System Architecture
Keeper Password Rotation architecture diagram and data flow
System Architecture Diagram
The Keeper Rotation Module infrastructure diagram is below.
Data Flow
Keeper Admin schedules rotation or clicks ‘Rotate Now’ from the Vault interface
Keeper backend schedules the rotation using the Record UID
Keeper Gateway establishes an outbound WebSocket connection, receives the request to rotate, and pulls the needed records using Keeper Secrets Manager APIs
The Keeper Gateway generates new credentials and updates both Keeper and the target resource
The Gateway runs custom post-execution scripts on the Gateway or target machines
Client devices securely retrieve the updated record using Keeper Secrets Manager
Vault end-users receive the latest rotated information on the Keeper Vault user interface
Keeper's Advanced Reporting & Alerts module logs all events and triggers alerts
Components
Keeper Gateway
The Keeper Gateway is a lightweight service that is installed in the customer's environment and communicates outbound to Keeper services. The Gateway performs rotation, discovery and connections to assets on the network. The Gateway receives commands from the Keeper Router, then uses Keeper Secrets Manager APIs to authenticate, communicate and decrypt data from the Keeper cloud.
Keeper Router
Keeper-hosted infrastructure that manages connections between Keeper and Rotation Gateways. The Cloud Router provides real-time messaging and communication between the Keeper Vault, customer gateway and Keeper backend services.
Keeper Backend API
Keeper's Backend API is the endpoint with which all Keeper client applications communicate. Client applications encrypt data locally and transmit encrypted ciphertext to the API in a Protocol Buffer format.
Scheduler
Keeper-hosted infrastructure that manages timing and logistics around scheduled rotation of credentials across the target infrastructure.
Admin Console
The management console used to set and enforce policies across all Keeper components.
Client Applications
The end-user interface for managing the vault and rotating passwords.