All pages
Powered by GitBook
1 of 10

Gateways

Installation and setup of the Keeper Gateway

Overview

The Keeper Gateway is a service that is installed on any Docker, Linux or Windows machine in order to execute rotation, discovery, connection and tunneling. A single Gateway can be used to communicate with any target infrastructure, both on-prem and cloud. Typically, customers deploy a Keeper Gateway in each environment that is being managed.

Platforms Supported

Platform Specific Capabilities

The Keeper Gateway offers different feature capabilities based on the underlying operating system and hardware. We recommend using Docker on a Linux or Windows host with x86 CPUs for full feature support and ease of management.

Platform
Compatibility

Docker (Linux or Windows host w/ x86)

  • All features supported

Linux (RHEL 8, Rocky Linux 8)

  • All features supported

Docker (Linux host on ARM)

  • No Remote Browser Isolation

Linux Binary Install (Ubuntu, Debian)

  • No Remote Browser Isolation

  • Limited connection protocols

Windows Binary Install

  • No Remote Browser Isolation

  • No database connections

Note: EL9 which includes Rocky Linux 9 and RHEL 9 support is coming soon.

System Requirements

System requirements vary based on the number of simultaneous user sessions and the types of connections being established. As the volume of simultaneous connections grows, scaling CPU and memory resources becomes essential. In particular, remote browser isolation (RBI) launches a headless Chromium instance for each session. If you anticipate a high number of RBI sessions, ensure the system is scaled to meet these demands.

For a testing or sandbox a minimum of 2 CPUs with 8GB of memory and 10GB of storage is required. In a production environment, increase to at least 4 CPUs with 16GB of memory. Scale the number of CPUs and memory as the number of simultaneous sessions increases.

Installation Steps

The Keeper Gateway generates encryption keys and a local Secrets Manager configuration that is used to authenticate with the Keeper cloud. The location depends on the context in which the Gateway is being run. It can be installed to the local user or installed as a service.

  • Login to the Keeper Web Vault or Desktop App (version 17.1 or newer required)

  • Click on Secrets Manager on the left side

  • Create a new Secrets Manager Application or select existing application

  • Click on the "Gateways" tab and click "Provision Gateway"

  • Select Docker, Linux or Windows install method

  • Install the Keeper Gateway using the provided method

During the creating of a Keeper Gateway using a one-time token method for Linux and Windows, you have the choice to select "Lock external WAN IP Address of device for initial request". This will additionally IP lock the Gateway in addition to the authentication and encryption built into the service.

Based on your Operating System, refer to the corresponding guide on installing the Keeper Gateway:

Additional Installation Configurations

If you are installing on an EC2 instance in AWS, the Keeper Gateway can be configured to use the instance role for pulling its configuration from AWS Secrets Manager. Detailed instructions on this setup can be found here.

Creating a Gateway

Creating a Keeper Gateway

Overview

In order to install and setup a Keeper Gateway device, you need to have a few resources set up:

  • Shared Folders to hold the PAM Resources (Machines, Databases, Users, etc)

  • Keeper Secrets Manager application

  • PAM Configuration

To simplify the process, we have a new Gateway wizard which creates all of the necessary components. Or, you can run each step individually.

Using the Gateway Wizard

A new Gateway deployment can be created by clicking on Create New > Gateway from the Web Vault. We have also posted a page describing how to create a sandbox environment in just a few steps.

Creating a Gateway

1

Create a Secrets Manager Application

  • In the Keeper Web Vault or Desktop App user interface, create a Shared Folder. This Shared Folder will contain the PAM resource records.

  • Navigate to the "Secret Managers" tab on the left and click on "Create Application" to create a KSM application

  • In the prompted window:

    • Enter the name of your KSM application

    • Choose the Shared Folder

    • Set the Record Permissions for Application to "Can Edit"

    • Click on "Generate Access Token" and then click on "OK"

    • You can safely ignore the first One-Time Access Token generated for the newly created KSM application. When creating a Keeper Gateway device, a different One-Time Access Token will be created.

