All pages
Powered by GitBook
1 of 1

Native MongoDB

Rotating Local Network MongoDB database accounts with Keeper Rotation

Overview

In this guide, you'll learn how to rotate Local MongoDB User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.

Prerequisites

This guide assumes the following tasks have already taken place:

  • Keeper Secrets Manager is enabled for your role

  • Keeper Rotation is enabled for your role

  • A Keeper Secrets Manager application has been created

  • A Keeper Rotation gateway is already installed, running, and is able to communicate to your MongoDB Database

1. Set up a PAM Database Record

Keeper Rotation will use an admin credential linked to the PAM Database to rotate credentials of other accounts in your local environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of other accounts.

The following table lists all the required fields that needs to be filled on the PAM Database Record with your information:

Field
Description

Title

Keeper record title Ex: dbadmin

Hostname or IP Address

Server address - doesn't need to be publicly routable

Port

For default ports, see port mapping Ex: mongodb=27017

Use SSL

Check to perform SSL verification before connecting, if your database has SSL configured

Administrative Credentials

Linked PAM User record that contains the username and password of the Admin account which will perform the rotation.

Connect Database

Optional database that will be used when connecting to the database server. For example, MongoDB requires a database and so this will default to admin.

Database Type

mongodb

2. Set up a PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:

Field
Description

Title

Configuration name, example: MongoDB LAN Configuration

Environment

Select: Local Network

Gateway

Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MongoDB database

Application Folder

Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources.

3. Set up one or more PAM User records

Keeper Rotation will use the credentials linked from the PAM Database record to rotate the PAM User records on your local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

The following table lists all the required fields on the PAM User record:

Field
Description

Record Type

PAM User

Title

Keeper record title

Login

Case sensitive username of the db account being rotated. Example: msmith

Password

Account password is optional, rotation will set one if blank

Connect Database

Optional database that will be used when connecting to the database server. For example: MongoDB requires a database and so this will default to admin.

4. Configure Rotation on the PAM User records

Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

  • Select the desired schedule and password complexity.

  • The "Rotation Settings" should use the PAM Configuration setup previously.

  • The "Resource Credential" field should select the PAM Database credential setup from Step 1.

  • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with edit rights to a PAM User record has the ability to setup rotation for that record.