1 of 100

KeeperPAM and Secrets Manager

Overview

KeeperPAM is a modern, cloud-based Privileged Access Manager

Overview

KeeperPAM is a next-gen privileged access management solution that secures and manages access to critical resources, including servers, web apps, databases and workloads.

KeeperPAM consolidates enterprise password management, secrets management, connection management, zero-trust network access, remote browser isolation and a cloud-based access control plane in one unified product.

To learn more about KeeperPAM or sign up for a trial:

KeeperPAM Website

About this Documentation

This documentation is broken out into 3 sections:

Additional documentation on the Keeper platform can be found here:

KeeperPAM vs. Keeper Connection Manager

KeeperPAM is a cloud-native privileged access solution that requires only a lightweight gateway installation, while Keeper Connection Manager (KCM) is a fully self-hosted solution.

KeeperPAM works through outbound-only connections with zero-knowledge encryption, eliminating the need for inbound firewall rules or direct line-of-sight to resources. In contrast, KCM is fully hosted by the customer with control over the authentication, database, web server, reverse proxy and session recordings.

Customers who purchase KeeperPAM may use either the cloud version (described in this documentation) or the self-hosted connection manager as part of the license.

Features

KeeperPAM provides the following capabilities:

Zero-trust connections launched from the Vault
Tunnels established from the Desktop App for ZTNA
Sharing connections without exposing credentials
Sharing tunnels on a time-limited basis
Built-in SSH Agent for use with and without tunneling
Launching remote browser isolation sessions
Session recording and playback
File transfer with drag-and-drop
Splitting credentials between PAM Resources and PAM Users
Discovery of resources
All new Keeper Gateway setup wizard
Docker-based deployment of the Keeper Gateway
Role-based enforcement policies covering PAM use cases
Event reporting of all PAM activity with SIEM integration

Contact the Keeper Team

If you are an existing customer, your customer success team can activate KeeperPAM in your account.

Contact our team

For technical questions, you can also email pam@keepersecurity.com.

Next Steps

Start the setup of KeeperPAM
Launch the Quick Start: Sandbox
Deep dive into the Getting Started guide for KeeperPAM

Privileged Access Manager

Setup Steps

Accessing the KeeperPAM platform

Setup Steps

Follow the below steps to start using KeeperPAM.

Keeper Enterprise license

If you are not a Keeper customer or do not have the required license, you can start a free trial from our website. The free trial includes KeeperPAM full capabilities.

Activate Privileged Access Manager

From the Keeper Admin Console, ensure that your Privileged Access Manager subscription is active. Go to the Admin Console > Subscriptions and activate the trial or contact your Keeper customer success manager.

Enable PAM Policies

From the Admin Console, enable the corresponding PAM Enforcement Policies.

Login to the Admin Console for your region.
Under Admin > Roles, create a new role for PAM or modify an existing role
Go to Enforcement Policies and open the "Privileged Access Manager" section.
Enable all the PAM enforcement policies to use the new features.
Assign yourself or your test user account to this role.

Existing Customers: Updating your Gateway

This assumes you are an existing customer with Keeper Secrets Manager and you have a Gateway already deployed. Using the latest Keeper Gateway is required to support the new features. Depending on the operating system, features available will differ.

Docker

Use the basic docker-compose.yml file as shown below:

services:
      keeper-gateway:
        platform: linux/amd64
        image: keeper/gateway:latest
        shm_size: 2g
        security_opt:
          - "seccomp:docker-seccomp.json"
        environment:
          ACCEPT_EULA: Y
          GATEWAY_CONFIG: XXXXXXXXXXXX

Download the file called docker-seccomp.json and place it in the same folder as your Docker Compose file.

Windows

Download the latest installer: 64-bit Installer (preferred) or 32-bit Installer
You'll be asked to confirm uninstalling the previous Gateway, this is OK
Ensure the "Enter one-time access token" selection is NOT selected

Linux

To update an existing Gateway on Linux:

curl -fsSL https://keepersecurity.com/pam/install | sudo bash -s --

Retrieving the Configuration

If you are replacing an existing Gateway, get the old base64 configuration string from: /etc/keeper-gateway/gateway-config.json on Linux or C:\ProgramData\KeeperGateway\config\gateway-config.json on Windows.

New Customers: Create a new Gateway and Sandbox

Follow the step by step guide in the Getting Started section of this documentation. A new Quick Start Wizard is available to instantly create a sandbox for testing out a few of the connection types.

