Local Network

Password Rotation in the Local Network Environment

Overview

In this section, you will learn how to rotate user credentials within a Local Network environment across various target systems.

A "local network" simply means any resource that has line of sight access from the Keeper Gateway. This configuration can be used in any cloud or managed environment. Native protocols are used to communicate to the target resources and perform rotations.

Setup Steps

At a high level, the following steps are needed to successfully rotate passwords on a network:

  1. Create Shared Folders to hold the PAM records involved in rotation

  2. Create PAM Machine, PAM Database and PAM Directory records representing each resource

  3. Create PAM User records that contain the necessary account credentials for each resource

  4. Link the PAM User record to the PAM Resource record.

Use Cases

Database

DB credential Rotation in the Local Environment

In this section, you will learn how to rotate database user credentials within your local network.

Databases Supported

  • Native MariaDB

  • Native PostgreSQL

  • Native MongoDB

  • Native MS SQL Server

  • Native Oracle

  • Native MySQL

Remaining high-level setup steps (these continue the Setup Steps list in the overview above):

  • Assign a Secrets Manager Application to all of the shared folders that hold the PAM records

  • Install a Keeper Gateway and add it to the Secrets Manager application

  • Create a PAM Configuration with the AWS environment setting

  • Configure Rotation settings on the PAM User records

Use cases covered in this section:

  • Database

  • Active Directory User

  • Windows User

  • Linux User

  • macOS User

    Active Directory or OpenLDAP User

    Rotating Active Directory or OpenLDAP user accounts remotely using KeeperPAM

    Overview

    In this guide, you'll learn how to remotely rotate Active Directory or OpenLDAP user accounts using KeeperPAM.

    Prerequisites

    This guide assumes the following tasks have already taken place:

    • Rotation enforcements are configured for your role

    • A Keeper Secrets Manager application has been created

    • Your Keeper Gateway is online

    • The Keeper Gateway is able to communicate via LDAPS (port 636) or LDAP (port 389) to your directory.

    1. Set up a PAM Directory credential

    Keeper Rotation will use the linked admin credential to rotate other accounts in your directory. This account does not need to be a domain admin account, but needs to be able to successfully change passwords for other accounts.

    The linked admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.

    PAM Directory Record Fields

    The required fields for this record (Record Type, Title, Hostname or IP Address, Port, Use SSL, Administrative Credentials, Domain Name, Directory Type) are listed in the field table that appears after the Troubleshooting section of this guide.

    2. Set up a PAM Configuration

    Note: You can skip this step if you already have a PAM Configuration set up for this environment.

    A PAM Configuration associates an environment with a Keeper Gateway and credentials. If you don't have a PAM Configuration set up yet for this use case, create one.

    The PAM Configuration fields (Title, Environment, Gateway, Application Folder, Other fields) are listed in the field table that appears after the Troubleshooting section of this guide.

    3. Set up PAM User records

    KeeperPAM will use the credentials linked from the "PAM Directory" record to rotate other "PAM User" records in your environment. The PAM User credential needs to be saved in a shared folder that is assigned to the secrets manager application. In the example below, the AD user demouser can be rotated.

    PAM User Record Fields

    The required fields for this record (Record Type, Title, Login, Password, Distinguished Name) are listed in the field table that appears after the Troubleshooting section of this guide.

    If you don't know the user's DN, the Get-ADUser PowerShell command, listed with the other PowerShell snippets for this guide further down the page, can be used to find it.

    4. Configure Rotation on the Record

    Select the PAM User record, edit the record and open the "Password Rotation Settings".

    Any user with edit rights to a PAM User record, and with enforcement policies allowing rotation, has the ability to set up rotation for that record.

    • The "Rotation" should be of type "General".

    • The "PAM Resource" field should select the "PAM Directory" credential set up previously.

    • Select the desired schedule and password complexity.

    • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

    Troubleshooting

    An easy way to test if LDAP is properly configured is to run 'LDP.exe' and test the connection. If this connection succeeds, then Keeper Rotation should also succeed.

    Testing with a Self-Signed Cert

    For the purpose of testing an Active Directory user account rotation with Keeper, it is necessary to ensure that the LDAPS connection is active and using a valid certificate. If you are just testing and don't have a production certificate, the instructions below provide you with a self-signed cert.

    Using a self-signed certificate with AD is only for testing purposes; do not use one in production.

    1. Create a cert

    From PowerShell running as an administrator, create a self-signed cert using the New-SelfSignedCertificate command listed with the other PowerShell snippets for this guide further down the page. Note that the subject name and alternate names of the certificate must match the server hostname. In this example, the primary name is XYZ123.company.local with alternate names company.local and company.

    Remaining PAM Directory record fields (these rows belong with the PAM Directory field table for step 1 of this guide):

    Administrative Credentials: Linked PAM User credential used for performing the LDAP rotation. Example: rotationadmin
    Domain Name: Domain name of the Active Directory. Example: mydomain.local
    Directory Type: Set to Active Directory or OpenLDAP

    2. Install the cert

    The install script, listed with the other PowerShell snippets for this guide further down the page, locates the cert in the personal section of the certificate manager and copies it into the NTDS certificate store and the Trusted Root store. Replace the company parameter in the first line of that script with the domain from step 1.

    3. Restart NTDS

    Restart the NTDS service using the Restart-Service command listed with the PowerShell snippets for this guide further down the page. After restarting the NTDS service, the certificate should be installed.

    4. Check the connectivity

    Run 'LDP.exe' and make sure that you're able to connect to the local domain over port 636 with SSL enabled.

    Connect using LDP.exe
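    As an added example (not part of the Keeper documentation or Keeper's own tooling), the PowerShell check below does from a script what the LDP.exe step does by hand: it opens a TLS connection to the directory server on port 636, captures the certificate the server presents, and reports whether the subject or alternate names cover the hostname, whether the certificate has expired, and whether the chain validates against the machine's trusted roots (which is what a self-signed certificate fails until it has been added to the Trusted Root store in step 2). The hostname dc01.mydomain.local is an assumption taken from the examples in this guide; replace it with your directory server. It relies on the DnsNameList property that PowerShell adds to X509Certificate2 objects on Windows, with a fallback to the first DNS name the .NET API reports.

```powershell
# Added example (not Keeper code): scriptable LDAPS pre-flight check for a
# PAM Directory target. 'dc01.mydomain.local' below is an assumed hostname.

function Test-DnsNameMatch {
    # True when one of the certificate's DNS names covers $Hostname.
    # A wildcard entry (*.company.local) covers exactly one extra label.
    param([string] $Hostname, [string[]] $Names)
    foreach ($name in $Names) {
        if ($name -ieq $Hostname) { return $true }
        if ($name.StartsWith('*.') -and ($Hostname -ilike $name) -and
            ($Hostname.Split('.').Count -eq $name.Split('.').Count)) { return $true }
    }
    return $false
}

function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $Hostname,
        [int] $Port = 636
    )
    $r = [ordered]@{
        Hostname = $Hostname; Port = $Port; TcpReachable = $false; TlsHandshake = $false
        Subject = $null; DnsNames = @(); NotAfter = $null; Expired = $null
        HostnameMatches = $false; ChainErrors = @(); Ok = $false; Error = $null
    }

    $client = [System.Net.Sockets.TcpClient]::new()
    try { $client.Connect($Hostname, $Port); $r.TcpReachable = $true }
    catch { $r.Error = $_.Exception.Message; return [pscustomobject]$r }

    # Accept any certificate during the handshake so it can be inspected;
    # trust is evaluated separately below with X509Chain.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Hostname)
        $r.TlsHandshake = $true
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } catch { $r.Error = $_.Exception.Message; return [pscustomobject]$r }
    finally { $ssl.Dispose(); $client.Dispose() }

    # DnsNameList is a property PowerShell adds to X509Certificate2 on Windows;
    # fall back to the first DNS name the .NET API reports elsewhere.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names.Count -eq 0) { $names = @($cert.GetNameInfo('DnsName', $false)) }

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $null = $chain.Build($cert)   # returns $false for an untrusted self-signed cert

    $r.Subject         = $cert.Subject
    $r.DnsNames        = $names
    $r.NotAfter        = $cert.NotAfter
    $r.Expired         = $cert.NotAfter -lt (Get-Date)
    $r.HostnameMatches = Test-DnsNameMatch -Hostname $Hostname -Names $names
    $r.ChainErrors     = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $r.Ok = $r.TlsHandshake -and (-not $r.Expired) -and $r.HostnameMatches -and ($r.ChainErrors.Count -eq 0)
    return [pscustomobject]$r
}

# Constructed usage; point it at your own directory server.
Test-LdapsEndpoint -Hostname 'dc01.mydomain.local' | Format-List
```

    A result with TlsHandshake true but ChainErrors containing UntrustedRoot is the expected state of a self-signed certificate that has not yet been added to the Trusted Root store; HostnameMatches false means the names passed to New-SelfSignedCertificate do not cover the name you connect with, which is the same mismatch that makes the LDP.exe SSL connection fail.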

    PAM Directory Record Fields (step 1; the Administrative Credentials, Domain Name and Directory Type rows of this table appear above, between the self-signed certificate steps)

    Record Type: PAM Directory
    Title: Keeper record title
    Hostname or IP Address: IP address, hostname or FQDN of the directory server. Examples: 10.10.10.10, dc01.mydomain.local
    Port: 636. LDAPS is required for rotation on Active Directory. LDAP over port 389 is insecure and should be avoided.
    Use SSL: Must be enabled for use with Active Directory

    PAM Configuration Fields (step 2)

    Title: Configuration name, example: My Active Directory
    Environment: Select: Local Network
    Gateway: Select the Gateway that has access to your directory server
    Application Folder: Select the Shared folder that contains the PAM Directory record
    Other fields: Depends on your use case. See the PAM Configuration section.

    PAM User Record Fields (step 3)

    Record Type: PAM User
    Title: Keeper record title, e.g. AD User - demouser
    Login: Username of the account being rotated. The format of the username depends on the target system and type of service. Examples: demouser, [email protected]
    Password: Account password is optional. In most cases, a password rotation will not require the existing password to be present. However, there are some scenarios and protocols which may require it.
    Distinguished Name: Required for Active Directory and OpenLDAP directories. The LDAP DN for the user, e.g. CN=Demo User,CN=Users,DC=lureydemo,DC=local


    Windows User

    Rotating Windows User Accounts on Local Network

    Overview

    In this guide, you'll learn how to rotate Windows user accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.

    Prerequisites

    This guide assumes the following tasks have already taken place:

    • Keeper Secrets Manager is enabled for your role

    • Keeper Rotation is enabled for your role

    • A Keeper Secrets Manager application has been created

    • A Keeper Rotation gateway is already installed and showing online

    1. Set up a PAM Machine Record

    Keeper Rotation will use an admin credential to rotate credentials of other accounts in your local environment. These admin credentials need to have sufficient permissions in order to successfully change the credentials of other accounts.

    In this guide, we will store the admin credentials in a PAM Machine Record.

    The following table lists all the required fields that need to be filled on the PAM Machine Record with your information. The field table (Title, Hostname or IP Address, Port, Administrative Credentials) appears after the Service Management section of this guide.

    The linked PAM User record with the admin credential needs to be in a shared folder that is accessible to the Keeper Gateway.

    2. Set up a PAM Configuration

    Note: You can skip this step if you already have a PAM Configuration set up for this environment.

    If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The required fields on the PAM Configuration Record (Title, Environment, Gateway, Application Folder) are listed in the field table after the Service Management section of this guide.

    3. Set up one or more PAM User records

    Keeper Rotation will use the credentials in the PAM Machine record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

    The required fields on the PAM User record (Record Type, Title, Login, Password) are listed in the field table after the Service Management section of this guide.

    Supported Username Formats

    Note that Keeper will attempt to log in to the remote system using the username exactly as supplied. If authentication fails, Keeper will then attempt the variations below:

    • User Principal Name (UPN) format: admin@company.com

    • Domain NetBIOS format: COMPANY\admin

    • Shortened UPN format (no TLD): admin@company

    • Domain FQDN with backslash format: company.com\admin
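    The fallback order above can be reproduced in PowerShell to see exactly which logins the Gateway will try for a given record before rotation is enabled, which is useful when an account lockout policy is strict and you want the first attempt to be the one that succeeds. The function below is an added example, not Keeper code. It goes slightly beyond the list above: a login already entered in UPN or DOMAIN\user form is first reduced to the bare username, then expanded into the documented variants in the documented order, with the login exactly as supplied always first. The domain company.com is an assumption, and the NetBIOS name is assumed to be the first DNS label in upper case.

```powershell
# Added example (not Keeper code): list the login forms Keeper is documented to
# try, in order. The domain 'company.com' in the usage lines is an assumption.
function Get-LoginCandidates {
    param(
        [Parameter(Mandatory)] [string] $Login,    # as entered in the PAM User record
        [Parameter(Mandatory)] [string] $Domain    # DNS domain of the target, e.g. company.com
    )

    # Reduce a login already typed as DOMAIN\user, domain.tld\user or user@domain
    # to the bare username; the as-supplied form is still tried first.
    $user = $Login
    if     ($Login -match '^[^\\]+\\(?<u>.+)$') { $user = $Matches.u }
    elseif ($Login -match '^(?<u>[^@]+)@.+$')   { $user = $Matches.u }

    $labels  = $Domain.Split('.')
    $netbios = $labels[0].ToUpperInvariant()   # company.com -> COMPANY (assumes NetBIOS name = first label)
    $noTld   = if ($labels.Count -gt 1) { $labels[0..($labels.Count - 2)] -join '.' } else { $Domain }

    $ordered = @(
        $Login                      # 1. exactly as supplied
        "${user}@${Domain}"         # 2. User Principal Name
        "${netbios}\${user}"        # 3. Domain NetBIOS
        "${user}@${noTld}"          # 4. shortened UPN (no TLD)
        "${Domain}\${user}"         # 5. domain FQDN with backslash
    )
    # Emit each distinct form once, preserving the order in which it would be tried.
    $seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($candidate in $ordered) {
        if ($seen.Add($candidate)) { $candidate }
    }
}

# Constructed usage: the admin entered plainly, and the same account entered as a UPN.
Get-LoginCandidates -Login 'admin' -Domain 'company.com'
Get-LoginCandidates -Login 'admin@company.com' -Domain 'company.com'
```

    For the first call the output is admin, admin@company.com, COMPANY\admin, admin@company and company.com\admin; for the second the UPN is emitted once, at the head of the list, since it is both the as-supplied form and variant 2.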

    4. Configure Rotation on the PAM User records

    Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

    • Select the desired schedule and password complexity.

    • The "Rotation Settings" should use the PAM Configuration set up previously.

    • The "Resource Credential" field should select the PAM Machine credential set up in Step 1.

    Any user with edit rights to a PAM User record has the ability to set up rotation for that record.

    Service Management

    Keeper can automatically update the Windows service account "log on as" credentials for any Windows services running as the PAM User, and restart the service. Keeper will also update the credential of any scheduled task running as that user on the target machine.

    To learn more and set up this capability, see the Service Management page.
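    Before enabling rotation on an account that is also used as a service or scheduled-task identity, it is worth knowing exactly what depends on it, so that the service and task updates Keeper performs can be verified afterwards and anything that still fails to start can be traced. The function below is an added example, not part of Keeper or of the Service Management page; it assumes it is run on the target machine with administrator rights, and COMPANY\svc-app is a constructed sample account. It matches on the username only, so a local and a domain account with the same name are both listed.

```powershell
# Added example (not Keeper code): inventory Windows services and scheduled tasks
# whose identity is a given account. Run as administrator on the target machine.
function Get-AccountDependents {
    param(
        [Parameter(Mandatory)] [string] $Account   # e.g. 'COMPANY\svc-app' or '.\localuser'
    )
    # Reduce the requested account to its bare username.
    $user = $Account
    if     ($Account -match '^[^\\]+\\(?<u>.+)$') { $user = $Matches.u }
    elseif ($Account -match '^(?<u>[^@]+)@.+$')   { $user = $Matches.u }

    # Compare a service/task identity against $user, ignoring its domain or host prefix.
    $matchesAccount = {
        param([string] $identity)
        if (-not $identity) { return $false }
        $idUser = $identity
        if     ($identity -match '^[^\\]+\\(?<u>.+)$') { $idUser = $Matches.u }
        elseif ($identity -match '^(?<u>[^@]+)@.+$')   { $idUser = $Matches.u }
        return ($idUser -ieq $user)
    }

    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { & $matchesAccount $_.StartName } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; RunsAs = $_.StartName; State = $_.State }
        }

    $tasks = Get-ScheduledTask |
        Where-Object { & $matchesAccount $_.Principal.UserId } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'ScheduledTask'; Name = ($_.TaskPath + $_.TaskName); RunsAs = $_.Principal.UserId; State = [string]$_.State }
        }

    @($services) + @($tasks)
}

# Constructed usage with a sample account name.
Get-AccountDependents -Account 'COMPANY\svc-app' | Format-Table -AutoSize
```

    Run it once before the first rotation to record the baseline, and again after the rotation; every service listed should still be running and every task should still be in its previous state.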

    PowerShell snippets referenced by the "Active Directory or OpenLDAP User" guide above (self-signed certificate steps 1 to 3, and the DN lookup in that guide's step 3):

    Create the cert (step 1). The subject and alternate names must match the server hostname:

    New-SelfSignedCertificate -DnsName XYZ123.company.local,company.local,company -CertStoreLocation cert:\LocalMachine\My

    Install the cert (step 2). Replace "company" in the first line with the domain used in step 1:

    # Get the cert we just created (newest match wins if several certs carry the name)
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My" |
        Where-Object { $_.Subject -like "*company*" } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
    $thumbprint = ($cert.Thumbprint | Out-String).Trim()

    # Copy to the NTDS store through the registry so the directory service can present it for LDAPS
    $certStoreLoc = 'HKLM:/Software/Microsoft/Cryptography/Services/NTDS/SystemCertificates/My/Certificates'
    if (!(Test-Path $certStoreLoc)) {
        New-Item $certStoreLoc -Force
    }
    Copy-Item -Path HKLM:/Software/Microsoft/SystemCertificates/My/Certificates/$thumbprint -Destination $certStoreLoc

    # Copy to the Trusted Root store so clients on this machine trust the self-signed cert
    $rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store([System.Security.Cryptography.X509Certificates.StoreName]::Root, 'LocalMachine')
    $rootStore.Open('ReadWrite')
    $rootStore.Add($cert)
    $rootStore.Close()

    Restart NTDS (step 3) so the directory service picks up the certificate:

    Restart-Service NTDS -Force

    Find a user's Distinguished Name for the PAM User record (step 3 of the guide); replace <username> with the account's username:

    Get-ADUser -Identity <username> -Properties DistinguishedName

    The Keeper Gateway can communicate over WinRM or SSH to the target machine (this completes the prerequisites for this guide):

    • WinRM: Enabled and running on port 5986. Verification: run winrm get winrm/config to verify that WinRM is running. See the WinRM setup page for installation help. Or:

    • SSH: Enabled and running on port 22. Verification: run ssh [your-user]@[your-machine] -p 22 to verify that SSH is running.

    Once the rotation settings from Step 4 are saved, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

    PAM Machine Record Fields (Windows User guide, Step 1)

    Title: Name of the Record, ex: "Local Windows Admin"
    Hostname or IP Address: Machine hostname or IP as accessed by the Gateway (internal), or "localhost"
    Port: 22 for SSH, 5985 (HTTP) or 5986 (HTTPS) for WinRM
    Administrative Credentials: Linked PAM User record that contains the username and password (or SSH Key) of the Admin account which will perform the rotation.

    PAM Configuration Fields (Windows User guide, Step 2)

    Title: Configuration name, example: Windows LAN Configuration
    Environment: Select: Local Network
    Gateway: Select the Gateway that is configured on the Keeper Secrets Manager application and has SSH access to your Windows devices
    Application Folder: Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the machine resources.

    PAM User Record Fields (Windows User guide, Step 3)

    Record Type: PAM User
    Title: Keeper record title
    Login: Case-sensitive username of the account being rotated. Example: msmith
    Password: Account password is optional; rotation will set one if blank


    Linux User

    Rotating Linux User Accounts on Local Network

    Overview

    In this guide, you'll learn how to rotate Linux user accounts within your local network using Keeper Rotation, including both password-based and SSH Key-based credentials. For a high-level overview on the rotation process in the local network, visit this page.

    Prerequisites

    This guide assumes the following tasks have already taken place:

    • Keeper Secrets Manager is enabled for your role

    • Keeper Rotation is enabled for your role

    • A Keeper Secrets Manager application has been created

    • A Keeper Rotation gateway is already installed, running, and is able to communicate via SSH to your Linux Machine(s)

    1. Set up a PAM Machine Record

    Keeper Rotation will use an admin credential to rotate credentials of other accounts in your local environment. These admin credentials need to have sufficient permissions in order to successfully change the credentials of other accounts.

    In this guide, we will store the admin credentials in a PAM Machine Record.

    The following table lists all the required fields that need to be filled on the PAM Machine Record with your information. The field table (Title, Hostname or IP Address, Port, Administrative Credentials) appears further down the page, after the Native Oracle overview paragraph.

    The linked PAM User record with the admin credential needs to be in a shared folder that is accessible to the Keeper Gateway.

    2. Set up a PAM Configuration

    Note: You can skip this step if you already have a PAM Configuration set up for this environment.

    If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The required fields on the PAM Configuration Record (Title, Environment, Gateway, Application Folder) are listed in the field table further down the page, after the Native Oracle overview paragraph.

    3. Set up one or more PAM User records

    Keeper Rotation will use the credentials in the PAM Machine record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

    The required fields on the PAM User record (Record Type, Title, Login, Password, Private PEM Key) are listed in the field table further down the page, after the Native Oracle overview paragraph.

    4. Configure Rotation on the PAM User records

    Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

    • Select the desired schedule and password complexity.

    • The "Rotation Settings" should use the PAM Configuration set up previously.

    • The "Resource Credential" field should select the PAM Machine credential set up in Step 1.

    Any user with edit rights to a PAM User record has the ability to set up rotation for that record.

    Native Oracle

    Rotating Local Network Oracle database accounts with Keeper Rotation

    Overview

    In this guide, you'll learn how to rotate Local Oracle Database User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.

    Once the rotation settings from Step 4 of the Linux User guide above are saved, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

    PAM Machine Record Fields (Linux User guide, Step 1)

    Title: Name of the Record, ex: "Local Linux Admin"
    Hostname or IP Address: Machine hostname or IP as accessed by the Gateway (internal), or "localhost"
    Port: 22 for SSH
    Administrative Credentials: Linked PAM User record that contains the username and password (or SSH Key) of the Admin account which will perform the rotation.

    PAM Configuration Fields (Linux User guide, Step 2)

    Title: Configuration name, example: Linux LAN Configuration
    Environment: Select: Local Network
    Gateway: Select the Gateway that is configured on the Keeper Secrets Manager application and has SSH access to your Linux devices
    Application Folder: Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the machine resources.

    PAM User Record Fields (Linux User guide, Step 3)

    Record Type: PAM User
    Title: Keeper record title
    Login: Case-sensitive username of the account being rotated. Example: msmith
    Password: Account password is optional; rotation will set one if blank
    Private PEM Key: SSH private key. This is only required if you are planning to rotate the PEM key instead of rotating the password.

    Prerequisites

    This guide assumes the following tasks have already taken place:

    • Keeper Secrets Manager is enabled for your role

    • Keeper Rotation is enabled for your role

    • A Keeper Secrets Manager application has been created

    • A Keeper Rotation gateway is already installed, running, and is able to communicate to your Oracle database

    1. Set up a PAM Database Record

    Keeper Rotation will use an admin credential linked to the PAM Database record to rotate credentials of other accounts in your local environment. These admin credentials need to have sufficient permissions in order to successfully change the credentials of other accounts.

    The following table lists all the required fields that need to be filled on the PAM Database record with your information:

    Title: Keeper record title. Ex: dbadmin
    Hostname or IP Address: Server address; it doesn't need to be publicly routable
    Port: For default ports, see the port mapping. Ex: oracle=1521
    Database Type: oracle
    Use SSL: Check to perform SSL verification before connecting, if your database has SSL configured
    Administrative Credentials: Linked PAM User record that contains the username and password of the Admin account which will perform the rotation.

    2. Set up a PAM Configuration

    If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.

    If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:

    Title: Configuration name, example: Oracle LAN Configuration
    Environment: Select: Local Network
    Gateway: Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Oracle database
    Application Folder: Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources.

    3. Set up one or more PAM user records

    Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

    The following table lists all the required fields on the PAM User record:

    Record Type: PAM User
    Title: Keeper record title
    Login: Case-sensitive username of the db account being rotated. Example: msmith
    Password: Account password is optional; rotation will set one if blank

    4. Configure Rotation on the PAM User records

    Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

    • Select the desired schedule and password complexity.

    • The "Rotation Settings" should use the PAM Configuration set up previously.

    • The "Resource Credential" field should select the PAM Database credential set up in Step 1.

    • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

    Any user with edit rights to a PAM User record has the ability to set up rotation for that record.


    Native MariaDB

    Rotating Local Network MariaDB database accounts with Keeper Rotation

    Overview

    In this guide, you'll learn how to rotate Local MariaDB User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.

    Prerequisites

    This guide assumes the following tasks have already taken place:

    • Keeper Secrets Manager is enabled for your role

    • Keeper Rotation is enabled for your role

    • A Keeper Secrets Manager application has been created

    • A Keeper Rotation gateway is already installed, running, and is able to communicate to your MariaDB database

    1. Set up a PAM Database Record

    Keeper Rotation will use an admin credential linked to the PAM Database record to rotate credentials of other accounts in your local environment. These admin credentials need to have sufficient permissions in order to successfully change the credentials of other accounts.

    The following table lists all the required fields that need to be filled on the PAM Database Record with your information. The field table (Title, Hostname or IP Address, Port, Database Type, Use SSL, Administrative Credentials) appears further down the page, after the Native PostgreSQL overview paragraph.

    2. Set up a PAM Configuration

    Note: You can skip this step if you already have a PAM Configuration set up for this environment.

    If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The required fields on the PAM Configuration Record (Title, Environment, Gateway, Application Folder) are listed in the field table further down the page, after the Native PostgreSQL overview paragraph.

    3. Set up one or more PAM user records

    Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

    The required fields on the PAM User record (Record Type, Title, Login, Password) are listed in the field table further down the page, after the Native PostgreSQL overview paragraph.

    4. Configure Rotation on PAM User records

    Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

    • Select the desired schedule and password complexity.

    • The "Rotation Settings" should use the PAM Configuration set up previously.

    • The "Resource Credential" field should select the PAM Database credential set up in Step 1.

    Any user with edit rights to a PAM User record has the ability to set up rotation for that record.

    macOS User

    Rotating Local Mac User Accounts with Keeper Rotation

    Overview

    In this guide, you'll learn how to remotely rotate macOS accounts via SSH using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.

    Native MongoDB

    Rotating Local Network MongoDB database accounts with Keeper Rotation

    Overview

    In this guide, you'll learn how to rotate Local MongoDB User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.

    Native PostgreSQL

    Rotating Local Network PostgreSQL database accounts with Keeper Rotation

    Overview

    In this guide, you'll learn how to rotate Local Postgres Database User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.


    Once the rotation settings from Step 4 of the Native MariaDB guide above are saved, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

    PAM Database Record Fields (Native MariaDB guide, Step 1)

    Title: Keeper record title. Ex: dbadmin
    Hostname or IP Address: Server address; it doesn't need to be publicly routable
    Port: For default ports, see the port mapping. Ex: mariadb=3306
    Database Type: mariadb or mariadb-flexible
    Use SSL: Check to perform SSL verification before connecting, if your database has SSL configured
    Administrative Credentials: Linked PAM User record that contains the username and password of the Admin account which will perform the rotation.

    PAM Configuration Fields (Native MariaDB guide, Step 2)

    Title: Configuration name, example: MariaDB LAN Configuration
    Environment: Select: Local Network
    Gateway: Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MariaDB database
    Application Folder: Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources.

    PAM User Record Fields (Native MariaDB guide, Step 3)

    Record Type: PAM User
    Title: Keeper record title
    Login: Case-sensitive username of the db account being rotated. Example: msmith
    Password: Account password is optional; rotation will set one if blank


    Prerequisites

    This guide assumes the following tasks have already taken place:

    • Keeper Secrets Manager is enabled for your role

    • Keeper Rotation is enabled for your role

    • A Keeper Secrets Manager application has been created

    • A Keeper Rotation gateway is already installed, running, and is able to communicate via SSH to your MacOS device.

    1. Set up a PAM Machine resource

    Keeper Rotation will use the linked admin credential to rotate other accounts in your environment. This account does not need to be joined to a domain, or a full admin account, but the account needs to be able to successfully change passwords for other accounts.

    PAM Machine Record Fields

    Record Type: PAM Machine
    Title: My macOS User
    Hostname or IP Address: IP address or hostname of the macOS device. Use localhost if the gateway is installed on the device. Examples: 10.10.10.10, MarysMacBook, localhost
    Port: SSH port, typically 22. SSH is required for rotation.
    Use SSL: Must be enabled

    2. Set up a PAM Configuration

    Note: You can skip this step if you already have a PAM Configuration set up for this environment.

    In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab. Create a new configuration:

    Title: Configuration name, example: MAC Rotation
    Environment: Select: Local Network
    Gateway: Select the Gateway that has SSH access to your macOS devices
    Application Folder: Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the machine resources.
    Default Rotation Schedule: Optional

    3. Set up one or more PAM user records

    Keeper Rotation will use the linked credentials in the PAM Machine record to rotate the PAM User records in your environment.

    PAM User Record Fields

    Record Type: PAM User
    Title: Keeper record title
    Login: Case-sensitive username of the account being rotated. Example: msmith
    Password: Account password is optional; rotation will set one if blank
    Other fields: These should be left blank

    4. Configure Rotation on the PAM User records

    Select the PAM User record, edit the record and open the "Password Rotation Settings".

    • Select the desired schedule and password complexity.

    • The "Rotation Settings" should use the PAM Configuration set up previously.

    • The "Resource Credential" field should select the "PAM Machine" credential set up previously.

    • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

    Any user with edit rights to a PAM User record has the ability to set up rotation for that record.

    Prerequisites

    This guide assumes the following tasks have already taken place:

    • Keeper Secrets Manager is enabled for your role

    • Keeper Rotation is enabled for your role

    • A Keeper Secrets Manager application has been created

    • A Keeper Rotation gateway is already installed, running, and is able to communicate to your MongoDB Database

    1. Set up a PAM Database Record

    Keeper Rotation will use an admin credential linked to the PAM Database record to rotate credentials of other accounts in your local environment. These admin credentials need to have sufficient permissions in order to successfully change the credentials of other accounts.

    The following table lists all the required fields that need to be filled on the PAM Database Record with your information:

    Title: Keeper record title. Ex: dbadmin
    Hostname or IP Address: Server address; it doesn't need to be publicly routable
    Port: For default ports, see the port mapping. Ex: mongodb=27017
    Use SSL: Check to perform SSL verification before connecting, if your database has SSL configured
    Administrative Credentials: Linked PAM User record that contains the username and password of the Admin account which will perform the rotation.

    2. Set up a PAM Configuration

    Note: You can skip this step if you already have a PAM Configuration set up for this environment.

    If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:

    Title: Configuration name, example: MongoDB LAN Configuration
    Environment: Select: Local Network
    Gateway: Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MongoDB database
    Application Folder: Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources.

    3. Set up one or more PAM User records

    Keeper Rotation will use the credentials linked from the PAM Database record to rotate the PAM User records on your local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

    The following table lists all the required fields on the PAM User record:

    Record Type: PAM User
    Title: Keeper record title
    Login: Case-sensitive username of the db account being rotated. Example: msmith
    Password: Account password is optional; rotation will set one if blank
    Connect Database: Optional database that will be used when connecting to the database server. For example, MongoDB requires a database, so this will default to admin.

    4. Configure Rotation on the PAM User records

    Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

    • Select the desired schedule and password complexity.

    • The "Rotation Settings" should use the PAM Configuration setup previously.

    • The "Resource Credential" field should select the PAM Database credential setup from Step 1.

    • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

    Any user with edit rights to a PAM User record has the ability to setup rotation for that record.

    Prerequisites

    This guide assumes the following tasks have already taken place:

    • Keeper Secrets Manager is enabled for your role

    • Keeper Rotation is enabled for your role

    • A Keeper Secrets Manager application has been created

    • A Keeper Rotation gateway is already installed, running, and is able to communicate with your PostgreSQL database

    1. Set up a PAM Database Record

    Keeper Rotation will use an admin credential linked to the PAM Database record to rotate the credentials of other accounts in your local environment. This admin credential needs sufficient permissions to change the credentials of those other accounts.

    The following table lists the required fields on the PAM Database record:

    Field                       Description
    Title                       Keeper record title, e.g. dbadmin
    Hostname or IP Address      Server address; it does not need to be publicly routable
    Port                        For default ports, see the port mapping. Example: postgresql=5432
    Use SSL                     Check to perform SSL verification before connecting, if your database has SSL configured
    Database Type               postgresql or postgresql-flexible
    Administrative Credentials  Linked PAM User record that contains the username and password of the admin account which will perform the rotation

    2. Set up a PAM Configuration

    Note: You can skip this step if you already have a PAM Configuration set up for this environment.

    If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists the required fields on the PAM Configuration record:

    Field               Description
    Title               Configuration name, e.g. PostgreSQL LAN Configuration
    Environment         Select: Local Network
    Gateway             Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your PostgreSQL database
    Application Folder  Select the shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources.

    3. Set up one or more PAM User records

    Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records in your local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

    The following table lists the required fields on the PAM User record:

    Field             Description
    Record Type       PAM User
    Title             Keeper record title
    Login             Case-sensitive username of the database account being rotated. Example: msmith
    Password          Account password; optional, rotation will set one if blank
    Connect Database  Optional database used when connecting to the database server. PostgreSQL requires a database, so this defaults to template1

    4. Configure Rotation on the PAM User records

    Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

    • Select the desired schedule and password complexity.

    • The "Rotation Settings" should use the PAM Configuration set up previously.

    • The "Resource Credential" field should select the PAM Database credential set up in Step 1.

    • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

    Any user with edit rights to a PAM User record has the ability to set up rotation for that record.

    Native MS SQL Server

    Rotating Local Network Microsoft SQL Server database accounts with Keeper Rotation

    Overview

    In this guide, you'll learn how to rotate local MS SQL Server database user and/or admin accounts within your local network using Keeper Rotation. For a high-level overview of the rotation process in the local network, visit this page.

    Prerequisites

    This guide assumes the following tasks have already taken place:

    • Keeper Secrets Manager is enabled for your role

    • Keeper Rotation is enabled for your role

    • A Keeper Secrets Manager application has been created

    • A Keeper Rotation gateway is already installed, running, and is able to communicate with your MS SQL Server database

    • If the Gateway is installed on a Linux or macOS server, install the Microsoft ODBC driver

    1. Set up a PAM Database Record

    Keeper Rotation will use an admin credential linked to the PAM Database record to rotate the credentials of other accounts in your local environment. This admin credential needs sufficient permissions to change the credentials of those other accounts.

    The following table lists the required fields on the PAM Database record:

    Field                       Description
    Title                       Keeper record title, e.g. dbadmin
    Hostname or IP Address      Server address; it does not need to be publicly routable
    Port                        For default ports, see the port mapping. Example: mssql=1433
    Use SSL                     Check to perform SSL verification before connecting, if your database has SSL configured
    Database Type               mssql
    Administrative Credentials  Linked PAM User record that contains the username and password of the admin account which will perform the rotation

    2. Set up a PAM Configuration

    Note: You can skip this step if you already have a PAM Configuration set up for this environment.

    If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists the required fields on the PAM Configuration record:

    Field               Description
    Title               Configuration name, e.g. MSSQL LAN Configuration
    Environment         Select: Local Network
    Gateway             Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MS SQL Server database
    Application Folder  Select the shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources.

    3. Set up one or more PAM User records

    Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records in your local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

    The following table lists the required fields on the PAM User record:

    Field             Description
    Record Type       PAM User
    Title             Keeper record title
    Login             Case-sensitive username of the database account being rotated. Example: msmith
    Password          Account password; optional, rotation will set one if blank
    Connect Database  Optional database used when connecting to the database server. MS SQL Server requires a database, so this defaults to master

    4. Configure Rotation on the PAM User records

    Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

    • Select the desired schedule and password complexity.

    • The "Rotation Settings" should use the PAM Configuration set up previously.

    • The "Resource Credential" field should select the PAM Database credential set up in Step 1.

    • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

    Any user with edit rights to a PAM User record has the ability to set up rotation for that record.

    Native MySQL

    Rotating Local Network MySQL database accounts with Keeper Rotation

    Overview

    In this guide, you'll learn how to rotate local MySQL database user and/or admin accounts within your local network using Keeper Rotation. For a high-level overview of the rotation process in the local network, visit this page.

    Prerequisites

    This guide assumes the following tasks have already taken place:

    • Keeper Secrets Manager is enabled for your role

    • Keeper Rotation is enabled for your role

    • A Keeper Secrets Manager application has been created

    • A Keeper Rotation gateway is already installed, running, and is able to communicate with your MySQL database

    1. Set up a PAM Database Record

    Keeper Rotation will use an admin credential linked from the PAM Database record to rotate the credentials of other accounts in your local environment. This admin credential needs sufficient permissions to change the credentials of those other accounts.

    The following table lists the required fields on the PAM Database record:

    Field                       Description
    Title                       Keeper record title, e.g. dbadmin
    Hostname or IP Address      Server address; it does not need to be publicly routable
    Port                        For default ports, see the port mapping. Example: mysql=3306
    Use SSL                     Check to perform SSL verification before connecting, if your database has SSL configured
    Database Type               mysql
    Administrative Credentials  Linked PAM User record that contains the username and password of the admin account which will perform the rotation

    2. Set up a PAM Configuration

    Note: You can skip this step if you already have a PAM Configuration set up for this environment.

    If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists the required fields on the PAM Configuration record:

    Field               Description
    Title               Configuration name, e.g. MySQL LAN Configuration
    Environment         Select: Local Network
    Gateway             Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MySQL database
    Application Folder  Select the shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources.

    3. Set up PAM User records

    Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records in your local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

    The following table lists the required fields on the PAM User record:

    Field        Description
    Record Type  PAM User
    Title        Keeper record title
    Login        Case-sensitive username of the database account being rotated. Example: msmith
    Password     Account password; optional, rotation will set one if blank

    4. Configure Rotation on the PAM User records

    Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

    • Select the desired schedule and password complexity.

    • The "Rotation Settings" should use the PAM Configuration set up previously.

    • The "Resource Credential" field should select the PAM Database credential set up in Step 1.

    • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

    Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
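The MongoDB, PostgreSQL, MS SQL Server and MySQL guides above all end with Keeper changing a password over the database's native protocol using the linked admin credential. As an added example, not Keeper's implementation, the Python below shows what that native change amounts to for each engine: it applies the default ports and "Connect Database" values from the guides and quotes the login and password per engine, so that a username containing quote characters cannot alter the statement. The host value and the '%' host part of the MySQL account are assumptions; nothing here connects to a server.

```python
"""Native password-change commands for the database types covered above.
Added illustration of what a native-protocol rotation performs; it is not
Keeper's implementation and does not connect to anything."""
from dataclasses import dataclass
from typing import Optional, Union

# From the guides: default port and default "Connect Database" per engine.
DEFAULTS = {
    "mongodb":    (27017, "admin"),
    "postgresql": (5432, "template1"),
    "mssql":      (1433, "master"),
    "mysql":      (3306, None),
}

# Quoting helpers: the rotated login is untrusted input to the statement, so
# every delimiter that appears inside it is doubled per the engine's rules.
def pg_ident(name):       # PostgreSQL identifier: "..." with " doubled
    return '"' + name.replace('"', '""') + '"'

def sql_literal(s):       # PostgreSQL / MSSQL string: '...' with ' doubled
    return "'" + s.replace("'", "''") + "'"

def mysql_literal(s):     # MySQL also treats backslash as an escape character
    return "'" + s.replace("\\", "\\\\").replace("'", "''") + "'"

def mssql_ident(name):    # MSSQL identifier: [...] with ] doubled
    return "[" + name.replace("]", "]]") + "]"

@dataclass
class RotationCommand:
    host: str
    port: int
    connect_database: Optional[str]   # database the admin session opens
    use_ssl: bool
    command: Union[str, dict]         # SQL text, or a MongoDB command document

def build_rotation_command(db_type, host, login, new_password,
                           port=None, connect_database=None, use_ssl=False):
    if db_type not in DEFAULTS:
        raise ValueError(f"unsupported database type: {db_type}")
    default_port, default_db = DEFAULTS[db_type]
    if db_type == "postgresql":     # admin typically needs CREATEROLE
        cmd = f"ALTER ROLE {pg_ident(login)} WITH PASSWORD {sql_literal(new_password)}"
    elif db_type == "mysql":        # admin typically needs CREATE USER; '%' host part assumed
        cmd = f"ALTER USER {mysql_literal(login)}@'%' IDENTIFIED BY {mysql_literal(new_password)}"
    elif db_type == "mssql":        # admin typically needs ALTER ANY LOGIN
        cmd = f"ALTER LOGIN {mssql_ident(login)} WITH PASSWORD = N{sql_literal(new_password)}"
    else:                           # mongodb: a command document, no text interpolation at all
        cmd = {"updateUser": login, "pwd": new_password}
    return RotationCommand(host, port or default_port,
                           connect_database or default_db, use_ssl, cmd)
```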

    SSH Key Rotation Notes

    When rotating the private PEM key credential on a target machine or user, Keeper will update the authorized_keys file on the machine with the new public key. The first time a rotation occurs, the old public key is left intact in order to prevent system lockout. The second public key added to the file contains a comment that serves as an identifier for future rotations. For example:

    [compute-user@host .ssh]$ cat authorized_keys
    ssh-rsa AAAAB3NzaC1...11xZrfOxYXG6RV84mCZ3uldesEyV/ghLxAb7Fcz gcpdemo
    ssh-rsa AAAAB3NzaC...un+frl9Q== keeper-security-computeuser

    By default, Keeper will not remove other keys from the .ssh/authorized_keys file, since some providers place their own keys there in order to control the virtual machine (e.g. Google Cloud Platform).

    If the first rotation is successful, you can optionally delete the old public key entry in the authorized_keys file. On subsequent rotations, Keeper will update the line which contains the "keeper-security-xxx" comment.

    Rotation will also create a backup of the prior .ssh/authorized_keys file inside of the .ssh directory.

    For private key rotation, the new private key will have the same algorithm and key size (bits) as the current private key. For example, if the current private key is ecdsa-sha2-nistp256, the new private key will be ecdsa-sha2-nistp256. This can be overridden by adding a custom text field with the label Private Key Type and setting the value to one of the supported algorithms:

    • ssh-rsa - 4096 bits

    • ecdsa-sha2-nistp256 - ECDSA, 256 bits

    • ecdsa-sha2-nistp384 - ECDSA, 384 bits

    • ecdsa-sha2-nistp521 - ECDSA, 521 bits

    • ssh-ed25519

    This custom field can also be used if the current private key's algorithm cannot be detected.

    To prevent private key rotation, a custom text field can be added to the PAM User record with the label Private Key Rotate. If the value of the field is TRUE, or the field doesn't exist, the private key will be rotated if it exists. If the value is FALSE, the private key will not be rotated.

    For Linux user rotations, password-encrypted PEM files are not currently supported.

    Administrative Credential - SSH key only accounts

    When configuring a PAM User with only a private PEM key and no password as the admin credential for a machine resource, this user will execute all administrative operations such as password rotation. In this configuration, the admin account must be able to perform sudo operations without being prompted for a password.

    If a password is required to execute sudo commands, rotations for non-admin credentials on that resource will fail, since the admin credential does not include a password. To ensure successful rotation, configure the PEM-key-only admin account to run sudo commands without a password prompt.
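As an added illustration (not Keeper's code), the Python below models the authorized_keys behaviour described in the notes above: the first rotation appends the new key with its keeper-security comment and leaves every existing entry in place, later rotations replace only the line carrying that comment, and the prior file content is returned as the backup. It also applies the Private Key Type / Private Key Rotate field rules. The sample authorized_keys content and key strings are constructed and truncated.

```python
"""Model of the authorized_keys update and private-key rules described in the
SSH Key Rotation Notes. Added illustration, not Keeper's code; the sample
file and key material below are constructed and truncated."""

MARKER_PREFIX = "keeper-security-"   # comment that identifies the rotated key's line

# Algorithms the notes accept in the "Private Key Type" custom field.
SUPPORTED_KEY_TYPES = ("ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
                       "ecdsa-sha2-nistp521", "ssh-ed25519")

# Constructed authorized_keys: a provider-managed key is already present.
SAMPLE_AUTHORIZED_KEYS = "ssh-rsa AAAAB3NzaC1...Fcz gcpdemo\n"

def rotate_authorized_keys(current_text, new_public_key, marker):
    """Return (new_text, backup_text) for one rotation.

    First rotation: append the new key with its marker comment and leave every
    existing entry (old key, provider keys) intact. Later rotations: replace only
    the line whose comment field is the marker; other entries are never removed.
    """
    if not marker.startswith(MARKER_PREFIX):
        raise ValueError("marker must start with " + MARKER_PREFIX)
    backup = current_text                    # prior file is kept as the backup copy
    new_line = f"{new_public_key} {marker}"
    out, replaced = [], False
    for line in current_text.splitlines():
        fields = line.split()
        # an entry is "[options] type base64 [comment]"; match the marker only
        # as the trailing comment field, not as a substring anywhere in the line
        if not replaced and len(fields) >= 3 and fields[-1] == marker:
            out.append(new_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n", backup

def plan_private_key(current_type, custom_fields):
    """Apply the "Private Key Rotate" / "Private Key Type" rules.

    Returns None when the key must not be rotated, otherwise the algorithm the
    replacement key should use (same as the current key unless overridden).
    """
    if custom_fields.get("Private Key Rotate", "TRUE").strip().upper() == "FALSE":
        return None
    key_type = custom_fields.get("Private Key Type") or current_type
    if key_type not in SUPPORTED_KEY_TYPES:   # undetected or unsupported algorithm
        raise ValueError(f"set Private Key Type; cannot use {key_type!r}")
    return key_type
```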