Create a KSM Application
2

Generate the Gateway Token

  • From the Application screen, open the Gateways tab

  • Click on Provision Gateway

  • Select a name for the Gateway and the operating system

  • Follow the on-screen instructions based on the type of install

Windows Gateway

Using Commander CLI

You can also create a Gateway and configuration file from the Commander CLI:

pam gateway new -n "<Gateway Name>" -a <Application Name or UID> -c b64

The Application names and UIDs can be found with secrets-manager app list

Docker Installation

Instructions for installing Keeper Gateway on Docker

Overview

This document contains information on how to install, configure, and update your Keeper Gateway on Docker. The Docker container is built upon the base image of Rocky Linux 8 and it is hosted in DockerHub.

For full PAM capabilities, use a Linux host with a x86 AMD processor.

Prerequisites

  • A Linux host with a x86 AMD processor

  • docker and docker-compose installed (see Docker Install for help)

Note: The syntax is docker-compose for servers, but on a local Docker Desktop it might be docker compose (with no space).

Create a Gateway

A new Gateway deployment can be created by clicking on Create New > Gateway from the Web Vault or Desktop App (version 17.1 or newer required).

You can also create a Gateway and configuration file from the Commander CLI:

pam gateway new -n "<Gateway Name>" -a <Application Name or UID> -c b64

The Application names and UIDs can be found with secrets-manager app list

Installation

1

Docker Compose

A Docker Compose file is provided through the Vault UI. Typically this file would be saved in your local environment as docker-compose.yml in your preferred folder. An example is below:

services:
      keeper-gateway:
        platform: linux/amd64
        image: keeper/gateway:latest
        shm_size: 2g
        security_opt:
          - "seccomp:docker-seccomp.json"
        environment:
          ACCEPT_EULA: Y
          GATEWAY_CONFIG: XXXXXXXXXXXXXXXXX

The only required environment variable setting is GATEWAY_CONFIG which is the resulting base64-encoded configuration provided when creating a Gateway device.

2

SecComp File

Download this file called docker-seccomp.json and place it in the same folder as your Docker Compose file.

15KB
docker-seccomp.json
3

Start the Service

Ensure that you are located in the folder where the docker-compose.yml is saved. Executing the following command will run the Keeper Gateway container in the background, as specified in the docker compose file:

docker compose up -d

Logging

When running the latest version of the Keeper Gateway, you'll see the output in the logs like below:

docker compose logs keeper-gateway
Docker Logs from Keeper Gateway

On the Vault UI in the Secrets Manager > Applications > Gateways screen, the Gateway will show Online.

Gateway is Online

Gateway Service Management

Starting the service

docker compose up -d

Stopping the service

docker compose stop

Restarting the service

docker compose restart

Connecting to the Gateway container

docker compose exec keeper-gateway bash

Enable Debugging

If you need to enable verbose debug logs on the Gateway, enable debug logging by adding the below environment section variables to your Docker Compose file:

services:
      keeper-gateway:
        .....
        environment:
          KEEPER_GATEWAY_LOG_LEVEL: "debug" # logs for gateway
          LOG_LEVEL: "debug" # logs for guacd

After debug is enabled, restart the service with docker compose restart

Tailing the logs:

docker compose logs -f keeper-gateway

Updating

Executing the following command will update the Keeper Gateway container to the latest version and restart the service:

docker compose pull
docker compose down
docker compose up -d

Start up automatically

Adding the "restart" parameter in the docker-compose.yml file will assign a restart policy to the environment:

restart: always

Starting Gateway on Reboot

If you would like to force the host operating system to automatically start the Keeper Gateway on a Docker installation, follow these steps (Linux host).

First, create a .service file in /etc/systemd/system/keeper-gateway.service

[Unit]
Description=Keeper Gateway Docker Compose
Requires=docker.service
After=docker.service

[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/home/ec2-user
ExecStart=/usr/local/bin/docker-compose up -d
ExecStop=/usr/local/bin/docker-compose down
User=ec2-user
Group=docker

[Install]
WantedBy=multi-user.target

NOTE:

  • Replace /home/ec2-user with the path to your docker-compose.yml

  • Replace ec2-user user with your user running Docker

  • Replace docker group with your defined group

Then enable the service:

sudo systemctl daemon-reload
sudo systemctl enable keeper-gateway.service
sudo systemctl start keeper-gateway.service

Network Configuration

The Gateway establishes outbound-only connections to the following:

Destination
Port Needed
More Info

Keeper Cloud (keepersecurity.[com|eu|com.au|ca|us|jp)

TLS Port 443

Outbound access for Vault login and Keeper Secrets Manager APIs.

