1 of 12

Local Network

Password Rotation in the Local Network Environment

Overview

In this section, you will learn how to rotate user credentials within a Local Network environment across various target systems.

A "local network" simply means any resource that has line of sight access from the Keeper Gateway. This configuration can be used in any cloud or managed environment. Native protocols are used to communicate to the target resources and perform rotations.

Setup Steps

At a high level, the following steps are needed to successfully rotate passwords on a network:

Create Shared Folders to hold the PAM records involved in rotation
Create PAM Machine, PAM Database and PAM Directory records representing each resource
Create PAM User records that contain the necessary account credentials for each resource
Link the PAM User record to the PAM Resource record.
Assign a Secrets Manager Application to all of the shared folders that hold the PAM records
Install a Keeper Gateway and add it to the Secrets Manager application
Create a PAM Configuration with the AWS environment setting
Configure Rotation settings on the PAM User records

Use Cases

Windows User

Rotating Windows User Accounts on Local Network

Overview

In this guide, you'll learn how to rotate Windows user accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.

Prerequisites

This guide assumes the following tasks have already taken place:

Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed and showing online
The Keeper Gateway can communicate over WinRM or SSH to the target machine:
- WinRM: Enabled and running on port 5986. Verification: Run winrm get winrm/config to verify that WinRM is running. See WinRM setup page for installation help. OR...
- SSH: Enabled and running on port 22. Verification: Run ssh [your-user]@[your-machine] -p 22 to verify that SSH is running.

1. Set up a PAM Machine Record

Keeper Rotation will use an admin credential to rotate credentials of other accounts in your local environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of other accounts.

In this guide, we will store the admin credentials in a PAM Machine Record.

The following table lists all the required fields that needs to be filled on the PAM Machine Record with your information:

Field

Description

Title

Name of the Record ex: "Local Windows Admin"

Hostname or IP Address

Machine hostname or IP as accessed by the Gateway (internal) or "localhost"

Port

22 for SSH, 5985 (HTTP) or 5986 (HTTPS) for WinRM

Administrative Credentials

Linked PAM User record that contains the username and password (or SSH Key) of the Admin account which will perform the rotation.

The linked PAM User record with the admin credential needs to be in a shared folder that is accessible to the Keeper Gateway.

2. Set up a PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:

Field

Description

Title

Configuration name, example: Windows LAN Configuration

Environment

Select: Local Network

Gateway

Select the Gateway that is configured on the Keeper Secrets Manager application and has SSH access to your Windows devices

Application Folder

Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the machine resources.

3. Set up one or more PAM User records

Keeper Rotation will use the credentials in the PAM Machine record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

The following table lists all the required fields on the PAM User record:

Field

Description

Record Type

PAM User

Title

Keeper record title

Login

Case sensitive username of the account being rotated. Example: msmith

Password

Account password is optional, rotation will set one if blank

4. Configure Rotation on the PAM User records

Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Machine credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with edit rights to a PAM User record has the ability to setup rotation for that record.

Service Management

Keeper can automatically update the Windows service account "log on as" credentials for any Windows services running as the PAM User, and restart the service. Keeper will also update the credential of any scheduled task running as that user on the target machine.

To learn more and set up this capability, see the Service Management page.

macOS User

Rotating Local Mac User Accounts with Keeper Rotation

Overview

In this guide, you'll learn how to remotely rotate MacOS accounts via SSH using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.

Prerequisites

This guide assumes the following tasks have already taken place:

Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate via SSH to your MacOS device.

1. Set up a PAM Machine resource

Keeper Rotation will use the linked admin credential to rotate other accounts in your environment. This account does not need to be joined to a domain, or a full admin account, but the account needs to be able to successfully change passwords for other accounts.

PAM Directory Record Fields

Field

Description

Record Type

PAM Machine

Title

My macOS User

Hostname or IP Address

IP address or hostname of the directory macOS device. Use localhost if the gateway is installed on the device. Examples: 10.10.10.10, MarysMacBook, localhost

Port

SSH port, typically: 22 - SSH is required for rotation.

Use SSL

Must be enabled

Administrative Credentials

Linked PAM User record that contains the username and password (or SSH Key) of the Admin account which will perform the rotation.

Operating System

For Mac OS rotation, use: MacOS

2. Set up a PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab. Create a new configuration:

Field

Description

Title

Configuration name, example: MAC Rotation

Environment

Select: Local Network

Gateway

Select the Gateway that has SSH access to your MacOS devices

Application Folder

Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the machine resources.

Default Rotation Schedule

Optional

3. Set up one or more PAM user records

Keeper Rotation will use the linked credentials in the PAM Machine record to rotate the PAM User records in your environment.

PAM User Record Fields

Field

Description

Record Type

PAM User

Title

Keeper record title

Login

Case sensitive username of the account being rotated. Example: msmith

Password

Account password is optional, rotation will set one if blank

Other fields

These should be left blank

4. Configure Rotation on the PAM User records

Select the PAM User record, edit the record and open the "Password Rotation Settings".

Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the "PAM Machine" credential setup previously.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with edit rights to a PAM User record has the ability to setup rotation for that record.

Database

DB credential Rotation in the Local Environment

In this section, you will learn how to rotate database user credentials within your local network.

Databases Supported

Native PostgreSQL

Rotating Local Network PostgreSQL database accounts with Keeper Rotation

Overview

Prerequisites

This guide assumes the following tasks have already taken place:

1. Set up a PAM Database Record

Keeper Rotation will use an admin credential linked to the PAM Database to rotate credentials of other accounts in your local environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of other accounts.

The following table lists all the required fields that needs to be filled on the PAM Database Record with your information:

Field

Description

Title

Keeper record title Ex: dbadmin

Hostname or IP Address

Server address - doesn't need to be publicly routable

Port

Use SSL

Check to perform SSL verification before connecting, if your database has SSL configured

Administrative Credentials

Linked PAM User record that contains the username and password of the Admin account which will perform the rotation.

Connect Database

Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database and so this will default to template1.

Database Type

postgresql or postgresql-flexible

2. Set up a PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

Field

Description

Title

Configuration name, example: Postgresql LAN Configuration

Environment

Select: Local Network

Gateway

Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your PostgreSQL database

Application Folder

Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources.

3. Set up one or more PAM user records

Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

The following table lists all the required fields on the PAM User record:

Field

Description

Record Type

PAM User

Title

Keeper record title

Login

Case sensitive username of the db account being rotated. Example: msmith

Password

Account password is optional, rotation will set one if blank

Connect Database

Optional database that will be used when connecting to the database server. For example: PostgreSQL requires a database and so this will default to template1.

4. Configure Rotation on the PAM User records

Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with edit rights to a PAM User record has the ability to setup rotation for that record.