Explore new features

Notes

PAM Features differ between Linux, Docker and Windows versions of the Keeper Gateway.
For a full range of features, use the Docker installation method, or Linux installation method on Rocky Linux or RHEL8.
We recommend setting up a Keeper Gateway using the new Quick Start Sandbox. This provides a customized Docker Compose file that provides an instant sandbox for testing.

Feedback

Please email us at pam@keepersecurity.com with your feedback and we'll quickly assist you with any questions.

Quick Start: Sandbox

Quickly and easily get started with a pre-configured PAM setup in your vault

Quick Start Wizard

To learn some KeeperPAM basics, we have created a wizard that is integrated into the Vault. If you select the Docker install method, this wizard will create all the necessary vault records, configurations and a customized Docker Compose file for quickly standing up a sandbox environment in less than 3 minutes.

Activate KeeperPAM

Under Admin > Roles, create a new role for PAM or modify an existing role
Go to Enforcement Policies and open the "Privilege Access Manager" section.
Enable all the PAM enforcement policies
Ensure you are assigned to this role

Run the New Gateway Wizard

Click on Create New > Gateway
Enter a name for the project, such as "My Infrastructure Demo"
Select Docker for the gateway
Select "Create with example records"
Click Next
After the wizard is finished, immediately download the provided docker-compose.yml and docker-seccomp.json files.

Run the Docker Environment

Set up a VM which supports Docker. It can be a Linux instance or Windows running Docker Desktop. The instance can exist anywhere, even on your local computer.
Transfer the Docker Compose and Seccomp files from Step 2 to the VM.
Run docker compose up -d from the folder where the files are saved.
- You may need to use a dash, e.g. docker-compose up -d depending on the VM

Test some PAM features

You can now instantly connect to any of the resources by clicking "Launch" from the record detail view.
The MySQL account, SSH password and SSH key can be rotated by clicking "Rotate" from the record detail within the Users folder.
Note: Remote Browser Isolation won't work on some ARM processors

Records Created

The wizard will create the following in your vault:

A folder containing Resources and Users in separate shared folders
A MySQL database
A Linux machine with VNC connection to the desktop UI
A Linux machine with SSH connection using an SSH Key
A Linux machine with SSH connection using a password
A Linux machine with RDP connection to the desktop UI
A Remote Browser Isolation session to bing.com
A Secrets Manager Application and PAM Configuration with all PAM features enabled
A Keeper Gateway ready to initialize

Quick Start Video

We've created a helpful Keeper 101 video to set up your sandbox environment:

Screenshots

Below are screenshots of the Quick Start Wizard from start to finish.

Getting Started

Getting Started with KeeperPAM fundamentals

The Basics

KeeperPAM Features

Secrets Manager Features

Commander CLI Features

Enterprise Password Manager

Architecture

Technical details on the KeeperPAM platform architecture

Overview

KeeperPAM is a Zero-Knowledge platform, ensuring that encryption and decryption of secrets, connections, and tunnels occur locally on the end user's device through the Keeper Vault application. Access to resources in the vault is restricted to users with explicitly assigned permissions, enabling them to establish sessions or tunnels securely.

Keeper's zero-trust connection technology further enhances security by providing restricted and monitored access to target systems without direct connectivity, while never exposing underlying credentials or secrets.

This security content will cover the key areas of KeeperPAM:

Architecture Diagram
Vault Security
Router Security
Gateway Security
Connection and Tunnel Security

Architecture Diagram

Keeper Password Rotation architecture diagram and data flow

Architecture Diagram

The KeeperPAM infrastructure and security model ensures zero-knowledge encryption between the end-user's device and the target infrastructure. Keeper's servers have no ability to decrypt or intercept the underlying sessions.

Components

Keeper Gateway

The Keeper Gateway is a service which is installed into the customer's environment and communicates outbound to Keeper services. The Gateway performs the rotation, discovery and connections to assets on the network. The Gateway receives commands from the Keeper Router, then uses Keeper Secrets Manager APIs to authenticate, communicate and decrypt data from the Keeper cloud.

Keeper Router

The Keeper Router is infrastructure in Keeper's cloud that manages connections between Keeper and Rotation Gateways. The Cloud Router provides real-time messaging and communication between the Keeper Vault, customer gateway and Keeper backend services.

