PAM Database
KeeperPAM resource for managing databases either on-prem or in the cloud
Last updated
Was this helpful?
KeeperPAM resource for managing databases either on-prem or in the cloud
Last updated
Was this helpful?
In your Keeper Vault, the following assets can be configured on the PAM Database record type:
PAM Database
MySQL, PostgreSQL, SQL Server, MongoDB, MariaDB, Oracle
This guide will cover the PAM Database Record type in more details.
The PAM Database resource supports the following features:
Password rotation
Zero-trust Connections
TCP Tunnels
Graphical session recording
Text session recording (Typescript)
Sharing access without sharing credentials
Connecting to the PAM database requires only that the Keeper Gateway has access to the database either through native protocols or AWS/Azure APIs. The Keeper Vault operates independently and does not require direct connectivity to the database, leveraging Keeper's zero-trust network access model to securely manage access through the Gateway. See the network architecture diagram for more details.
Prior to creating a PAM Database, make sure you have already created a PAM Configuration. The PAM Configuration contains information of your target infrastructure while the PAM Database contains information about the target database, such as the hostname, type (MySQL, PostgreSQL, etc) and port number.
To create a PAM Database:
Click on Create New
Depending on your use case, click on "Rotation", "Tunnel", or "Connection"
On the prompted window:
Select "New Record"
Select the Shared Folder you want the record to be created in
Specify the Title
Select "Database" for the Target
Click "Next" and complete all of the required information.
The following table lists all the configurable fields on the PAM Database Record Type:
Hostname or IP Address
Address of the Database Resource
Required
Port
Port to connect to the Database Resource
Required Standard ports are: PostgreSQL: 5432 MySQL: 3306 Maria DB: 3306 Microsoft SQL: 1433 Oracle: 1521 Mongo DB: 27017
Use SSL
Use SSL when connecting
Connect Database
Database name to connect to
Required for connecting to PostgreSQL, MongoDB, and MS SQL Server
Database Id
Azure or AWS Resource ID
Required if a managed AWS or Azure Database
Database Type
Appropriate database type from supported databases.
If a non-standard port is provided, the Database Type will be used to determine connection method.
Provider Group
Azure or AWS Provider Group
Required if a managed AWS or Azure Database
Provider Region
Azure or AWS Provider Region
Required if a managed AWS or Azure Database
On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.
PAM Configuration
Associated PAM Configuration record which defines the environment
Required
Administrative Credential Record
Linked PAM User credential used for connection and administrative operations
Required Visit this section for more details
Protocol
Native database protocol used for connecting from the Gateway to the target
Required
Connection Parameters (multiple)
Connection-specific protocol settings which can vary based on the protocol type
Depends on protocol
Below is an example of a PAM Database record with Connections and Tunnels activated.
Visit the following pages to set up: