeper Vault.
A Keeper Gateway is installed and online – see Step 1 below.
At least one PAM Configuration exists and points to the gateway – see Step 2.
You are signed in to Keeper Commander with an administrator or rotation‑manager role.
Commander’s pam gateway sub‑commands manage the Gateway service.
Task                                                   Command
List existing gateways                                 pam gateway list
Create a new gateway and generate a one-time token     pam gateway new --name "<Gateway_Name>" --application "<KSM_Application_UID>"
Generate the GATEWAY_CONFIG blob for Docker installs   pam gateway new -n "<Gateway_Name>" -a "<App_UID>" --config-init b64
Tip: Retrieve the UID for an existing gateway at any time with pam gateway list --verbose.
pam config new (or pam config edit) assembles the rules that tie the gateway to rotation, discovery, tunnelling and connections.
--gateway binds the configuration to the Keeper Gateway you created in Step 1.
--rotation on enables the rotation feature for any records attached to this configuration.
--schedule sets a default CRON schedule that records can inherit (you can still override per record with pam rotation edit).
Use pam config list to obtain the configuration’s UID for later commands.
Command              What it actually does
rotate               Deprecated: legacy plugin-based rotation run directly from Commander.
pam action rotate    Runs an immediate rotation job through the Keeper Gateway.
pam rotation edit    Configures rotation settings (schedule, resource, complexity) on one or many records. (Does not rotate immediately.)
pam rotation edit adjusts the KeeperPAM rotation metadata stored on a record.
Option                    Purpose
--record / -r             Target an individual record by UID, name, or pattern.
--folder / -fd            Target every record in a folder (bulk update).
--force / -f              Skip confirmation prompts.
--config / -c             UID or path of the PAM Configuration to link.
--iam-aad-config / -iac   Alternative to --resource for IAM / Azure AD users.
--resource / -rs          UID or path of the resource record used to perform the change.
Full help: pam rotation edit --help
Replace angle‑bracket placeholders with real UIDs or paths.
1 – Daily rotation on a single machine (CRON)
2 – Weekly rotation using JSON
3 – Bulk‑enable rotation for every record in a folder (monthly)
4 – Change schedule only
Tip: Combine -so with --enable or --disable to quickly activate or pause existing schedules without touching other parameters.
5 – On‑demand rotation (no schedule)
6 – Set password complexity
Run a rotation right now (ignoring any schedule):
Commander sends the job to the Keeper Gateway, which executes the correct plugin or native driver for the resource.
pam action gateway-info --gateway <Gateway_UID> – check gateway health and version.
pam rotation list – verify which resources have rotation enabled.
pam action job-info --gateway <Gateway_UID> – view historical rotation job logs.
pam rotation script – manage post‑rotation scripts.
To run a large number of commands in a batch mode, see Keeper's Batch Mode command.
User provisioning and team/role assignments
Time-based access grants to servers and applications
Shared folder creation and user assignments
Compliance reporting and audit event retrieval
Below are the primary integration methods supported by KeeperPAM.
Keeper provides a native integration with ServiceNow MID Servers that allows secure retrieval of secrets from Keeper Secrets Manager.
Setup Overview:
Install Keeper Secrets Manager SDK and plugin on the ServiceNow MID Server
Use a configured Secrets Manager Application with scoped access
Authenticate the MID server using a One-Time Access Token (OTA) or application credentials
Use secrets in orchestration scripts and automation tasks
Benefits:
Secrets are never stored in ServiceNow
Zero-trust access to secrets using Keeper’s cloud vault
Supports audit logging, fine-grained access, and secret rotation
For more details, see the ServiceNow integration for Keeper Secrets Manager
ITSM platforms like ServiceNow can assign access to privileged resources or perform password rotation using Keeper Commander CLI, executed from a MID Server.
Setup Steps:
Install a ServiceNow MID Server on a Windows or Linux machine
Install Keeper Commander
Authenticate Keeper Commander with a persistent session
In ServiceNow Flow Designer, use a Run PowerShell or Run Command activity.
To grant a user 1-hour access to a Linux server:
Rotate a specific password:
Invite a user to Keeper
Create a Shared Folder and Add User
Benefits:
Automates just-in-time access provisioning
No secrets stored in ServiceNow
Integrates with approval flows and service catalog items
This method offers the most flexibility. Any Keeper Commander action can be scripted and triggered via the MID Server.
For more information on this method, see the Keeper Commander setup guide and see the list of available commands.
Customers can enable Commander Service Mode to expose a secure internal REST API that accepts HTTP commands for executing Keeper actions.
Setup Summary:
Install Keeper Commander and run in Service Mode
Restrict access to the API on internal networks only
Create a Service Mode configuration that defines which commands are allowed
Use HTTPS requests to trigger actions like:
Inviting users to Keeper
Adding or removing users from teams
Rotating passwords
Initiating BreachWatch scans
Sharing access to vault records
Benefits:
REST API for ITSM, ticketing, and custom automation platforms
Full command support via HTTPS
Flexible and platform-agnostic
Security note: This API is self-hosted by the customer and should be secured with internal-only access and firewall restrictions.
For more information, see the Commander Service Mode setup guide.
Method: Secrets Manager MID Server
Use: Securely retrieve secrets
Platform: ServiceNow
Runs on: MID Server
Notes: Zero-trust vault access

Method: Commander CLI via Flow Designer
Use: Access assignment, password rotation
Platform: Any ITSM platform
Runs on: MID Server
Notes: CLI-based automation
How KeeperPAM provides Vendor Privileged Access (VPAM)
Secure third-party access to internal resources with KeeperPAM’s zero-trust architecture. This guide outlines how KeeperPAM enables secure, auditable, and time-limited access for external users like contractors, technicians, and vendors—without the need for VPNs or exposing credentials.
pam config new --title "Prod Rotation" \
    --gateway "<Gateway_UID>" \
    --shared-folder "<Shared_Folder_UID>" \
    --rotation on \
    --schedule "0 2 * * *"

1 – Daily rotation on a single machine (CRON):
pam rotation edit --record "<Machine_UID>" \
    --config "<PAM_Config_UID>" \
    --resource "<Machine_UID>" \
    --schedulecron "0 2 * * *" \
    --enable

2 – Weekly rotation using JSON:
pam rotation edit --record "<Machine_UID>" \
    --config "<PAM_Config_UID>" \
    --resource "<Machine_UID>" \
    -sj '{"type":"WEEKLY","weekday":"SATURDAY","time":"22:00","tz":"America/New_York"}' \
    --enable

3 – Bulk-enable rotation for every record in a folder (monthly):
pam rotation edit --folder "/Shared/Prod" \
    --config "<PAM_Config_UID>" \
    --resource "<Gateway_Proxy_User_UID>" \
    --schedulecron "0 3 1 * *" \
    --enable --force

4 – Change schedule only:
pam rotation edit --folder "/Shared/Prod" \
    --schedulecron "0 1 * * *" \
    --schedule-only --force

5 – On-demand rotation (no schedule):
pam rotation edit --record "<Machine_UID>" --on-demand --enable

6 – Set password complexity:
pam rotation edit --record "<PAM_User_UID>" \
    --complexity 20,1,4,2,2,.=+- \
    --enable

Run a rotation right now (ignoring any schedule):
pam action rotate --record "<Machine_UID>"

ServiceNow Flow Designer commands:
Grant a user 1-hour access to a Linux server:
share-record --expire-in 1h -e [email protected] servers/Linux001
Rotate a specific password:
pam action rotate --record-uid <RECORD_UID>
Invite a user to Keeper:
enterprise-user --add [email protected]
Create a Shared Folder and add a user:
mkdir some_team_folder -sf -s
share-folder some_team_folder -e [email protected] -p off

Option                     Purpose
--schedulejson / -sj       Supply a JSON scheduler object.
--schedulecron / -sc       Supply a CRON-formatted schedule string.
--on-demand / -od          Mark rotation as on-demand (no schedule).
--schedule-config / -sf    Inherit schedule from the linked PAM Configuration.
--complexity / -x          Password complexity spec (length,upper,lower,digits,symbols[,symbol_set]).
--admin-user / -a          UID/path of a PAM User to act as admin for rotation.
--enable / -e              Enable rotation on the targeted record(s).
--disable / -d             Disable rotation on the targeted record(s).
--schedule-only / -so      Update only the schedule on the targeted record(s). Leaves config, resource, complexity untouched.
Method: Commander Service Mode API
Use: REST-based command execution
Platform: Any ITSM platform
Runs on: Internal server
Notes: Internal-only REST interface
Allowing the Keeper Gateway to access Microsoft SQL Server on port 1433
Below are the PowerShell commands to open up port 1433 on the SQL Server instance.
# Define the SQL Server port (default is 1433 for TCP)
$SQLPort = 1433
# Create a firewall rule for inbound SQL Server traffic (TCP)
New-NetFirewallRule -DisplayName "Allow SQL Server TCP" `
    -Direction Inbound -Protocol TCP -LocalPort $SQLPort `
    -Action Allow
# Allow SQL Server traffic on UDP port 1434 for SQL Browser service (optional)
New-NetFirewallRule -DisplayName "Allow SQL Server UDP" `
    -Direction Inbound -Protocol UDP -LocalPort 1434 `
    -Action Allow
# Verify the rules were created
Get-NetFirewallRule -DisplayName "Allow SQL Server*"

KeeperPAM provides native support for remote privileged access scenarios involving external users such as vendors, partners, and third-party technicians. The system enables secure access through a browser-based interface with full control, auditability, and session recording—no local agents or VPNs required.
Vendors are granted time-limited access to specific systems only when needed. Access can be subject to approval workflows, expiration, and session recording.
Vendors never see or handle passwords. Keeper injects credentials directly into RDP, SSH, database, or web sessions via the Keeper Gateway.
All access occurs through a web browser or desktop app—no client software or VPN setup is required. This ensures fast onboarding and secure connectivity.
Every vendor session is fully recorded, including screen activity, keystrokes, and command logs. Sessions are viewable in the Vault UI and can be streamed to your SIEM.
KeeperAI monitors vendor sessions for suspicious activity and can terminate connections automatically based on risk thresholds and pattern detection.
Admins can define access rules based on vendor role, project, or department. Sessions can be isolated, time-bound, and protocol-specific.
All third-party access is auditable to meet GDPR, HIPAA, PCI-DSS, SOX, NIST, and other compliance standards. Detailed logs are retained and can be pushed to external SIEM tools.
Configure Vendor Access
In the Keeper Vault UI, create a record for the resource the vendor needs (e.g., SSH, RDP).
Place it in a shared folder with time-based permissions.
Apply RBAC policies as needed.
Vendor Authentication
Invite the vendor to join your Keeper tenant using SSO or email/password/MFA
Assign the vendor to a role
Enforce MFA and other access policies
The vendor logs in via the Keeper web vault or desktop app.
Session Launch
The vendor selects the resource and initiates the connection.
Keeper Gateway injects credentials and brokers the session.
No credentials are revealed or copied to the vendor’s device.
Session Monitoring
Keeper records screen activity, keystrokes, and command logs.
KeeperAI scans the session for anomalies and can terminate high-risk activity automatically.
Access Expiration
Sessions are automatically terminated at the scheduled end time.
Shared folder permissions expire based on policy.
An MSP or hardware vendor remotely troubleshooting a server
A compliance auditor reviewing system logs
A database consultant with short-term access to production
Vendor PAM is included in the standard KeeperPAM licensing model.
through your identity provider
Assign to the vendor
Deploy a Keeper Gateway
Create in the Keeper Vault
Activate PAM settings on the resource such as , and
to the resource through time-limited access without sharing the credentials
The below screenshots walk through the basic process of provisioning resources to a third-party vendor or contractor.
Invite the Vendor through your identity provider, AD, SSO or SCIM connection. Alternatively, you can create a Node in your Keeper tenant that is associated to a different directory.
Vendors can be provisioned through AD/LDAP, SSO, SCIM or manual method.
RBAC is applied to vendors through Role Enforcement policies:
Role policies can be configured to enforce MFA on every login, with a hardware-based FIDO2 security key, TOTP or other methods.
Typically, the vendor will have limited ability to create records or folders - in this case, they can only receive shared items.
Privileged Access Manager enforcement policies can then be limited to allow only launching connections and tunnels.
From the vault, the admin can assign the contractor to a Shared Folder with no permissions, or to individual resources as needed.
Within each resource, session recording, JIT and other capabilities are configured.
The vendor then logs in to their vault with MFA and can launch into the session. Credentials are not exposed. In this example, they have been provided access to a MySQL database.
Vendor launches the connection to the resource (in this case, a database), with one click. All session activity is recorded and logged.
Admin Console event logs are generated for session launch activity.
Vendor Privileged Access Management (VPAM) is included by default in all KeeperPAM environments—no separate license is required. External vendor accounts are treated the same as internal users in terms of licensing.
Depending on your organization’s policies, external vendors can also benefit from additional Keeper capabilities, including:
Accessing target systems from their own device using Keeper Tunnels
Federated identity support, allowing with the vendor’s identity provider
Delegated Administration to designated to specific nodes
Deploying Keeper Connection Manager (self-hosted) for remote access with a custom interface, session joining and methods.

It is typically recommended to remove any existing Docker or docker-compose that is installed on the Debian machine, and install the official Docker packages (instead of the Debian packages).
The commands to delete the existing Docker version are below:
Don't run this unless you're sure that you want to remove all existing docker installation files, images, containers, etc. This will delete everything.
After removing Docker, it would be a good idea to reboot the device.
Now, install the official Docker packages using the commands below.
Remove the existing Docker installation (Debian):
sudo systemctl stop docker docker.socket containerd 2>/dev/null
sudo apt remove --purge -y docker-ce docker-ce-cli containerd.io docker-compose-plugin docker-buildx-plugin docker.io podman-docker runc
sudo apt remove docker-compose
sudo apt autoremove --purge -y
sudo rm -rf /var/lib/docker /var/lib/containerd /etc/docker
sudo rm -f /etc/apt/sources.list.d/docker.list /etc/apt/keyrings/docker.gpg

Amazon Linux 2:
# Engine from amazon-linux-extras
sudo yum update -y
sudo amazon-linux-extras install -y docker
sudo systemctl enable --now docker
sudo usermod -aG docker $USER
newgrp docker
# Install Compose v2 plugin so `docker compose` works
sudo mkdir -p /usr/local/lib/docker/cli-plugins
sudo curl -SL "https://github.com/docker/compose/releases/download/v2.27.0/docker-compose-linux-x86_64" \
  -o /usr/local/lib/docker/cli-plugins/docker-compose
sudo chmod +x /usr/local/lib/docker/cli-plugins/docker-compose
# Verify
docker --version
docker compose version
# Start the service and set to run on reboot
sudo service docker start
sudo chkconfig docker on

CentOS / RHEL-family (dnf, release 9):
sudo dnf -y install dnf-plugins-core
sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo sed -i 's|\$releasever|9|g' /etc/yum.repos.d/docker-ce.repo
sudo dnf -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo systemctl enable --now docker
sudo usermod -aG docker $USER
newgrp docker
sudo service docker start
sudo chkconfig docker on
# Verify
docker --version
docker compose version

Reboot after removing Docker:
sudo reboot

Debian: install the official Docker packages
# 1. Install prerequisites
sudo apt update && sudo apt install -y ca-certificates curl gnupg lsb-release
# 2. Add Docker’s GPG key
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
# 3. Add Docker’s official repo
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
  https://download.docker.com/linux/debian $(lsb_release -cs) stable" \
  | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# 4. Install Docker CE, CLI, Containerd, and Compose plugin
sudo apt update && sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin docker-buildx-plugin
# 5. Enable and start Docker
sudo systemctl enable --now docker
# 6. Verify install
docker --version
docker compose version
# to run docker without sudo
sudo usermod -aG docker $USER
newgrp docker

Ubuntu: install the official Docker packages
# Install prerequisites
sudo apt update && sudo apt install -y ca-certificates curl gnupg lsb-release
# Add Docker’s GPG key
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
# Add Docker’s official Ubuntu repo
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
  https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
  | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Install Docker CE, CLI, Containerd, and Compose plugin
sudo apt update && sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin docker-buildx-plugin
# Enable and start Docker
sudo systemctl enable --now docker
# Allow running Docker without sudo
sudo usermod -aG docker $USER
newgrp docker
# Verify install
docker --version
docker compose version

MFA is enforced even if the target resource lacks native MFA.











Example guide for setting up SSH on target machines
Customers are responsible for the configuration of their servers and environments.
Secure Shell (SSH) allows confidential and authenticated remote access to a computer. SSH traffic is fully encrypted and, by default, runs on port 22. For reference and testing, see below for instructions and guidance on enabling SSH for your target operating system.
Linux requires the SSH daemon to be running in order to accept SSH connections. Most Linux distributions will have the OpenSSH server installed, but may not have the service enabled. The service needs to be enabled, started, and added to the list of services to be started upon reboot.
To verify that ssh is running on your Linux system, invoke the following command:
If ssh is not running, you may need to install OpenSSH and/or enable ssh. The following commands demonstrate this in Ubuntu:
Note:
you may need sudo permissions to install and enable ssh
The installation command may be different based on your linux distribution
SSH is normally not installed on Windows. However, SSH can easily be installed via Windows capability packages which are maintained by Microsoft.
The following PowerShell script will:
Install the OpenSSH Server capability
Start the sshd service and make sure it starts with each reboot
Ensure the Windows firewall allows inbound SSH connections on TCP port 22
To connect through SSH, simply create a new PAM Machine record and set the connection protocol to SSH.
Once connected, PowerShell Commands can be executed by typing powershell.exe:
Windows OpenSSH can default to either PowerShell or CMD. Keeper Rotation uses PowerShell commands; if the default shell is CMD, Keeper Rotation invokes the rotation commands via PowerShell's Invoke-Command -ScriptBlock { COMMANDS }. To make PowerShell the default shell, run the following PowerShell command (it sets the DefaultShell value under HKLM:\SOFTWARE\OpenSSH):
SSH is installed on macOS but is usually not enabled for the user.
To enable it via the UI, turn on Remote Login in the Sharing panel (General > Sharing).
To enable it via the command line, invoke the following command:
Note:
you will require Full Disk Access privileges for this command line method.
Automated password rotation using Cron Specification
In the Keeper Vault, users can configure rotation using a standardized UNIX Cron specification.
The Keeper backend scheduler uses the open source Quartz Job Scheduler for executing rotations. The content below is based on the Quartz public documentation.
In the example below, the Cron Spec is set to 0 28 17 ? * *, which means every day at 5:28 PM (PST in this example).
A cron expression is a string comprised of 6 or 7 fields separated by white space. Fields can contain any of the allowed values, along with various combinations of the allowed special characters for that field. The fields are as follows:
Cron expressions can be as simple as this: * * * * ? *
or more complex, like this:
0/5 14,18,3-39,52 * ? JAN,MAR,SEP MON-FRI 2002-2010
* (“all values”) - used to select all values within a field. For example, “*” in the minute field means “every minute”.
? (“no specific value”) - useful when you need to specify something in one of the two fields in which the character is allowed, but not the other. For example, to fire on a particular day of the month (say, the 10th) regardless of the day of the week, put “10” in the day-of-month field and “?” in the day-of-week field. Quartz requires “?” in exactly one of the day-of-month and day-of-week fields. See the examples below for clarification.
- - used to specify ranges. For example, “10-12” in the hour field means “the hours 10, 11 and 12”.
LW - the 'L' and 'W' characters can be combined in the day-of-month field to yield 'LW', which translates to “last weekday of the month”.
# - used to specify “the nth” XXX day of the month. For example, the value of “6#3” in the day-of-week field means “the third Friday of the month” (day 6 = Friday and “#3” = the 3rd one in the month). Other examples: “2#1” = the first Monday of the month and “4#5” = the fifth Wednesday of the month. Note that if you specify “#5” and there are not five of the given day-of-week in the month, then no firing will occur that month.
The legal characters and the names of months and days of the week are not case sensitive. MON is the same as mon.
Here are some full examples:
Linux: verify that the SSH daemon is running

ps aux | grep sshd

Ubuntu: install and enable OpenSSH

apt-get install openssh-server
systemctl enable ssh
systemctl start ssh

Windows: PowerShell script to install, start and open the firewall for OpenSSH

# Install OpenSSH
Add-WindowsCapability -Online -Name OpenSSH.Server
# Start service and make sure it automatically starts after reboot.
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
# Make sure the firewall will allow SSH connections
if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
    Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
} else {
    Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' already exists."
}

Windows: switching to PowerShell inside an SSH session that landed in CMD

domain\admin@MACHINE C:\Users\Administrator\Desktop>powershell.exe
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator\Desktop>

Windows: make PowerShell the default shell for OpenSSH

# Enable PowerShell in SSH
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell `
    -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -PropertyType String -Force

macOS: enable Remote Login from the command line

sudo systemsetup -setremotelogin on
Cron field reference:

Field Name      Mandatory   Allowed Values       Allowed Special Characters
Seconds         YES         0-59                 , - * /
Minutes         YES         0-59                 , - * /
Hours           YES         0-23                 , - * /
Day of month    YES         1-31                 , - * ? / L W
Month           YES         1-12 or JAN-DEC      , - * /
Day of week     YES         1-7 or SUN-SAT       , - * ? / L #
Year            NO          empty, 1970-2099     , - * /

, - used to specify additional values. For example, “MON,WED,FRI” in the day-of-week field means “the days Monday, Wednesday, and Friday”.
/ - used to specify increments. For example, “0/15” in the seconds field means “the seconds 0, 15, 30, and 45”. And “5/15” in the seconds field means “the seconds 5, 20, 35, and 50”. You can also specify ‘/’ after the ‘*’ character - in this case ‘*’ is equivalent to having ‘0’ before the ‘/’. ‘1/3’ in the day-of-month field means “fire every 3 days starting on the first day of the month”.
L (“last”) - has a different meaning in each of the two fields in which it is allowed. For example, the value “L” in the day-of-month field means “the last day of the month” - day 31 for January, day 28 for February in non-leap years. If used in the day-of-week field by itself, it simply means “7” or “SAT”. But if used in the day-of-week field after another value, it means “the last xxx day of the month” - for example “6L” means “the last Friday of the month”. You can also specify an offset from the last day of the month, such as “L-3”, which means the third-to-last day of the calendar month. When using the ‘L’ option, it is important not to specify lists or ranges of values, as you will get confusing/unexpected results.
W (“weekday”) - used to specify the weekday (Monday-Friday) nearest the given day. As an example, if you were to specify “15W” as the value for the day-of-month field, the meaning is: “the nearest weekday to the 15th of the month”. So if the 15th is a Saturday, the trigger will fire on Friday the 14th. If the 15th is a Sunday, the trigger will fire on Monday the 16th. If the 15th is a Tuesday, then it will fire on Tuesday the 15th. However, if you specify “1W” as the value for day-of-month, and the 1st is a Saturday, the trigger will fire on Monday the 3rd, as it will not ‘jump’ over the boundary of a month’s days. The ‘W’ character can only be specified when the day-of-month is a single day, not a range or list of days.

Cron examples:

0 0 12 * * ?                Fire at 12pm (noon) every day
0 15 10 ? * *               Fire at 10:15am every day
0 15 10 * * ?               Fire at 10:15am every day
0 15 10 * * ? *             Fire at 10:15am every day
0 15 10 * * ? 2005          Fire at 10:15am every day during the year 2005
0 10,44 14 ? 3 WED          Fire at 2:10pm and at 2:44pm every Wednesday in the month of March
0 15 10 ? * MON-FRI         Fire at 10:15am every Monday, Tuesday, Wednesday, Thursday and Friday
0 15 10 15 * ?              Fire at 10:15am on the 15th day of every month
0 15 10 L * ?               Fire at 10:15am on the last day of every month
0 15 10 L-2 * ?             Fire at 10:15am on the 2nd-to-last day of every month
0 15 10 ? * 6L              Fire at 10:15am on the last Friday of every month
0 15 10 ? * 6L 2002-2005    Fire at 10:15am on every last Friday of every month during the years 2002, 2003, 2004 and 2005
0 15 10 ? * 6#3             Fire at 10:15am on the third Friday of every month
0 0 12 1/5 * ?              Fire at 12pm (noon) every 5 days every month, starting on the first day of the month
0 11 11 11 11 ?             Fire every November 11th at 11:11am
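The following program is an added example and is not Keeper or Quartz code. It implements the Quartz field rules described above (6 or 7 fields, lists, ranges, increments, month and day names, and the L, W, LW, L-n and # specials), computes the next time an expression fires, and rejects expressions that break the rule Quartz enforces on the two day fields: exactly one of day-of-month and day-of-week must be '?'. It is useful for sanity-checking a rotation schedule before saving it, for instance confirming that 0 15 10 L-2 * ? really lands on 27 February in a leap year. Times are naive (no time zone), so the example does not model how the Keeper scheduler localizes an expression; the 400-day search horizon is an arbitrary choice.

```python
"""Matcher for the Quartz-style cron expressions used in Keeper rotation schedules. Added example, not
Keeper or Quartz code; it implements the field rules documented on this page (naive local time, no TZ)."""
import calendar
from datetime import datetime, timedelta
from itertools import product

FIELDS = ("second", "minute", "hour", "dom", "month", "dow", "year")
RANGES = {"second": (0, 59), "minute": (0, 59), "hour": (0, 23), "dom": (1, 31),
          "month": (1, 12), "dow": (1, 7), "year": (1970, 2099)}
MONTHS = {m: i for i, m in enumerate("JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), 1)}
DAYS = {d: i for i, d in enumerate("SUN MON TUE WED THU FRI SAT".split(), 1)}  # Quartz: 1=SUN .. 7=SAT

def _num(tok, field):
    """Integer value of one token; month and day-of-week names are accepted case-insensitively."""
    names = MONTHS if field == "month" else DAYS if field == "dow" else {}
    return names[tok.upper()] if tok.upper() in names else int(tok)

def _expand(spec, field):
    """Expand lists, ranges and increments ('1,3-5,0/15') into the set of matching integers."""
    lo, hi = RANGES[field]
    out = set()
    for part in spec.split(","):
        base, _, step = part.partition("/")  # '0/15' or '*/15': start/step, running to the field maximum
        if base == "*" or (step and "-" not in base):
            base = f"{lo if base == '*' else _num(base, field)}-{hi}"
        a, b = (_num(x, field) for x in base.split("-")) if "-" in base else (_num(base, field),) * 2
        if not lo <= a <= b <= hi:
            raise ValueError(f"{field}: '{part}' is outside {lo}-{hi}")
        out.update(range(a, b + 1, int(step or 1)))
    return out

def _nearest_weekday(n, year, month):
    """Quartz 'W': the Mon-Fri day nearest to day n, never crossing into another month."""
    last = calendar.monthrange(year, month)[1]
    n = min(n, last)
    wd = datetime(year, month, n).isoweekday()  # Mon=1 .. Sun=7
    if wd == 6:  # Saturday: the Friday before, or Monday the 3rd when n is the 1st
        return n - 1 if n > 1 else n + 2
    if wd == 7:  # Sunday: the Monday after, or the Friday before when n is the last day
        return n + 1 if n < last else n - 2
    return n

def _dom_matches(spec, d):
    last = calendar.monthrange(d.year, d.month)[1]
    if spec in ("?", "L"):  # '?' = no constraint; 'L' = last day of the month
        return spec == "?" or d.day == last
    if spec.startswith("L-"):  # 'L-3': third-to-last day of the month
        return d.day == last - int(spec[2:])
    if spec.endswith("W"):  # '15W': nearest weekday to the 15th; 'LW': last weekday of the month
        return d.day == _nearest_weekday(last if spec == "LW" else int(spec[:-1]), d.year, d.month)
    return d.day in _expand(spec, "dom")

def _dow_matches(spec, d):
    if spec == "?":
        return True
    q = d.isoweekday() % 7 + 1  # Python Mon=1..Sun=7 -> Quartz Sun=1..Sat=7
    last = calendar.monthrange(d.year, d.month)[1]
    if spec.endswith("L"):  # 'L' alone means 7 (SAT); '6L' means the last Friday of the month
        return q == (7 if spec == "L" else _num(spec[:-1], "dow")) and (spec == "L" or d.day + 7 > last)
    if "#" in spec:  # '6#3': the third Friday of the month
        day, nth = spec.split("#")
        return q == _num(day, "dow") and (d.day - 1) // 7 + 1 == int(nth)
    return q in _expand(spec, "dow")

def parse(expr):
    """Split into the 7 Quartz fields (year optional) and enforce the '?' rule."""
    parts = expr.split() + (["*"] if len(expr.split()) == 6 else [])  # an empty year means every year
    if len(parts) != 7:
        raise ValueError("a cron expression has 6 or 7 whitespace-separated fields")
    spec = dict(zip(FIELDS, parts))
    if (spec["dom"] == "?") == (spec["dow"] == "?"):
        raise ValueError("exactly one of day-of-month and day-of-week must be '?'")
    for f in ("second", "minute", "hour", "month", "year"):
        _expand(spec[f], f)  # raises on malformed or out-of-range values
    return spec

def is_valid(expr):
    try:
        return bool(parse(expr))
    except ValueError:
        return False

def next_fire(expr, after, max_days=400):
    """First instant strictly after `after` (datetime or ISO string) at which expr fires, else None."""
    after = datetime.fromisoformat(after) if isinstance(after, str) else after
    spec = parse(expr)
    secs, mins, hrs = (sorted(_expand(spec[f], f)) for f in ("second", "minute", "hour"))
    day = after.replace(hour=0, minute=0, second=0, microsecond=0)
    for _ in range(max_days):  # walk day by day; the date fields are checked once per day
        if (day.month in _expand(spec["month"], "month") and day.year in _expand(spec["year"], "year")
                and _dom_matches(spec["dom"], day) and _dow_matches(spec["dow"], day)):
            for h, m, s in product(hrs, mins, secs):
                cand = day.replace(hour=h, minute=m, second=s)
                if cand > after:
                    return cand
        day += timedelta(days=1)
    return None
```

Calling next_fire("0 15 10 L-2 * ?", "2024-02-01 00:00:00") returns 2024-02-27 10:15:00, and is_valid("0 15 10 * * *") is False because neither day field is '?'; the Keeper UI will reject such an expression too, and this check lets you catch it in a pipeline before a rotation silently never runs.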

How to bulk import KeeperPAM resources
Keeper supports importing PAM resources in bulk through the Keeper Commander CLI. This allows you to import a large number of resources, along with a PAM Configuration, Gateway and project folders, in one step.
Two import methods are available: simple and advanced. The simple method described on this page converts a basic CSV list of Windows hosts into a JSON import file that Keeper Commander can ingest. Use this method when onboarding large numbers of PAM Machines.
On this page, we demonstrate importing a large number of domain-joined Windows servers and their local admin accounts.
Prepare a CSV that contains the target servers and credentials.
Create or edit a JSON template that describes the project, policies and directory binding.
Run the helper script to merge the CSV data with the template and produce pam_import.json.
We will convert a basic 3-column CSV file into a JSON import file using a Python script. The script expects a comma-separated file named servers_to_import.csv by default. Each row must contain exactly three fields, hostname,username,password, as seen in the example below:
Tip: The first line is treated as a header if it matches the column names hostname,username,password. Replace Administrator and LocalAdminPassword123 with the local admin username and password for each server. Because the CSV holds plaintext admin passwords, keep it out of version control and delete it once the import is done.
Download the JSON template file and save it as import_template.json.
Replace every value beginning with uppercase XXX: with a real value.
Leave placeholders beginning with lowercase xxx: untouched; these are overwritten by the script.
For our simple example, we set the XXX fields as follows:
The CSV will be converted to a properly formatted JSON file for all of the servers.
Download the script and save it to the same working folder.
At this point, you have 3 files in the current folder:
pam_import_generator.py
import_template.json
servers_to_import.csv
Run the pam_import_generator.py script (the command is shown below; add --prefix-names to title each PAM User record server-username so that titles stay unique across machines). This creates a file called pam_import.json which contains all of the resources that will be imported into Keeper.
The file pam_import.json will now be imported into Keeper from the Commander CLI. Start your Keeper Commander session. If you haven't set up Commander yet, do so before continuing.
Run the import with the pam project import command shown below (this assumes that pam_import.json is in the Commander working directory; an absolute path also works).
When the import is complete, the response output in Commander will contain an access token:
Save the value inside the quotes (XXXXX.....) for initializing the Gateway in the next step, and treat it as a secret.
Note: After the import is complete, the vault will be updated with the resources. If your vault is currently open, click Full Sync or refresh the page.
This document doesn't cover the installation of a Keeper Gateway, so we assume that you have already done this. If you haven't created a Gateway, do so with your preferred installation method before continuing.
In the Gateway's configuration, update the GATEWAY_CONFIG value with the access token returned by the import above. For Docker installations, this is in the docker-compose.yaml file. For Windows installations, it is in the C:\ProgramData\KeeperGateway\config\gateway-config.json file.
Restart the Gateway.
At this point, the Gateway is running and has been associated with all of your imported resources. By default, the import will add all PAM projects to a folder called "PAM Environments".
Based on this example, below are some screenshots of the resources created:
Secrets Manager Application
Keeper Gateway
PAM Configuration
PAM Directory (Active Directory Service)
PAM Machine Resources (Windows Servers)
PAM Users for each PAM Machine (Local Admins)
This document demonstrated a basic example of importing a series of Windows servers for the purpose of establishing connections, tunnels and automated password rotation. The configuration of the connections and resources was deliberately kept simple.
More advanced import options, including the full JSON template capabilities, are documented on the pam project import reference page, which lists all of the settings that can be modified as part of the import process. If you need to re-run this process, delete the folders, PAM Configuration and Gateway from the vault and start over.
If you have any questions on the import process, contact your account team or email [email protected].
See the pam project import options for additional PAM automation capabilities.
Prerequisites:

Requirement                               Notes
Keeper Commander v17.1.2 or newer         Verify with keeper version
Python 3.8+                               Required to execute the conversion script
KeeperPAM License                         Enabled in the Keeper Admin Console
Admin role with Manage PAM permission     Enabled in the Keeper Admin Console
servers_to_import.csv (hostnames must use plain ASCII hyphens):

hostname,username,password
srv-01,Administrator,LocalAdminPassword123
srv-02,Administrator,LocalAdminPassword123
srv-03,Administrator,LocalAdminPassword123
srv-04,Administrator,LocalAdminPassword123
srv-05,Administrator,LocalAdminPassword123

import_template.json:

{
  "project": "XXX:Project1",
  "shared_folder_users": {
    "manage_users": true,
    "manage_records": true,
    "can_edit": true,
    "can_share": true
  },
  "shared_folder_resources": {
    "manage_users": true,
    "manage_records": true,
    "can_edit": true,
    "can_share": true
  },
  "pam_configuration": {
    "environment": "local",
    "connections": "on",
    "rotation": "on",
    "graphical_session_recording": "on"
  },
  "pam_data": {
    "resources": [
      {
        "_comment1": "Every key that starts with '_' is a comment and can be ignored or deleted",
        "_comment2": "Every value that starts with uppercase 'XXX:' must be replaced with actual value (removed if not required)",
        "_comment3": "Every value that starts with lowercase 'xxx:' is just a placeholder - can be replaced with anything but must be present",
        "type": "pamDirectory",
        "title": "XXX:Project1 AD",
        "directory_type": "XXX:active_directory|ldap",
        "host": "XXX:demo.local",
        "port": "XXX:636",
        "use_ssl": true,
        "domain_name": "XXX:demo.local",
        "pam_settings": {
          "options": {
            "rotation": "on",
            "connections": "on",
            "tunneling": "on",
            "graphical_session_recording": "on"
          },
          "connection": {
            "protocol": "rdp",
            "port": "XXX:3389",
            "security": "XXX:any",
            "ignore_server_cert": true,
            "_comment_administrative_credentials": "Must match the unique title of one of the users below",
            "administrative_credentials": "XXX:DomainAdmin"
          }
        },
        "users": [
          {
            "type": "pamUser",
            "_comment_title": "Must match administrative_credentials above if this is the admin user",
            "title": "XXX:DomainAdmin",
            "_comment_login_password": "Must provide valid credentials but delete sensitive data/json after import",
            "login": "XXX:[email protected]",
            "password": "XXX:P4ssw0rd_123",
            "rotation_settings": {
              "rotation": "general",
              "enabled": "on",
              "schedule": {
                "type": "on-demand"
              }
            }
          }
        ]
      },
      {
        "_comment4": "While the pamDirectory section above is static, the pamMachine section below is dynamically generated",
        "_comment5": "One pamMachine with one pamUser will be generated per each line from the CSV file",
        "_comment6": "Only one pamMachine is needed and it will be used as a template for all CSV rows",
        "_comment7": "Please do NOT edit lines with xxx: in them - these are placeholders",
        "_comment8": "Any other line that doesn't contain xxx: can be altered/added/deleted in the template",
        "_comment9": "CSV Format: server_name,username,password",
        "type": "pamMachine",
        "_comment_title_and_host": "server value from CSV",
        "title": "xxx:server1",
        "host": "xxx:server1",
        "port": "5986",
        "ssl_verification": true,
        "operating_system": "Windows",
        "pam_settings": {
          "options": {
            "rotation": "on",
            "connections": "on",
            "tunneling": "on",
            "graphical_session_recording": "on"
          },
          "connection": {
            "protocol": "rdp",
            "port": "3389",
            "security": "any",
            "ignore_server_cert": true,
            "_comment_administrative_credentials": "Format: pamDirectory#title.pamDirectory#administrative_credentials - exact match needed",
            "administrative_credentials": "XXX:Project1 AD.DomainAdmin"
          }
        },
        "users": [
          {
            "type": "pamUser",
            "_comment_title": "username value from CSV or server-username if --prefix-names option is used",
            "title": "xxx:admin",
            "_comment_login": "username value from CSV",
            "login": "xxx:Administrator",
            "_comment_password": "password value from CSV",
            "password": "xxx:P4ssw0rd_123",
            "rotation_settings": {
              "rotation": "general",
              "enabled": "on",
              "schedule": {
                "type": "on-demand"
              }
            }
          }
        ]
      }
    ]
  }
}

Top section:
"project": "Import Demo Project"

pam_data.resources (pamDirectory):
"title": "My Domain Controller"
"directory_type": "active_directory"
"host": "lureydemo.local"
"port": "636"
"domain_name": "lureydemo.local"

pam_data.resources.pamDirectory.pam_settings.connection:
"port": "3389"
"security": "any"
"administrative_credentials": "My Domain Admin"

pam_data.resources.pamDirectory.users:
"title": "My Domain Admin"
"login": "[email protected]"
"password": "YourExistingDomainPassword"

pam_data.resources.pamMachine.pam_settings.connection:
"administrative_credentials": "My Domain Controller.My Domain Admin"
(note: this value is the directory title and the directory admin title joined with a period, so it must match both exactly)

Generate the import file:

python3 pam_import_generator.py --prefix-names

Start Commander:

keeper shell

Run the import from the Commander shell:

pam project import -f pam_import.json

The response output contains the access token:

"access_token": "XXXXXXXX...."
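The script below is an added example of the CSV-to-JSON merge the steps above describe; it is not Keeper's pam_import_generator.py, whose internals this page does not show. It assumes: the header row is optional and detected by name; --prefix-names titles each user server-username, as the template comment states; keys beginning with '_' are dropped from the output because the template documents them as comments; any value still beginning with uppercase XXX: is an error, since the page says every such value must be replaced by hand. The embedded template is a trimmed, constructed copy of the page's template (the directory login is a made-up value), and the CSV is constructed too. Hostnames are checked to be ASCII because a copy-pasted non-breaking hyphen looks like '-' but produces a host the Gateway cannot resolve, and the output is written with mode 0600 because it contains plaintext admin passwords that the template itself tells you to delete after import.

```python
"""Merge a hostname,username,password CSV into the JSON import template, emitting one pamMachine
(with one local-admin pamUser) per row. Added example, not Keeper's pam_import_generator.py; the
template below is a trimmed, constructed copy of the page's template and the CSV is constructed too."""
import copy
import csv
import io
import json
import os
import sys

SAMPLE_TEMPLATE = {
    "project": "Import Demo Project",
    "pam_configuration": {"environment": "local", "connections": "on", "rotation": "on"},
    "pam_data": {"resources": [
        {"type": "pamDirectory", "title": "My Domain Controller", "directory_type": "active_directory",
         "host": "lureydemo.local", "port": "636", "use_ssl": True, "domain_name": "lureydemo.local",
         "users": [{"type": "pamUser", "title": "My Domain Admin",  # login is a made-up value
                    "login": "admin@lureydemo.local", "password": "YourExistingDomainPassword"}]},
        {"_comment": "template row: every lowercase xxx: value is overwritten from the CSV",
         "type": "pamMachine", "title": "xxx:server1", "host": "xxx:server1", "port": "5986",
         "ssl_verification": True, "operating_system": "Windows",
         "pam_settings": {"connection": {"protocol": "rdp", "port": "3389", "security": "any",
                                         "administrative_credentials": "My Domain Controller.My Domain Admin"}},
         "users": [{"type": "pamUser", "title": "xxx:admin", "login": "xxx:Administrator",
                    "password": "xxx:P4ssw0rd_123",
                    "rotation_settings": {"rotation": "general", "enabled": "on", "schedule": {"type": "on-demand"}}}]},
    ]},
}

# Constructed sample. Hostnames must be plain ASCII: a copy-pasted U+2011 non-breaking hyphen looks
# like '-' but yields a host the Gateway cannot resolve.
SAMPLE_CSV = """hostname,username,password
srv-01,Administrator,LocalAdminPassword123
srv-02,Administrator,LocalAdminPassword123
srv-03,Administrator,LocalAdminPassword123
"""

def load_rows(csv_text):
    """Parse the 3-column CSV, skipping the header row if present, and reject malformed rows."""
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if r]
    if rows and [c.strip().lower() for c in rows[0]] == ["hostname", "username", "password"]:
        rows = rows[1:]
    out = []
    for n, r in enumerate(rows, 1):
        if len(r) != 3 or not all(c.strip() for c in r):
            raise ValueError(f"row {n}: expected exactly hostname,username,password")
        host, user, pw = (c.strip() for c in r)
        if not host.isascii():
            raise ValueError(f"row {n}: hostname {host!r} contains non-ASCII characters")
        out.append((host, user, pw))
    return out

def unreplaced_paths(obj, path="$"):
    """JSON paths of every value still starting with 'XXX:'; these must be filled in by hand."""
    if isinstance(obj, dict):
        return [p for k, v in obj.items() for p in unreplaced_paths(v, f"{path}.{k}")]
    if isinstance(obj, list):
        return [p for i, v in enumerate(obj) for p in unreplaced_paths(v, f"{path}[{i}]")]
    return [path] if isinstance(obj, str) and obj.startswith("XXX:") else []

def strip_comments(obj):
    """Drop every key beginning with '_'; the template documents them as comments."""
    if isinstance(obj, dict):
        return {k: strip_comments(v) for k, v in obj.items() if not k.startswith("_")}
    return [strip_comments(v) for v in obj] if isinstance(obj, list) else obj

def build_import(template, rows, prefix_names=False):
    """Expand the single pamMachine template into one machine plus one local admin per CSV row."""
    resources = template["pam_data"]["resources"]
    machine_tpl = next(r for r in resources if r.get("type") == "pamMachine")
    machines = []
    for host, user, pw in rows:
        m = copy.deepcopy(machine_tpl)
        m["title"] = m["host"] = host
        u = m["users"][0]
        u["title"] = f"{host}-{user}" if prefix_names else user  # --prefix-names keeps user titles unique
        u["login"], u["password"] = user, pw
        machines.append(m)
    out = copy.deepcopy(template)
    out["pam_data"]["resources"] = [r for r in resources if r.get("type") != "pamMachine"] + machines
    out = strip_comments(out)
    left = unreplaced_paths(out)
    if left:
        raise ValueError("replace these XXX: placeholders in the template first: " + ", ".join(left))
    return out

def write_private(path, obj):
    """Write with mode 0600 (POSIX): the file holds plaintext admin passwords; delete it after import."""
    with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:
        json.dump(obj, f, indent=2)

if __name__ == "__main__":
    # usage: python3 generate.py [servers_to_import.csv] [import_template.json] [--prefix-names]
    args = [a for a in sys.argv[1:] if a != "--prefix-names"]
    csv_text = open(args[0]).read() if args else SAMPLE_CSV
    template = json.load(open(args[1])) if len(args) > 1 else SAMPLE_TEMPLATE
    write_private("pam_import.json", build_import(template, load_rows(csv_text), "--prefix-names" in sys.argv))
```

Run without arguments it writes pam_import.json from the embedded sample; with the CSV and template paths it behaves like the procedure above. The unreplaced_paths check is what turns a forgotten XXX:demo.local into an error before the import, rather than a PAM Directory pointing at a non-existent host afterwards.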






