All pages
Powered by GitBook
1 of 5

Examples

Example connection records

A few example guides explain how to set up Connections:

SSH Protocol - Linux Machine

Establish a connection to a Linux Machine directly from your Vault

Overview

In this guide, you will learn how to configure a Linux Machine on your PAM Machine and configure the SSH protocol to successfully launch a zero-trust connection to the Linux Machine — directly from your Keeper Vault.

Summary

For this setup, you need to do the following:

  1. Enable the Connection Enforcement Policies

  2. Install and Configure the Keeper Gateway

  3. Create and configure the PAM Configuration File

  4. Create the PAM Machine and PAM User record types

  5. Configure PAM Settings and the SSH Connection Protocol

After completing the above, you can launch zero-trust connections to the Linux Machine directly from your Keeper Vault.

Step 1 - Enable Connection Enforcement Policies

From the Admin Console, enable the corresponding PAM Enforcement Policies for connections:

Policy
Definition
Commander CLI

Can configure connection and session recording

Allow users to configure Connection and Session Recordings settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types

ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS

Can launch connections

Allow users to launch connections on PAM Machine, PAM Directory, PAM Database Record Types

ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION

Can view session recordings

Allow users to view Session Recordings

ALLOW_VIEW_KCM_RECORDINGS

Step 2 - Install and configure the Keeper Gateway

Prior to creating the PAM Record types in your Vault, the Keeper Gateway needs to be installed in your infrastructure. Visit the following guides based on your needs:

Additionally, the Keeper Gateways needs to be configured with the Gateway token. For more information, visit this page.

Steps 3 and Step 4 can be automated with the Gateway Wizard. For more information, visit this page.

Step 3 - Configuring the PAM Configuration

The PAM Configuration contains critical information on your infrastructure, settings and associated Keeper Gateway. Visit the following pages for more details based on your target infrastructure:

Step 4 - Create and Configure PAM Machine and PAM User(s) Records

After setting up your Gateway and PAM Configuration Record, the Linux Machine and its users need to be configured on PAM Record types in your Vault:

  • PAM Machine - The Linux machine is configured on this record type

  • PAM User - The Linux User is configured on this record type

Refer to this example on how to configure Linux Machine on a PAM Machine record type:

Example: Linux Machine

Step 5 - Configuring PAM Settings and SSH Protocol

The PAM Machine record type contains the necessary information required for the Keeper Gateway to locate and establish a connection with the machine, while the PAM User record type contains the necessary information to authenticate the connection.

The PAM Settings need to be configured to enable connections or tunnels on the target defined on the PAM Machine Record. To configure the SSH protocol, visit the following page:

SSH Connections

Launching Connections

Once you have configured the SSH Protocol connection on your PAM Machine Record, your record will contain the following connection banner with the "Launch" Button:

In the above image, a Linux Machine has been configured on the PAM Machine Record. When clicking launch, the Vault Client will render a window with the established connection protocol to the specified target:

Sharing PAM Machine Records

PAM Machine records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.

When sharing a PAM Machine record, the linked admin credentials will not be shared. For example, if the PAM Machine is configured with a Linux Machine, the recipient can connect to the Linux Machine on the PAM Machine record without having direct access to the linked credentials.

RDP Protocol - Azure Virtual Machine

Establish a connection to an Azure Virtual Machine directly from your Vault

Overview

In this guide, you will learn how to configure a Azure Virtual Machine on your PAM Machine and configure the RDP protocol to successfully launch a zero-trust connection to the Azure Virtual Machine — directly from your Keeper Vault.

Summary

For this setup, you need to do the following:

  1. Enable the Connection Enforcement Policies

  2. Install and Configure the Keeper Gateway

  3. Create and configure the PAM Configuration File

  4. Create the PAM Machine and PAM User record types

  5. Configure PAM Settings and the RDP Connection Protocol

After completing the above, you can launch zero-trust connections to the Azure Virtual Machine directly from your Keeper Vault.