Keeper Relay

The Keeper Relay is infrastructure in Keeper's cloud that is responsible for establishing encrypted WebRTC connections between the end-user vault interface and the customer-hosted Keeper Gateway service.

Keeper Backend API

Keeper's Backend API is the endpoint which all Keeper client applications communicate with. Client applications encrypt data locally and transmit encrypted ciphertext to the API in a Protocol Buffer format.

Scheduler

Keeper hosted infrastructure that manages timing and logistics around scheduled rotation of credentials across the target infrastructure.

Admin Console and Control Plane

The Management console used to set and enforce policies across all Keeper components.

Client Applications

The end-user interface for managing the vault, rotating passwords, running discovery jobs, creating connections and managing tunnels.

Data Flow

Keeper user performs action (rotation, connection, tunneling, discovery) from the Vault interface, Admin Console, Commander CLI or other endpoint application.
Keeper Gateway establishes an outbound WebSocket connection to the Keeper Router, receives the requests to perform the action.
The Vault Client application establishes a WebRTC connection to the customer's hosted Keeper Gateway.
The Keeper Gateway pulls the necessary secrets from the vault using Keeper Secrets Manager APIs.
The Keeper Gateway performs the action on the target infrastructure (such as rotating a credential) and updates the relevant Keeper vault records.
The Keeper Gateway runs any required privilege automation scripts on the Gateway or target machines using native protocols and APIs.
Client devices securely retrieve the updated record using Keeper Secrets Manager APIs.
Vault end-users receive push notifications indicating that new data is available for syncing.
The vault performs encrypted syncing to the Keeper cloud to retrieve the latest record content.
Keeper's Advanced Reporting & Alerts module logs all events and triggers alerts.

Vault Security

Security and encryption model of the Keeper Vault

Keeper's platform is built with End-to-End Encryption (E2EE) across all devices and endpoints.

Data stored in the platform is encrypted locally and encrypted in transit between the user's devices
Information exchanged between Keeper users is encrypted from vault-to-vault
Data at rest is encrypted with multiple layers, starting with AES-256 encryption at the record level
Data in transit is encrypted with TLS and additional layers of transmission encryption which protects against access MITM, service providers and untrusted networks.

A full and detailed disclosure of all encryption related to data at rest, data in transit, cloud architecture and certifications can be found on the Keeper Enterprise Encryption Model page.

A video covering this model is below.

Router Security

Security and encryption model of the Keeper Router

Overview

Keeper Router ("Router") is a cloud service hosted in Keeper's cloud environment which facilitates communications between the Keeper backend API, end-user applications (Web Vault, Desktop App, etc.), and Keeper Gateways installed in the user’s environment. The Router is responsible for communications that perform resource discovery, password rotation, timed access and privileged connection management.

How does Keeper Router work?

In traditional or legacy privileged access products, the customer is responsible for installing on-prem software which is difficult to manage and configure in a cloud environment. In Keeper's model, a hosted service (called a Gateway) is installed into the customer's environment which establishes an outbound secure connection to the Keeper Router, enabling bi-directional communication to the Keeper cloud without any network configuration. Keeper Router makes cloud access to on-prem infrastructure easy and secure by utilizing WebSockets for the inbound requests.

With Keeper, WebSockets are established between the end-user device (e.g. Web Vault) and the Keeper Router using the user's current session token. The session token is verified by the Keeper Router to authenticate the session. All encrypted payloads sent to the Keeper Router are wrapped by a 256-bit AES transmission key in addition to TLS, to protect against MITM attacks. The transmission key is generated on the end-user device and transferred to the server using ECIES encryption via the Router's public EC key.

When a user on their Web Vault or Desktop App triggers a password rotation, discovery job or remote connection, the message flow is the following:

Upon installation of the Gateway, it authenticates with the Keeper Cloud using a hashed One Time Access Token one time. The client signs the payload and registers a Client Device Public Key with the server on the first authentication. After the first authentication, subsequent requests are sent to the Keeper Router and signed with the Client Device Private Key.
The Gateway establishes an authenticated WebSocket connection using the Client Device Private Key and ECDSA signature.
The Vault sends a message to the Keeper Router with a command to execute (rotation, tunnel, discovery, connection) and authenticates the command using the user's active session token.
The Vault only transmits command and control messages, for example: Rotate UID XXX. No secret information is communicated between Vault and Router. The Router authenticates the command using the session token of the record's rotation configuration to validate the user's request.
The Router relays the command to the destination gateway through the existing WebSocket connection.
The Gateway retrieves secrets, admin credentials, record details and other private data by using Keeper Secrets Manager APIs. API requests to the Keeper Cloud are sent with a Client Device Identifier and a request body that is signed with the Client Device Private Key. The server checks the ECDSA signature of the request for the given Client Device Identifier using the Client Public Key of the device. The Client Device decrypts the ciphertext response from the server with the Application Private Key, which decrypts the Record Keys and Shared Folder Keys. The Shared Folder Keys decrypt the Record Keys, and the Record Keys decrypt the individual Record secrets.
The Gateway uses Keeper Secrets Manager "update" commands to update the user's vault with any password or discovery job updates.
After a rotation or discovery job is complete, the Gateway informs the Router that the job is complete. ARAM event logs are triggered by the Router.