Keeper Relay (krelay.keepersecurity.[com|eu|com.au|jp|ca|us])

TCP and UDP port 3478

Needed to establish secure & encrypted connections between the user's vault and the Gateway service.

Keeper Relay (krelay.keepersecurity.[com|eu|com.au|jp|ca|us])

Outbound access to TCP and UDP ports 49152 through 65535

Needed to establish outbound access over the designated port ranges

The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. Keeper Secrets Manager APIs are used to communicate with the Keeper cloud.

Connecting to the Host Instance

A very useful capability of the Keeper Gateway is being able to open connections and tunnels to the host machine. By adding the extra_hosts section to your docker compose file with a value of host.docker.internal:host-gateway, you can open sessions directly to the host.

Example docker compose with the Gateway container:

services:
      keeper-gateway:
        platform: linux/amd64
        image: keeper/gateway:latest
        shm_size: 2g
        restart: always
        extra_hosts:
          - "host.docker.internal:host-gateway"
        security_opt:
          - "seccomp:docker-seccomp.json"
        environment:
          ACCEPT_EULA: Y
          GATEWAY_CONFIG: xxxxxxxx

Enabling this option allows you to establish a Connection to the host. For example, to open an SSH connection:

  • Create a PAM User record with the SSH private key

  • Create a PAM Machine record with the hostname to host.docker.internal and port 22

  • Activate the SSH connection in PAM settings referencing the PAM User

Upgrading the Keeper Gateway service through the host

If you use KeeperPAM to SSH over to the host service, you can upgrade the container by running the container update of the gateway in the background:

docker-compose pull
nohup docker-compose up -d keeper-gateway &

References:

Linux Installation

Instructions for installing Keeper Gateway on Linux

Overview

This document contains information on how to install, configure, and update your Keeper Gateway on Linux.

Prerequisites

  • Prior to proceeding with this document, make sure you created a Gateway device.

  • For full capabilities, use Rocky Linux 8, RHEL 8 or Alma Linux 8.

  • If you cannot use one of these Linux flavors, please install using the Docker method

Installation

Install Command

Executing the following command will install the Keeper Gateway, and run it as a service:

curl -fsSL https://keepersecurity.com/pam/install | \
  sudo bash -s -- --token XXXXXX

  • Replace XXXXX with the One-Time Access Token provided from creating the Keeper Gateway

Installation Location

The gateway will be installed in the following location:

/usr/local/bin/keeper-gateway

An alias gateway is also created in the same directory

gateway -> /usr/local/bin/keeper-gateway

Gateway Service Management

For managing the Keeper Gateway as a service, the following are created during the Gateway installation:

  • A keeper-gateway folder

  • A keeper-gw user

keeper-gateway folder

The keeper-gateway folder contains the gateway configuration file and is created in the following location:

/etc/keeper-gateway

keeper-gw user

During the gateway installation, a new user, keeper-gw, is created and added to the sudoers list in /etc/sudoers.d/.

The keeper-gw user is the owner of the keeper-gateway folder and runs the gateway service. This is required when performing rotations on the gateway service and performing post-execution scripts.

Managing the Gateway Service

The following commands can be executed to start, restart, or stop the Keeper Gateway as a service:

sudo systemctl start keeper-gateway
sudo systemctl restart keeper-gateway
sudo systemctl stop keeper-gateway

Keeper Gateway Configuration File

The Keeper Gateway configuration file contains a set of tokens that includes encryption keys, client identifiers, and tenant server information used to authenticate and decrypt data from the Keeper Secrets Manager APIs. This configuration file is created from the One-Time Access Token generated when you created the Gateway.

If the Keeper Gateway is installed and running as a service, the gateway configuration file is stored in the following location: 

/etc/keeper-gateway/gateway-config.json

If the Keeper Gateway is installed locally and not running as a service, the gateway configuration file is stored in the following location:

<User>/.keeper/gateway-config.json

Keeper Gateway Log files

Logs that contain helpful debugging information are automatically created and stored on the local machine.