Step 1 - Enable Connection Enforcement Policies

From the Admin Console, enable the corresponding PAM Enforcement Policies for connections:

Policy
Definition
Commander CLI

Can configure connection and session recording

Allow users to configure Connection and Session Recordings settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types

ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS

Can launch connections

Allow users to launch connections on PAM Machine, PAM Directory, PAM Database Record Types

ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION

Can view session recordings

Allow users to view Session Recordings

ALLOW_VIEW_KCM_RECORDINGS

Step 2 - Install and configure the Keeper Gateway

Prior to creating the PAM Record types in your Vault, the Keeper Gateway needs to be installed in your infrastructure. Visit the following guides based on your needs:

Additionally, the Keeper Gateways needs to be configured with the Gateway token. For more information, visit this page.

Steps 3 and Step 4 can be automated with the Gateway Wizard. For more information, visit this page.

Step 3 - Configuring the PAM Configuration

The PAM Configuration contains critical information on your infrastructure, settings and associated Keeper Gateway. Visit the following pages for more details based on your target infrastructure:

Step 4 - Create and Configure PAM Machine and PAM User(s) Records

After setting up your Gateway and PAM Configuration Record, the Azure Virtual Machine and its users need to be configured on PAM Record types in your Vault:

  • PAM Machine - The Azure Virtual machine is configured on this record type

  • PAM User - The Azure Virtual User is configured on this record type

Refer to this example on how to configure Azure Virtual Machine on a PAM Machine record type:

Example: Azure Windows VM

Step 5 - Configuring PAM Settings and RDP Protocol

The PAM Machine record type contains the necessary information required for the Keeper Gateway to locate and establish a connection with the machine, while the PAM User record type contains the necessary information to authenticate the connection.

The PAM Settings need to be configured to enable connections or tunnels on the target defined on the PAM Machine Record. To configure the RDP protocol, visit the following page:

RDP Connections

Launching Connections

Once you have configured the RDP Protocol connection on your PAM Machine Record, your record will contain the following connection banner with the "Launch" Button:

In the above image, an Azure Virtual Machine has been configured on the PAM Machine Record. When clicking launch, the Vault Client will render a window with the established connection protocol to the specified target:

Sharing PAM Machine Records

PAM Machine records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.

When sharing a PAM Machine record, the linked admin credentials will not be shared. For example, if the PAM Machine is configured with an Azure Virtual Machine, the recipient can connect to the Azure Virtual Machine on the PAM Machine record without having direct access to the linked credentials.

MySQL Protocol - MySQL Database

Establish a connection to a MySQL Database directly from your Vault

Overview

In this guide, you will learn how to configure a MySQL Database on your PAM Database and configure the MySQL protocol to successfully launch a zero-trust connection to the MySQL Database — directly from your Keeper Vault.

Summary

For this setup, you need to do the following:

  1. Enable the Connection Enforcement Policies

  2. Install and Configure the Keeper Gateway

  3. Create and configure the PAM Configuration File

  4. Create the PAM Database and PAM User record types

  5. Configure PAM Settings and the MySQL Connection Protocol

After completing the above, you can launch zero-trust connections to the MySQL Database directly from your Keeper Vault.

Step 1 - Enable Connection Enforcement Policies

From the Admin Console, enable the corresponding PAM Enforcement Policies for connections:

Policy
Definition
Commander CLI

Can configure connection and session recording

Allow users to configure Connection and Session Recordings settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types

ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS

Can launch connections

Allow users to launch connections on PAM Machine, PAM Directory, PAM Database Record Types

ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION

Can view session recordings

Allow users to view Session Recordings

ALLOW_VIEW_KCM_RECORDINGS

Step 2 - Install and configure the Keeper Gateway

Prior to creating the PAM Record types in your Vault, the Keeper Gateway needs to be installed in your infrastructure. Visit the following guides based on your needs:

Additionally, the Keeper Gateways needs to be configured with the Gateway token. For more information, visit this page.

Steps 3 and Step 4 can be automated with the Gateway Wizard. For more information, visit this page.

Step 3 - Configuring the PAM Configuration

The PAM Configuration contains critical information on your infrastructure, settings and associated Keeper Gateway. Visit the following pages for more details based on your target infrastructure:

Step 4 - Create and Configure PAM Database and PAM User(s) Records

After setting up your Gateway and PAM Configuration Record, the MySQL Database and its users need to be configured on PAM Record types in your Vault:

  • PAM Database - The MySQL Database is configured on this record type

  • PAM User - The MySQL Database User is configured on this record type

Refer to this example on how to configure MySQL Database on a PAM Database record type:

Example: MySQL Database

Step 5 - Configuring PAM Settings and MySQL Protocol

The PAM Database record type contains the necessary information required for the Keeper Gateway to locate and establish a connection with the database, while the PAM User record type contains the necessary information to authenticate the connection.