The Keeper Router architecture is Zero Knowledge, and Keeper's infrastructure never has the ability to access or decrypt any of the customer's stored vault data.

Keeper Router Architecture

The Router consists of two logical deployments that work together - the Head and the Workers.

The Router is hosted in Keeper’s AWS cloud environment, isolated to each of the global regions (US, EU, CA, AUS, JP, and US Gov).

The Head is not exposed to the internet, and performs the following functions:

Synchronization of global state between Workers
Inter-worker communication
Scheduling of events (e.g. rotation, discovery and connection requests)

The Workers connect to the Head via WebSocket and also use REST API calls to retrieve information. The Workers perform the following functions:

Communication with Gateways
Communication with Keeper end-user applications
Communication with Keeper backend API
Communication with Head

Workers are scaled and load balanced in each Keeper environment. Access to the Keeper Router is established through a common URL pattern in each region:

US: https://connect.keepersecurity.com

EU: https://connect.keepersecurity.eu

AU: https://connect.keepersecurity.com.au

CA: https://connect.keepersecurity.ca

JP: https://connect.keepersecurity.jp

US GOV: https://connect.keepersecurity.us

The end-user device will always communicate through the same Router instance. When the end-user vault connects to the Router system, a communication exchange is performed to ensure that the vault is communicating to the desired gateway. Once the Gateway communication is established, a Cookie is stored locally on the user's browser which expires automatically in 7 days. This Cookie is only used to establish a sticky session with the target Router instance, and does not contain any secret information.

Each Gateway device is associated with a unique UID. The Gateway UID is stored within an encrypted “PAM Configuration” record in the administrator's vault. This way, the Keeper vault record knows which Gateway must be used to perform the requested rotation, discovery or connection features.

Gateway Security

Security and encryption model of the Keeper Gateway service

What is the Keeper Gateway?

The Keeper Gateway is a service that is installed on-premise in order to execute rotation, discovery and connection tasks. The Keeper Gateway communicates outbound to the Keeper Router using WebSockets and Keeper Secrets Manager zero-knowledge protocols.

Authentication of the Gateway

The Keeper Gateway authenticates first to the Keeper Router using the One Time Access Token provided upon installation of the Gateway service on the target machine. After the first authentication, subsequent API calls to the Router authenticate using a Client Device Identifier (which is the HMAC_SHA512 hash of the One Time Access Token).

For accessing and decrypting vault records, the Keeper Gateway uses standard Keeper Secrets Manager APIs which perform client-side encryption and decryption of data. The security model of Keeper Secrets Manager ensures least privilege and zero knowledge by allocating only specific folders and records that can be decrypted by the service. API requests to the Keeper Cloud are sent with a Client Device Identifier and a request body that is signed with the Client Device Private Key. The server checks the ECDSA signature of the request for the given Client Device Identifier using the Client Public Key of the device.

Like any other Secrets Manager device, access can also be restricted based on IP address in addition to the encryption and signing process.

How does a Gateway fetch instructions?

Rotations can be performed on-demand or on a schedule. When an on-demand rotation, connection or discovery job is triggered by a user in the Web Vault or Desktop App, the Keeper Router uses the active WebSocket connection to the appropriate Gateway to receive instructions. The messages do not contain any secret information or encrypted ciphertext. All messages sent through the WebSocket contain only the command type (e.g. "rotate") and the affected Record UID ("UID") which is not a secret value.

For scheduled rotations, the same mechanism is used. Rotation schedules are tracked in the Router, and at the appropriate intervals rotation instructions are pushed to the Gateway. When the Gateway receives a rotation task, it uses the local KSM configuration to fetch the secrets associated with the provided Record UIDs and decrypts the record information locally. These secrets are in turn used to perform the rotation, discovery or connection.