If the Gateway is running as a service, the log files are stored in the following location:

/var/log/keeper-gateway/

If the Gateway is not running as a service, the log files are stored in the following location:

<User>/.keeper/logs/

Verbose Logging

To add verbose debug logging, modify this file:

/etc/systemd/system/keeper-gateway.service

and add the -d flag to the "gateway start" command, e.g:

ExecStart=/bin/bash -c "/usr/local/bin/gateway start --service -d --config-file /etc/keeper-gateway/gateway-config.json"

Apply changes to the service:

sudo systemctl daemon-reload
sudo systemctl restart keeper-gateway

Tailing the Logs

sudo journalctl -u keeper-gateway.service -f

Upgrading

Executing the following command will upgrade the Keeper Gateway to the latest version: 

curl -fsSL https://keepersecurity.com/pam/install | sudo bash -s --

Auto Update

Configure your Keeper Gateway installation to automatically check for updates, ensuring it stays up-to-date with the latest version.

Uninstalling

Executing the following command will uninstall the Keeper Gateway:

curl -fsSL https://keepersecurity.com/pam/uninstall | sudo bash -s --

Network Configuration

The Gateway establishes outbound-only connections to the following:

Destination
Port Needed
More Info

Keeper Cloud (keepersecurity.[com|eu|com.au|ca|us|jp)

TLS Port 443

Outbound access for Vault login and Keeper Secrets Manager APIs.

Keeper Relay (krelay.keepersecurity.[com|eu|com.au|jp|ca|us])

TCP and UDP port 3478

Needed to establish secure & encrypted connections between the user's vault and the Gateway service.

Keeper Relay (krelay.keepersecurity.[com|eu|com.au|jp|ca|us])

Outbound access to TCP and UDP ports 49152 through 65535

Needed to establish outbound access over the designated port ranges

The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. Keeper Secrets Manager APIs are used to communicate with the Keeper cloud.

Checksum Verification

Keeper Gateway SHA256 hashes for the latest version are published at the below location:

https://keepersecurity.com/pam/latest.txt

Calculating and verifying the checksum:

Linux

sha256sum keeper-gateway_linux_x86_64
cat keeper-gateway_X.X.X_SHA256SUMS | grep keeper-gateway_linux_x86_64

PowerShell

Get-FileHash -Algorithm SHA256 keeper-gateway_windows_x86_64.exe | Format-List
Get-Content keeper-gateway_X.X.X_SHA256SUMS | Select-String keeper-gateway_windows_x86_64.exe

Windows Installation

Instructions for installing Keeper Gateway on Windows

Overview

This document contains information on how to install, configure, and update the Keeper Gateway on Windows.

Prerequisite

Prior to proceeding with this document, make sure you created a Gateway device.

Installation

The latest Keeper Gateway for Windows is downloaded from here:

You can run the service under system privilege or use a service account.

Keeper Gateway for Windows

New Installs

Upon installation of the service, select "Enter a Keeper One-Time Access Token" and supply the token provided by when you created a Gateway on the Vault. After installation, the service will automatically start up and register with the Keeper cloud.

Upgrading

If you are upgrading an existing Gateway, un-check the "Enter a Keeper One-Time Access Token" so that the existing configuration is maintained.

Installation Location

The default installation location is the following: 

C:\ProgramFiles (x86)\Keeper Gateway\<version>

Setup Options

  • Install Windows service - Installs the gateway as a Windows service.

    • Use service account - Use the specified service account, otherwise the account installing the gateway will be used.

    • Start Windows service - Start the Keeper Gateway service immediately after installation

    • Enable automatic updates

  • Turn on debug logging - Enable verbose logging on the gateway log files. NOT recommended for production environments. Only use this when debugging with Keeper support.

  • Remove Keeper Gateway configuration and logs from previous installations

Specifying the Keeper Gateway Service Account

If "Use service account" is specified you will be prompted to enter the valid credentials of the desired service account:

Service Account Setup

One-Time Access Token

The final step prior to successfully installing the Keeper Gateway as service is to enter the One-Time Access Token provided from the Keeper Vault.

After clicking "Next", click "Install" in the next screen to install the Keeper Gateway.

Gateway Service Management

After installing and running the Keeper Gateway as a service, this service can be accessed and easily managed within the Windows Services Manager as "Keeper Gateway Service".

Keeper Gateway Service

Configuration File

The Keeper Gateway configuration file contains a set of tokens that includes encryption keys, client identifiers, and tenant server information used to authenticate and decrypt data from the Keeper Secrets Manager APIs. This configuration file is created from the One-Time Access Token generated when you created the Gateway.

