KCM Version 2.21.0

Released on Sep 15, 2025

Overview

Keeper Connection Manager 2.21.0 introduces support for linked records in PAM, allowing dynamic tokens to pull admin and launch credentials from linked Keeper records, with new ${KEEPER_SERVER_ADMIN_*} and ${KEEPER_GATEWAY_LAUNCH_*} tokens alongside updates to existing ones.

This release also adds a healthcheck API endpoint to monitor service connectivity, authentication responsiveness, and license status. The release also incorporates Apache Guacamole 1.6.0 improvements including enhanced text selection, VNC auto-resize, expanded parameter tokens, and Wake-on-LAN checks. Additional updates include configurable username case sensitivity, group-based MFA enforcement, LDAP and OpenID Connect enhancements, and broader internationalization and keyboard layout support.

Support for KeeperPAM Linked Records

KCM-421: Support for Linked Records

The Keeper Secrets Manager integration is now capable of reading secrets that involve linked records, specifically the “admin” and “launch” credentials that may be associated with a PAM record in the Vault. Similar to the established ${KEEPER_SERVER_*} and ${KEEPER_GATEWAY_*} tokens, additional dynamic tokens are now available that pull secrets from linked records.

${KEEPER_SERVER_ADMIN_*}

The requested admin credentials (e.g., ${KEEPER_SERVER_ADMIN_PASSWORD}) that are linked to the Keeper record matching the remote desktop server’s hostname (exactly as ${KEEPER_SERVER_*} would match).

${KEEPER_SERVER_LAUNCH_*}

The requested launch credentials (e.g., ${KEEPER_SERVER_LAUNCH_PASSWORD}) that are linked to the Keeper record matching the remote desktop server’s hostname (exactly as ${KEEPER_SERVER_*} would match).

${KEEPER_GATEWAY_ADMIN_*}

The requested admin credentials (e.g., ${KEEPER_GATEWAY_ADMIN_PASSWORD}) that are linked to the Keeper record matching the remote desktop server’s “gateway-hostname” parameter (exactly as ${KEEPER_GATEWAY_*} would match). This is specific to use of the Microsoft RD Gateway and applies only to RDP connections.

${KEEPER_GATEWAY_LAUNCH_*}

The requested launch credentials (e.g., ${KEEPER_GATEWAY_LAUNCH_PASSWORD}) that are linked to the Keeper record matching the remote desktop server’s “gateway-hostname” parameter (exactly as ${KEEPER_GATEWAY_*} would match). This is specific to use of the Microsoft RD Gateway and applies only to RDP connections.

Changes to established dynamic token behavior

Additionally, the ${KEEPER_SERVER_*} and ${KEEPER_GATEWAY_*} tokens will now use the linked “admin” credentials for any record that includes linked admin credentials. Secrets stored directly in a matching record will now only be used for dynamic tokens if the record does not use record links.

Endpoint for checking health and license status

KCM-469: Healthcheck API

KCM now includes an automatic healthcheck that runs regularly, checking that the guacd service is reachable, that the authentication subsystem is responsive, and that the KCM license is not expiring soon. The healthcheck includes a REST API endpoint that can be automatically queried to check the status of the system.

The healthcheck endpoint can be reached by issuing a GET request to .../api/ext/healthcheck/full and does not require authentication. For example, if KCM is hosted at kcm.example.net, the following curl command would retrieve the status of the healthcheck:

curl https://kcm.example.net/api/ext/healthcheck/full

If the KCM server is healthy and the license is valid, this will produce JSON that looks like the following:

{ "licensed": true, "licenseExpiresSoon": false, "healthy" : true }

If unhealthy, or if the license is not valid, the flags shown in the above JSON will have different values. The flags in the healthcheck response JSON are as follows:

licensed
    Whether the KCM license is currently valid. If the license is valid and unexpired, this will be true. If the license is invalid or has expired, this will be false.

licenseExpiresSoon
    Whether the KCM license is currently valid but expiring soon. If the license is not expiring soon, this will be false. If the license is expiring soon and should be renewed as soon as possible, this will be true.

    The amount of time used to define “soon” for the sake of this check is configurable (see below). By default, the license is considered to be expiring “soon” if it expires within the next week.

    NOTE: This property will be omitted if licensed is false.

healthy
    Whether the KCM server is healthy, based on testing the availability of the guacd service and KCM’s own authentication system. If either guacd or KCM’s authentication system appears to be unresponsive, this will be false. If both appear to be available, this will be true.

The behavior of the healthcheck can be modified using the following configuration properties (RPM installation) or environment variables (Docker installation):

Configuration property (guacamole.properties) / Environment variable

healthcheck-interval / HEALTHCHECK_INTERVAL
    The number of seconds to wait between each healthcheck. Independent of any requests to the healthcheck endpoint, KCM will perform this healthcheck regularly according to this interval. Requests to the healthcheck endpoint simply return the result of the most recent check.

    By default, the healthcheck is performed every 5 seconds.

healthcheck-license-grace-period / HEALTHCHECK_LICENSE_GRACE_PERIOD
    The number of days before license expiration at which the license is considered to be expiring “soon”. Once this period is reached, but the license has not yet expired, licenseExpiresSoon will be true in the healthcheck response.

    By default, the license will be considered to be expiring “soon” if it expires in the next 7 days.

healthcheck-base-uri / HEALTHCHECK_BASE_URI
    The base URI of the KCM server that the healthcheck should use to verify availability of the authentication service. This URI need only be reachable over the local network from KCM itself.

    By default, http://localhost:8080 is used.
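As an added example (not part of the original release notes or of KCM itself), the following monitoring check polls the unauthenticated healthcheck endpoint described above and maps the three documented flags to Nagios-style exit codes, treating a missing or non-boolean flag as a failure and accounting for licenseExpiresSoon being omitted when licensed is false. The kcm.example.net host comes from the release notes; the exit-code convention and timeout are this example's own choices.

```python
"""Nagios-style check against the KCM healthcheck endpoint (example code)."""
import json
import sys
import urllib.request

# Nagios plugin exit codes (assumption of this example, not a KCM convention)
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def fetch_healthcheck(base_url, timeout=5.0):
    """GET .../api/ext/healthcheck/full and return the raw response body.

    The endpoint needs no authentication, so no credentials are sent.
    """
    url = base_url.rstrip("/") + "/api/ext/healthcheck/full"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def evaluate_healthcheck(body):
    """Turn the healthcheck JSON into (exit_code, message).

    healthy != true or licensed != true -> CRITICAL (fail closed on missing keys)
    licenseExpiresSoon == true           -> WARNING
    licenseExpiresSoon is omitted by KCM when licensed is false, so it is only
    consulted once the license is known to be valid.
    """
    try:
        flags = json.loads(body)
    except ValueError:
        return UNKNOWN, "healthcheck returned a non-JSON body"
    if not isinstance(flags, dict):
        return UNKNOWN, "healthcheck JSON is not an object"

    problems = []
    if flags.get("healthy") is not True:
        problems.append("guacd or the authentication subsystem is unresponsive")
    if flags.get("licensed") is not True:
        problems.append("KCM license is invalid or expired")
    if problems:
        return CRITICAL, "; ".join(problems)
    if flags.get("licenseExpiresSoon") is True:
        return WARNING, "KCM license expires soon; renew it"
    return OK, "KCM healthy, license valid"


if __name__ == "__main__":
    # Usage: python check_kcm.py https://kcm.example.net
    base = sys.argv[1] if len(sys.argv) > 1 else "https://kcm.example.net"
    code, msg = evaluate_healthcheck(fetch_healthcheck(base))
    print(msg)
    sys.exit(code)
```

Because the endpoint answers without authentication, poll it from the monitoring host and restrict the path at the reverse proxy if license and health status should not be visible to every client.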

Improvements/fixes from upstream Apache Guacamole 1.6.0

KCM-446: Keeper Connection Manager has been brought up to date with the latest upstream release of Apache Guacamole. Many of the other improvements that are part of this upstream release were already backported in previous KCM releases; however, there are several noteworthy updates that are new:

  • Text may now be selected by double-clicking in the terminal emulator.

  • Various issues with copying text in the terminal emulator containing newlines or indentation have been fixed.

  • Automatic resize of the VNC display is supported where also supported by the VNC server.

  • Additional parameter tokens for the domain of an LDAP user, JWT claims from OpenID Connect, and for the current connection name.

  • Better handling of Wake-on-LAN via automatic checks for machine availability.

Configuration options not yet mapped to Docker environment variables

The following noteworthy updates are also new, but are currently only configurable with the Docker images through the ADDITIONAL_GUACAMOLE_PROPERTIES catch-all environment variable (their new properties are not yet explicitly mapped to environment variables):

  • TOTP enforcement can be disabled based on group membership and IP address.

  • Username case sensitivity is now configurable.

User interface / platform updates

  • Add parameter token for connection name (GUACAMOLE-1177)

  • Configurable username case sensitivity (GUACAMOLE-1239)

  • Display whether user groups are disabled in group list (GUACAMOLE-1479)

  • Support for true fullscreen mode and keyboard lock (GUACAMOLE-1525)

  • Allow branding/customization of the section headers on the user home page (GUACAMOLE-1584)

  • Add support for specifying VNC “encodings” parameter in webapp UI (GUACAMOLE-1642)

  • Base64 encoding of image/binary data results in excessive syscalls that can degrade performance (GUACAMOLE-1776)

  • Improvements to the “Recent connections” section (GUACAMOLE-1866)

  • Provide notification, jump-to-top of page for a clone operation (GUACAMOLE-1916)

Authentication, integration, and storage

  • Ensure GUAC_DATE/GUAC_TIME tokens match connection startDate (GUACAMOLE-61)

  • Add Proxy Hostname and Port to LDAP Extension (GUACAMOLE-577)

  • Randomize generation of TOTP key until enrollment is confirmed (GUACAMOLE-1068)

  • Allow TOTP to be disabled by group membership (GUACAMOLE-1219)

  • Allow LDAP extension to configure TLS level (GUACAMOLE-1488)

  • Allow user to configure Keeper Secrets Manager call frequency (GUACAMOLE-1722)

  • Map JWT claims from OpenID Connect as parameter tokens (GUACAMOLE-1844)

  • Allow MFA to be bypassed or enforced based on client IP (GUACAMOLE-1855)

  • Add parameter token for domain of LDAP user (GUACAMOLE-1881)

Protocol support

Internationalization