The PAM Settings need to be configured to enable connections or tunnels on the target defined on the PAM Database Record. To configure the MySQL protocol, visit the following page:

MySQL Connections

Launching Connections

Once you have configured the MySQL Protocol connection on your PAM Database Record, your record will contain the following connection banner with the "Launch" Button:

In the above image, a MySQL Database has been configured on the PAM Database Record. When clicking launch, the Vault Client will render a window with the established connection protocol to the specified target.

Sharing PAM Database Records

PAM Database records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.

When sharing a PAM Database record, the linked admin credentials will not be shared. For example, if the PAM Database is configured with a MySQL Database, the recipient can connect to the MySQL Database on the PAM Database record without having direct access to the linked credentials.

PostgreSQL Protocol - PostgreSQL Database

Establish a connection to a PostgreSQL Database directly from your Vault

Overview

In this guide, you will learn how to configure a PostgreSQL Database on your PAM Database and configure the PostgreSQL protocol to successfully launch a zero-trust connection to the PostgreSQL Database — directly from your Keeper Vault.

Summary

For this setup, you need to do the following:

  1. Enable the Connection Enforcement Policies

  2. Install and Configure the Keeper Gateway

  3. Create and configure the PAM Configuration File

  4. Create the PAM Database and PAM User record types

  5. Configure PAM Settings and the PostgreSQL Connection Protocol

After completing the above, you can launch zero-trust connections to the PostgreSQL Database directly from your Keeper Vault.

Step 1 - Enable Connection Enforcement Policies

From the Admin Console, enable the corresponding PAM Enforcement Policies for connections:

Policy
Definition
Commander CLI

Can configure connection and session recording

Allow users to configure Connection and Session Recordings settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types

ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS

Can launch connections

Allow users to launch connections on PAM Machine, PAM Directory, PAM Database Record Types

ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION

Can view session recordings

Allow users to view Session Recordings

ALLOW_VIEW_KCM_RECORDINGS

Step 2 - Install and configure the Keeper Gateway

Prior to creating the PAM Record types in your Vault, the Keeper Gateway needs to be installed in your infrastructure. Visit the following guides based on your needs:

Additionally, the Keeper Gateways needs to be configured with the Gateway token. For more information, visit this page.

Steps 3 and Step 4 can be automated with the Gateway Wizard. For more information, visit this page.

Step 3 - Configuring the PAM Configuration

The PAM Configuration contains critical information on your infrastructure, settings and associated Keeper Gateway. Visit the following pages for more details based on your target infrastructure:

Step 4 - Create and Configure PAM Database and PAM User(s) Records

After setting up your Gateway and PAM Configuration Record, the PostgreSQL Database and its users need to be configured on PAM Record types in your Vault:

  • PAM Database - The PostgreSQL Database is configured on this record type

  • PAM User - The PostgreSQL Database User is configured on this record type

Refer to this example on how to configure PostgreSQL Database on a PAM Database record type:

Example: PostgreSQL Database

Step 5 - Configuring PAM Settings and PostgreSQL Protocol

The PAM Database record type contains the necessary information required for the Keeper Gateway to locate and establish a connection with the database, while the PAM User record type contains the necessary information to authenticate the connection.

The PAM Settings need to be configured to enable connections or tunnels on the target defined on the PAM Database Record. To configure the PostgreSQL protocol, visit the following page:

PostgreSQL Connections

Launching Connections

Once you have configured the PostgreSQL Protocol connection on your PAM Database Record, your record will contain the following connection banner with the "Launch" Button:

In the above image, a PostgreSQL Database has been configured on the PAM Database Record. When clicking launch, the Vault Client will render a window with the established connection protocol to the specified target.

Sharing PAM Database Records

PAM Database records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.

When sharing a PAM Database record, the linked admin credentials will not be shared. For example, if the PAM Database is configured with a PostgreSQL Database, the recipient can connect to the PostgreSQL Database on the PAM Database record without having direct access to the linked credentials.