If the Keeper Gateway is installed and running as a service, the gateway configuration file is stored in the following location: 

C:\ProgramData\KeeperGateway\config\gateway-config.json

If the Keeper Gateway is installed locally and not running as a service, the gateway configuration file is stored in the following location:

C:\Users\<User>\.keeper\gateway-config.json

Log files

Logs that contain helpful debugging information are automatically created and stored on the local machine.

If the gateway is running as a service, the gateway log files are stored in the following location:

C:\ProgramData\KeeperGateway\logs\

If the gateway is not running as a service, the gateway log files are stored in the following location:

C:\Users\<User>\.keeper\logs\

Verbose Logging

To activate verbose logging:

  • Go to Windows Services > Keeper Gateway > Properties

  • Stop the service

  • Set the "Start parameters" to: --debug or -d

  • Start the service by clicking on "Start" Do not click "OK" without first starting the service as it will not persist the Parameter setting

Verbose Logging Mode

Upgrading

To upgrade, stop the service, install the latest version and then start the service.

  • Back up your gateway-config.json configuration file

  • Run the latest Keeper Gateway installer

  • During installation DO NOT select "Enter a Keeper One-Time Access Token".

Auto Updates

Select "Enable automatic updates" during the installer process to ensure that your Keeper Gateway is automatically updated when there are new versions available.

Silent Install

This section provides instructions for performing a silent installation of the Keeper Gateway on Windows systems. Silent installation allows the setup process to run in the background without displaying any user interface or messages.

To install the Keeper Gateway silently, use the following command in your command prompt or script:

keeper-gateway_windows_x86_64.exe /verysilent /suppressmsgboxes /norestart /token=<TOKEN>

Replace <TOKEN> with the token provided in the Keeper Vault when creating the Keeper Gateway.

Configuration Options

If you have previously installed Keeper Gateway and wish to use the existing configuration, you can bypass the token entry by using:

/existingconfig=1

To generate a log file during the installation process, use the following option and specify the desired log file path:

/log=<Optional log file>

Windows Service Account

If you prefer to run the Keeper Gateway under a specific Windows service account, use the following options to specify the account details:

/mergetasks="service/account" /serviceuser=<ACCOUNT USERNAME> /servicepass=<ACCOUNT PASSWORD>

Replace <ACCOUNT USERNAME> and <ACCOUNT PASSWORD> with the credentials of the service account you intend to use.

Auto Updater

To enable the Auto Updater feature, allowing Keeper Gateway to automatically check for and apply updates, use the following option:

/autoupdate=1

Uninstalling

To uninstall the service:

  • Uninstall Keeper Gateway from "Add and remove programs"

  • If desired, delete the private configuration .json file

Network Configuration

The Gateway establishes outbound-only connections to the following:

Destination
Port Needed
More Info

Keeper Cloud (keepersecurity.[com|eu|com.au|ca|us|jp)

TLS Port 443

Outbound access for Vault login and Keeper Secrets Manager APIs.

Keeper Relay (krelay.keepersecurity.[com|eu|com.au|jp|ca|us])

TCP and UDP port 3478

Needed to establish secure & encrypted connections between the user's vault and the Gateway service.

Keeper Relay (krelay.keepersecurity.[com|eu|com.au|jp|ca|us])

Outbound access to TCP and UDP ports 49152 through 65535

Needed to establish outbound access over the designated port ranges

The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. Keeper Secrets Manager APIs are used to communicate with the Keeper cloud.

Checksum Verification

Keeper Gateway SHA256 hashes for the latest version are published at the below location:

https://keepersecurity.com/pam/latest.txt

Calculating and verifying the checksum:

Linux

sha256sum keeper-gateway_linux_x86_64
cat keeper-gateway_X.X.X_SHA256SUMS | grep keeper-gateway_linux_x86_64

PowerShell

Get-FileHash -Algorithm SHA256 keeper-gateway_windows_x86_64.exe | Format-List
Get-Content keeper-gateway_X.X.X_SHA256SUMS | Select-String keeper-gateway_windows_x86_64.exe

Auto Updater

Instructions for installing and configuring the Auto Updater for the Keeper Gateway.

