
Database

DB credential Rotation in the Local Environment

In this section, you will learn how to rotate database user credentials within your local network.

Databases Supported

  • Native MySQL

  • Native MariaDB

  • Native PostgreSQL

  • Native MongoDB

  • Native MS SQL Server

  • Native Oracle

Native MySQL

Rotating Local Network MySQL database accounts with Keeper Rotation

Overview

In this guide, you'll learn how to rotate Local MySQL Database User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.

Prerequisites

This guide assumes the following tasks have already taken place:

  • Keeper Secrets Manager is enabled for your role

  • Keeper Rotation is enabled for your role

  • A Keeper Secrets Manager application has been created

  • A Keeper Rotation gateway is already installed, running, and is able to communicate to your MySQL database

1. Set up a PAM Database Record

Keeper Rotation will use an admin credential linked from the PAM Database record to rotate credentials of other accounts in your local environment. These admin credentials need sufficient permissions to change the credentials of other accounts.

The following table lists all the required fields that need to be filled in on the PAM Database Record with your information:

| Field | Description |
| --- | --- |
| Title | Keeper record title. Ex: dbadmin |
| Hostname or IP Address | Server address - doesn't need to be publicly routable |
| Port | For default ports, see port mapping. Ex: mysql=3306 |
| Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
| Administrative Credentials | Linked PAM User record that contains the username and password of the Admin account which will perform the rotation. |
| Database Type | mysql |
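The admin credential linked in this step does not have to be root. The statements below are an added example, not part of the Keeper documentation: they create a dedicated rotation admin on MySQL 8.0 that holds only the privilege ALTER USER requires. The account name keeper_rot, the gateway address 10.0.0.15, the host part '%' and both passwords are constructed placeholders, and it is an assumption that the gateway changes passwords with ALTER USER.

```sql
-- Added example: least-privilege admin for credential rotation on MySQL 8.0.
-- keeper_rot, 10.0.0.15 and both passwords are constructed placeholders.
-- Assumption: the rotation is carried out with ALTER USER ... IDENTIFIED BY.

-- 1. Dedicated admin that can log in only from the gateway host and only
--    over TLS (pairs with the "Use SSL" field on the PAM Database record).
CREATE USER 'keeper_rot'@'10.0.0.15'
  IDENTIFIED BY 'Constructed-Placeholder-1!'
  REQUIRE SSL;

-- 2. ALTER USER on another account needs the global CREATE USER privilege
--    (or UPDATE on the mysql system schema). Grant only that, with no data
--    privileges. CREATE USER also permits creating, renaming and dropping
--    accounts, so the credential still belongs in a restricted folder.
GRANT CREATE USER ON *.* TO 'keeper_rot'@'10.0.0.15';

-- 3. Only if accounts holding SYSTEM_USER are rotated as well
--    (MySQL 8.0.16 and later): the rotating account needs SYSTEM_USER too.
-- GRANT SYSTEM_USER ON *.* TO 'keeper_rot'@'10.0.0.15';

-- 4. Confirm the account carries nothing broader than intended.
SHOW GRANTS FOR 'keeper_rot'@'10.0.0.15';

-- 5. The kind of statement this privilege permits, shown for the sample
--    login msmith; the host part '%' is an assumption.
ALTER USER 'msmith'@'%' IDENTIFIED BY 'Constructed-Placeholder-2!';

-- 6. After a rotation, check that the password change registered.
--    Run this as a DBA: keeper_rot has no SELECT privilege on mysql.user.
SELECT user, host, password_last_changed
FROM mysql.user
WHERE user = 'msmith';
```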

2. Set up a PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:

| Field | Description |
| --- | --- |
| Title | Configuration name, example: MySQL LAN Configuration |
| Environment | Select: Local Network |
| Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MySQL database |
| Application Folder | Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources. |

3. Set up PAM User records

Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

The following table lists all the required fields on the PAM User record:

| Field | Description |
| --- | --- |
| Record Type | PAM User |
| Title | Keeper record title |
| Login | Case sensitive username of the db account being rotated. Example: msmith |
| Password | Account password is optional; rotation will set one if blank |

4. Configure Rotation on the PAM User records

Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

  • Select the desired schedule and password complexity.

  • The "Rotation Settings" should use the PAM Configuration set up previously.

  • The "Resource Credential" field should select the PAM Database credential set up in Step 1.

  • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with edit rights to a PAM User record has the ability to set up rotation for that record.

Native MariaDB

Rotating Local Network MariaDB database accounts with Keeper Rotation

Overview

In this guide, you'll learn how to rotate Local MariaDB User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.

Prerequisites

This guide assumes the following tasks have already taken place:

  • Keeper Secrets Manager is enabled for your role

  • Keeper Rotation is enabled for your role

  • A Keeper Secrets Manager application has been created

  • A Keeper Rotation gateway is already installed, running, and is able to communicate to your MariaDB database

1. Set up a PAM Database Record

Keeper Rotation will use an admin credential linked to the PAM Database record to rotate credentials of other accounts in your local environment. These admin credentials need sufficient permissions to change the credentials of other accounts.

The following table lists all the required fields that need to be filled in on the PAM Database Record with your information:

| Field | Description |
| --- | --- |
| Title | Keeper record title. Ex: dbadmin |
| Hostname or IP Address | Server address - doesn't need to be publicly routable |
| Port | For default ports, see port mapping. Ex: mariadb=3306 |
| Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
| Administrative Credentials | Linked PAM User record that contains the username and password of the Admin account which will perform the rotation. |
| Database Type | mariadb or mariadb-flexible |

2. Set up a PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:

| Field | Description |
| --- | --- |
| Title | Configuration name, example: MariaDB LAN Configuration |
| Environment | Select: Local Network |
| Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MariaDB database |
| Application Folder | Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources. |

3. Set up one or more PAM user records

Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

The following table lists all the required fields on the PAM User record:

| Field | Description |
| --- | --- |
| Record Type | PAM User |
| Title | Keeper record title |
| Login | Case sensitive username of the db account being rotated. Example: msmith |
| Password | Account password is optional; rotation will set one if blank |

4. Configure Rotation on PAM User records

Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

  • Select the desired schedule and password complexity.

  • The "Rotation Settings" should use the PAM Configuration set up previously.

  • The "Resource Credential" field should select the PAM Database credential set up in Step 1.

  • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with edit rights to a PAM User record has the ability to set up rotation for that record.

Native PostgreSQL

Rotating Local Network PostgreSQL database accounts with Keeper Rotation

Overview

In this guide, you'll learn how to rotate Local Postgres Database User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.

Prerequisites

This guide assumes the following tasks have already taken place:

  • Keeper Secrets Manager is enabled for your role

  • Keeper Rotation is enabled for your role

  • A Keeper Secrets Manager application has been created

  • A Keeper Rotation gateway is already installed, running, and is able to communicate to your Postgres database

1. Set up a PAM Database Record

Keeper Rotation will use an admin credential linked to the PAM Database to rotate credentials of other accounts in your local environment. These admin credentials need sufficient permissions to change the credentials of other accounts.

The following table lists all the required fields that need to be filled in on the PAM Database Record with your information:

| Field | Description |
| --- | --- |
| Title | Keeper record title. Ex: dbadmin |
| Hostname or IP Address | Server address - doesn't need to be publicly routable |
| Port | For default ports, see port mapping. Ex: postgresql=5432 |
| Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
| Administrative Credentials | Linked PAM User record that contains the username and password of the Admin account which will perform the rotation. |
| Connect Database | Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database and so this will default to template1. |
| Database Type | postgresql or postgresql-flexible |

2. Set up a PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:

| Field | Description |
| --- | --- |
| Title | Configuration name, example: PostgreSQL LAN Configuration |
| Environment | Select: Local Network |
| Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your PostgreSQL database |
| Application Folder | Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources. |

3. Set up one or more PAM user records

Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

The following table lists all the required fields on the PAM User record:

| Field | Description |
| --- | --- |
| Record Type | PAM User |
| Title | Keeper record title |
| Login | Case sensitive username of the db account being rotated. Example: msmith |
| Password | Account password is optional; rotation will set one if blank |
| Connect Database | Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database and so this will default to template1. |

4. Configure Rotation on the PAM User records

Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

  • Select the desired schedule and password complexity.

  • The "Rotation Settings" should use the PAM Configuration set up previously.

  • The "Resource Credential" field should select the PAM Database credential set up in Step 1.

  • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with edit rights to a PAM User record has the ability to set up rotation for that record.

Native MongoDB

Rotating Local Network MongoDB database accounts with Keeper Rotation

Overview

In this guide, you'll learn how to rotate Local MongoDB User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.

Prerequisites

This guide assumes the following tasks have already taken place:

  • Keeper Secrets Manager is enabled for your role

  • Keeper Rotation is enabled for your role

  • A Keeper Secrets Manager application has been created

  • A Keeper Rotation gateway is already installed, running, and is able to communicate to your MongoDB Database

1. Set up a PAM Database Record

Keeper Rotation will use an admin credential linked to the PAM Database to rotate credentials of other accounts in your local environment. These admin credentials need sufficient permissions to change the credentials of other accounts.

The following table lists all the required fields that need to be filled in on the PAM Database Record with your information:

| Field | Description |
| --- | --- |
| Title | Keeper record title. Ex: dbadmin |
| Hostname or IP Address | Server address - doesn't need to be publicly routable |
| Port | For default ports, see port mapping. Ex: mongodb=27017 |
| Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
| Administrative Credentials | Linked PAM User record that contains the username and password of the Admin account which will perform the rotation. |
| Connect Database | Optional database that will be used when connecting to the database server. For example, MongoDB requires a database and so this will default to admin. |
| Database Type | mongodb |

2. Set up a PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:

| Field | Description |
| --- | --- |
| Title | Configuration name, example: MongoDB LAN Configuration |
| Environment | Select: Local Network |
| Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MongoDB database |
| Application Folder | Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources. |

3. Set up one or more PAM User records

Keeper Rotation will use the credentials linked from the PAM Database record to rotate the PAM User records on your local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

The following table lists all the required fields on the PAM User record:

| Field | Description |
| --- | --- |
| Record Type | PAM User |
| Title | Keeper record title |
| Login | Case sensitive username of the db account being rotated. Example: msmith |
| Password | Account password is optional; rotation will set one if blank |
| Connect Database | Optional database that will be used when connecting to the database server. For example, MongoDB requires a database and so this will default to admin. |

4. Configure Rotation on the PAM User records

Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

  • Select the desired schedule and password complexity.

  • The "Rotation Settings" should use the PAM Configuration set up previously.

  • The "Resource Credential" field should select the PAM Database credential set up in Step 1.

  • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with edit rights to a PAM User record has the ability to set up rotation for that record.

Native MS SQL Server

Rotating Local Network Microsoft SQL Server database accounts with Keeper Rotation

Overview

In this guide, you'll learn how to rotate Local MS SQL Server Database User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.

Prerequisites

This guide assumes the following tasks have already taken place:

  • Keeper Secrets Manager is enabled for your role

  • Keeper Rotation is enabled for your role

  • A Keeper Secrets Manager application has been created

  • A Keeper Rotation gateway is already installed, running, and is able to communicate to your MS SQL Server database

    • If the Gateway is installed on a Linux or macOS server, install the Microsoft ODBC driver

1. Set up a PAM Database Record

Keeper Rotation will use an admin credential linked to the PAM Database to rotate credentials of other accounts in your local environment. These admin credentials need sufficient permissions to change the credentials of other accounts.

The following table lists all the required fields that need to be filled in on the PAM Database record with your information:

| Field | Description |
| --- | --- |
| Title | Keeper record title. Ex: dbadmin |
| Hostname or IP Address | Server address - doesn't need to be publicly routable |
| Port | For default ports, see port mapping. Ex: mssql=1433 |
| Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
| Administrative Credentials | Linked PAM User record that contains the username and password of the Admin account which will perform the rotation. |
| Connect Database | Optional database that will be used when connecting to the database server. For example, MS SQL Server requires a database and so this will default to master. |
| Database Type | mssql |

2. Set up a PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:

| Field | Description |
| --- | --- |
| Title | Configuration name, example: MSSQL LAN Configuration |
| Environment | Select: Local Network |
| Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MS SQL Server database |
| Application Folder | Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources. |

3. Set up one or more PAM User records

Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

The following table lists all the required fields on the PAM User record:

| Field | Description |
| --- | --- |
| Record Type | PAM User |
| Title | Keeper record title |
| Login | Case sensitive username of the db account being rotated. Example: msmith |
| Password | Account password is optional; rotation will set one if blank |
| Connect Database | Optional database that will be used when connecting to the database server. For example, MS SQL Server requires a database and so this will default to master. |

4. Configure Rotation on the PAM User records

Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

  • Select the desired schedule and password complexity.

  • The "Rotation Settings" should use the PAM Configuration set up previously.

  • The "Resource Credential" field should select the PAM Database credential set up in Step 1.

  • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with edit rights to a PAM User record has the ability to set up rotation for that record.

Native Oracle

Rotating Local Network Oracle database accounts with Keeper Rotation

Overview

In this guide, you'll learn how to rotate Local Oracle Database User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.

Prerequisites

This guide assumes the following tasks have already taken place:

  • Keeper Secrets Manager is enabled for your role

  • Keeper Rotation is enabled for your role

  • A Keeper Secrets Manager application has been created

  • A Keeper Rotation gateway is already installed, running, and is able to communicate to your Oracle database

1. Set up a PAM Database Record

Keeper Rotation will use an admin credential linked to the PAM Database to rotate credentials of other accounts in your local environment. These admin credentials need sufficient permissions to change the credentials of other accounts.

The following table lists all the required fields that need to be filled in on the PAM Database record with your information:

| Field | Description |
| --- | --- |
| Title | Keeper record title. Ex: dbadmin |
| Hostname or IP Address | Server address - doesn't need to be publicly routable |
| Port | For default ports, see port mapping. Ex: oracle=1521 |
| Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
| Administrative Credentials | Linked PAM User record that contains the username and password of the Admin account which will perform the rotation. |
| Database Type | oracle |

2. Set up a PAM Configuration

If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.

If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:

| Field | Description |
| --- | --- |
| Title | Configuration name, example: Oracle LAN Configuration |
| Environment | Select: Local Network |
| Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Oracle database |
| Application Folder | Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources. |

3. Set up one or more PAM user records

Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

The following table lists all the required fields on the PAM User record:

| Field | Description |
| --- | --- |
| Record Type | PAM User |
| Title | Keeper record title |
| Login | Case sensitive username of the db account being rotated. Example: msmith |
| Password | Account password is optional; rotation will set one if blank |

4. Configure Rotation on the PAM User records

Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

  • Select the desired schedule and password complexity.

  • The "Rotation Settings" should use the PAM Configuration set up previously.

  • The "Resource Credential" field should select the PAM Database credential set up in Step 1.

  • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with edit rights to a PAM User record has the ability to set up rotation for that record.