Overview

Automatic updates of the Keeper Gateway can be enabled on Linux and Windows installations through Keeper's Auto Updater feature. The Auto Updater makes periodic checks to update your Keeper Gateway to the latest version.

By default, the Auto Updater is disabled when installing the Keeper Gateway

We recommend enabling the Auto Updater to ensure you receive the most recent security and functionality enhancements. The Auto Updater verifies all Keeper Gateway downloads by checking the GPG signature of hash value, which are then utilized to checksum each file.

Auto Updater Installation

Prerequisites

  • Ensure that you have administrative privileges on the system.

  • Version 1.4.0 or later of Keeper Gateway is required.

Docker

On Docker based installations, the best way to update the container is running the below commands from a cron job or your CI/CD tools.

As an example, create a file called update_gateway.sh that contains:

#!/bin/bash
set -e  # Exit immediately if a command fails

# Navigate to the directory containing your docker-compose.yml file
cd /path/to/your/docker-compose-directory

# Pull the latest image and update the Gateway container
docker compose pull
docker compose up -d keeper-gateway

Make the script executable:

chmod +x update_gateway.sh

Edit the crontab:

crontab -e

Add a line to schedule the script. For example, to run it every day at 3 AM:

0 3 * * * /path/to/update_gateway.sh >> /var/log/update_gateway.log 2>&1

Linux

New Gateway

Execute the following command to download and run the KeeperPAM installer with auto update enabled.

The --autoupdate parameter activates the auto updater in addition to the Keeper Gateway.

curl -fsSL https://keepersecurity.com/pam/install | \
  sudo bash -s -- --autoupdate

Existing Keeper Gateway

Activate the Auto Updater on an existing installation by executing the following Keeper Gateway command:

sudo keeper-gateway autoupdate enable

Verify Installation (Optional)

Verify that the Auto Updater has been installed successfully by executing the following Keeper Gateway command:

sudo keeper-gateway autoupdate status

Windows

New Gateway

  • Download and run the latest version of the Gateway installer.

  • During installation, check the box "Enable automatic updates".

  • This setup option will create a new Task Scheduler task for updating the Gateway.

Windows Automatic Updates

Existing Gateway

  • Open a command prompt as Administrator.

  • Install Auto Updater with the following Keeper Gateway command:

keeper-gateway autoupdate enable

Verify Installation (Optional)

  • Open a command prompt as Administrator.

  • Verify that Auto Updater has been installed successfully by executing the following Keeper Gateway command:

keeper-gateway autoupdate status

Auto Updater Status

Prerequisites

  • Ensure that you have administrative privileges on the system.

  • Version 1.4.0 or later of Keeper Gateway is required.

Status on Linux

Check the Auto Updater status by executing the following Keeper Gateway command:

sudo keeper-gateway autoupdate status

Status on Windows

  • Open a command prompt as Administrator

  • Check the Auto Updater status by executing the following Keeper Gateway command:

keeper-gateway autoupdate status

Auto Updater Configuration

Configuration on Linux

Edit the crontab that runs Auto Updater.

sudo crontab -e

Here is an example of the default crontab entry that checks for updates every hour:

0 * * * * /usr/local/bin/keeper-gateway-update --trust

  • The first part 0 * * * * is the crontab expression which will cause execution to occur every hour at 0 minutes.

  • The second part is the update command keeper-gateway-update

  • The option --trust causes explicit trust of the Keeper Gateway GPG public key for verification of downloaded install files.

Configuration on Windows

Configure the update frequency and other settings with the following steps:

  • Run taskschd.msc to open Windows Task Scheduler.

  • In the left pane double-click on Task Scheduler Library -> Keeper -> Gateway -> AutoUpdate to show the Auto Updater Task.

  • In the upper middle pane double-click on the AutoUpdate Task with the name of the current version and click on the Triggers menu tab.

  • Click Edit... to change when the Auto Updater checks for a new update to install. The default is to "Repeat task every 1 hour indefinitely" as shown below.

Auto Updater Removal

Prerequisites

  • Ensure that you have administrative privileges on the system.

  • Version 1.4.0 or later of Keeper Gateway is required.

Removal on Linux

Remove Auto Updater by executing the following Keeper Gateway command:

sudo keeper-gateway autoupdate disable

Removal on Windows

Remove Auto Updater with the following steps:

  • Open a command prompt as Administrator.

  • Remove Auto Updater with the following Keeper Gateway command:

keeper-gateway autoupdate disable

Troubleshooting

Check the status of the Auto Update

keeper-gateway autoupdate status

Logging in the Gateway Auto Updater

To assist with diagnosing issues or monitoring the status of updates, the Gateway Auto Updater generates two types of logs. These logs are subject to rotation policies to avoid overuse of disk space.

Linux

Log Location

All log files for Linux are located in /var/log/keeper-gateway

Log Files

  • Update Logs: Any logs generated during an update will be timestamped and stored as update_YYYY-MM-DD_HH-MM-SS.log.

  • Last Update Check: The file last-update-check.log contains information regarding the most recent check for updates.

Windows

Log Location

The log files for the Gateway Auto Updater are located in \ProgramData\KeeperGateway\install

Log Files

  • Update Logs: Any logs generated during an update will be timestamped and stored as YYYY-MM-DD_HH-MM-SS.log

  • Last Update Check: The file last-update-check.log contains information regarding the most recent check for updates.

Alerts and SIEM Integration

Monitoring Gateway events and integrating with your SIEM

Overview

KeeperPAM supports integration with your SIEM provider to provide real-time event logging and monitoring of all privileged access management activity. In the Keeper Admin Console, alerts can also be configured based on any event.

For more information on activating SIEM integration from the Keeper Enterprise guide:

Features

  • Push over 200 different event types to any connected SIEM provider

  • Send alerts to email, SMS, Webhook, Slack or Microsoft Teams on any event trigger

  • Run custom reports from the Keeper Admin Console or Keeper Commander CLI

KeeperPAM Events

Events related to KeeperPAM include:

  • Starting and stopping sessions, tunnels, remote browser isolation

  • Gateway lifecycle (online, offline, added/removed)

  • Connection lifecycle (creation, editing and deleting PAM resources)

KeeperPAM Events

Recommended Alerts

As a KeeperPAM administrator, it is useful to receive alerts related to Gateway actions, such as when a Gateway goes offline (in case of server outage or system restart).

From the Admin Console, go to Reporting & Alerts > Alerts > select Event Types and set the recipient information.

Set Alert for Gateway Offline

Event alert details will include the name and UID of the affected Keeper gateway.

Gateway Offline Alert

Email alerts contain event information

Email Alert for Gateway Offline

Advanced Configuration

Advanced Keeper Gateway Configurations

Overview

This section will cover additional configurations to modify the Keeper Gateway's default behavior.

Support Configurations

The following are supported configurations for the Keeper Gateway:

Gateway Configuration with AWS KMS

Storing and protecting the Keeper Gateway Configuration using AWS KMS

Overview

If the Keeper Gateway is installed on an AWS EC2 Instance, the corresponding Gateway configuration file can be protected and stored in AWS Secrets Manager. This method eliminates the need for storing a configuration file on the instance, and instead stores the configuration file with AWS KMS protection.

AWS Key Management Service (KMS) Key

AWS KMS is a fully managed service that makes it easy for you to create and control the cryptographic keys used to encrypt and decrypt your data. The service is integrated with other AWS services, making it easier to encrypt data and manage keys. You will need a AWS KMS key as part of this process, and it is recommended that you follow the principle of least privilege when assigning permissions to this key.

Prerequisites

In order to use AWS KMS to protect the Gateway configuration secrets, you need to install the Keeper Gateway on an EC2 instance which assumes an IAM Role. This works on either Docker or Linux install methods.

Generate a Configuration

From the Keeper Vault, go to Secrets Manager > Applications and select the application configured with your Gateway. Then select the Gateways tab and select "Provision Gateway".

Select the Gateway initialization method of "Configuration" and click Next.

Select Configuration Method
Copy the Base64 Configuration

Alternatively, you can generate a One-Time Access Token and then use the Keeper Gateway's "gateway ott-init" command:

gateway ott-init [ONE-TIME-TOKEN]

In either case, you'll be provided with a base64 encoded configuration. Save this for the next step.

Create Secret in AWS Secrets Manager

From the AWS Console, go to the Secrets Manager and create a new secret.

  • Select "Other type of secret"

  • Select Plaintext and paste the entire base64 value there.

  • Click Next.

Create Secret using Plaintext formatting

Enter a Secret Name and a description then click Next, Next and Store.

Secret Name and Description
View Secrets

Assign Policy to Instance Role

The EC2 instance role needs to be assigned a policy which provides read access to the specific AWS Secrets Manager key. As an example:

{
    "Sid": "SecretsManagerPermissions",
    "Effect": "Allow",
    "Action": [
        "secretsmanager:GetSecretValue"
     ],
     "Resource": "arn:aws:secretsmanager:us-west-1:XXX:secret:XXX"
}

Confirming Access

From the EC2 instance, the below command will confirm the policy has been applied:

aws secretsmanager get-secret-value --secret-id YourSecretName --query SecretString --output text

Configuration of the Keeper Gateway

Docker Install Method

For Docker installations, remove the GATEWAY_CONFIG entry and add AWS_KMS_SECRET_NAME with the value containing the name of the secret from the AWS secrets manager.

services:
      keeper-gateway:
        platform: linux/amd64
        image: keeper/gateway:latest
        shm_size: 2g
        security_opt:
          - "seccomp:docker-seccomp.json"
        environment:
          ACCEPT_EULA: Y
          AWS_KMS_SECRET_NAME: "YourSecretName"

Then update the service with the new environment:

docker compose pull
docker compose down
docker compose up -d

Linux Install Method

Open the Keeper Gateway service unit file:

/etc/systemd/system/keeper-gateway.service

Modify the "ExecStart" line as seen below, replacing YourSecretName with your assigned name.

ExecStart=/bin/bash -c "/usr/local/bin/gateway start --service --aws-kms-secret-name="YourSecretName" --log-to-stdout"

Apply changes to the service:

sudo systemctl daemon-reload
sudo systemctl restart keeper-gateway

If there are any errors starting up, they can be seen through this command:

systemctl status keeper-gateway.service

Gateway Configuration with Custom Fields

Advanced configuration of the Keeper gateway with Keeper Vault custom fields

These configuration capabilities are functional and currently in an experimental phase, and we invite users to actively explore and utilize them. We are actively evaluating their functionality and performance, with the intention of considering them for official integration into our product in the future.

Advanced Gateway Configuration with Custom Fields

When setting up Rotation in your Keeper Vault, you store the credentials of your assets involved in rotation on their corresponding PAM Record Types. On these record types, you are able to create custom fields.

The additional gateway configurations will be defined with these custom fields on the PAM Record Types. The Keeper Gateway will then adjust its behavior based on the defined configurations.

The following tables lists all the possible configurations with custom fields:

Custom Field Name
Type
Default Value
Description

Shell

Text

None

Allows you to specify a custom shell path that the Gateway will use when executing rotation and post-rotation scripts. This gives you control over the environment in which these scripts run. Example Value: C:\MY\SHELL

NOOP

Text

False

Allows you to control whether the Gateway performs the primary rotation operation or proceeds directly to execution of the post-rotation script.

If set to True the Gateway will skip the rotation process and proceed directly in executing the post-rotation script(s). Example Value: True

Kerberos

Text

False

Specifically designed for WinRM connections using Kerberos authentication. By default, the Gateway automatically decides whether to use Kerberos based on certain rules, and If these conditions are met, the Gateway will attempt to use Kerberos for WinRM. However, if you encounter issues with this automatic detection, setting this field to True will override the default behavior and force the Gateway to use Kerberos for WinRM. Example Value: True

Private Key Type

Text

ssh-rsa

Gateway Version 1.3.4+ This custom field pertains to the type or algorithm of the private key stored in a record. When adding a private key to a record, users do not need to take any additional action regarding its type or algorithm. The system is designed to automatically recognize and use the same algorithm as the existing private key during the rotation process. If the algorithm in use is ECDSA, the key size will also be preserved during the rotation. Available Options if needed to overwrite the key type: ssh-rsa (Note: 4096 bits)

ssh-dss (Note: 1024 bit, obsolete) ecdsa-sha2-nistp256

ecdsa-sha2-nistp384

ecdsa-sha2-nistp521

ssh-ed25519

Private Key Rotate

Text

True

Gateway Version 1.3.4+

TRUE - (Default) If the custom field doesn't exist, the private key will be rotated if it exists.

FALSE - The private key won't be rotated, even if it exists. Users should pick this if they wish to retain the private key in the record without any rotations.

Note:

  • The custom fields values are not case-sensitive.