How is the local KSM Configuration secured?

When the Gateway service is installed, the local KSM configuration is protected by permissions on the local file system. By default, the configuration will be stored in the home directory (.keeper folder) of the user that installed the Gateway.

Docker Install

The Docker installation method passes in the configuration through an environment variable in the Docker Compose file.

Linux Install

If Gateway is started as a user:

Config file: ~/.keeper/gateway-config.json
Logs folder: ~/.keeper/log

If Gateway is running as a service:

User: keeper-gateway-service
Config file: /etc/keeper-gateway/gateway-config.json
Logs folder: /var/log/keeper-gateway

Windows Install

If the Gateway is started via Command Line

Logs location: C:\Users\[USER NAME]\.keeper\logs\
Config File location: C:\Users\[USER NAME]\.keeper\gateway-config.json

If Gateway is started as a Windows Service

Logs location: C:\ProgramData\KeeperGateway\
Config File location: C:\ProgramData\KeeperGatewayPrivate\
Note: This folder can only be accessed by the user who installed the Gateway Service.

Access to the KSM configuration file allows a user to retrieve any associated secrets from Keeper. To prevent unauthorized access, this configuration file is only readable by the installing user and administrative accounts. On a Windows server, the Windows System account is used to run the service by default, and also has access to the KSM configuration.

In AWS environments, the configuration can be protected with the AWS KMS.

Data Caching

Caching is used for discovery but not for rotation. Every time a secret is rotated, the Gateway retrieves associated records in real time using the Keeper Secrets Manager APIs.

The Gateway Shell

The Gateway includes a virtual command shell. When the Gateway is run as a stand-alone application, the user is dropped into the shell. When the Gateway is run as a service, the shell is not accessible.

An SSH service is bundled with the Gateway to provide advanced debug access to the shell. The SSH service is not running by default, and there is no way to access the shell while it is disabled. When the Gateway service is started, an optional argument can be supplied to enable the SSH service component. When the SSH service is enabled, by default there are no accounts that can connect to it. A system administrator must create a key pair with an account to utilize SSH.

The Gateway shell does not provide commands to interact directly with secrets.

Commander Remote Troubleshooting

Keeper Commander can also be used to access the Gateway for troubleshooting. This leverages the connection between the Gateway and the Router, and the associated security mechanisms. For example, Commander can send a command to the Router to retrieve a list of running tasks on the Gateway. These commands can be used with any Gateway in the same enterprise as the Commander user.

Secrets and Logging

Any secrets that are retrieved during rotation are automatically scrubbed from log messages produced by the Gateway. This includes accidental logging, such as stack traces.

Post-Rotation Scripts

Keeper Gateway supports the ability to execute admin-generated scripts in PowerShell and Bash for performing customized behaviors after a successful rotation has taken place. The script is provided to the Gateway through a file attachment in the corresponding Keeper record. Post-Rotation scripts are categorized differently from general file attachments, and only the record owner has the ability to attach post-rotation scripts on the corresponding record.

The script is decrypted by the Gateway and then executed on the Gateway. Connections to secondary devices, for the purpose of restarting services, etc., must be orchestrated within the post-rotation script.

Obviously, the script which is uploaded to the Keeper record and executed on the gateway must be protected from malicious abuse. Keeper Administrators need to ensure that least privilege is assigned to the Keeper record.

When Post-Rotation scripts are run, stdout and stderr output from the script are written to disk in logs. Secrets are also automatically scrubbed from this output. Record UIDs can be logged in this way for diagnostic purposes. The Post-Rotation script can be written with any arbitrary code, however the Keeper Gateway provides the script with minimal information required to perform standard use cases through the command-line parameters. This includes the following parameters:

PAM Rotation Record UID (contains environment settings)
Resource Record UID (contains target resource data)
Account Record UID (the record that was rotated)
Old Password (from Account Record)
New Password (from Account Record)
Username (from Account Record)

After the command is executed, Keeper Gateway clears the command line history on Linux and Windows instances.

If a Post-Rotation script requires access to other secrets beyond those passed in automatically, users are strongly encouraged to use the Keeper Secrets Manager SDKs or the Secrets Manager CLI tool.

Connection and Tunnel Security

Security and encryption model of Connections and Tunnels

Overview

KeeperPAM provides the capability to establish cloud and on-prem privileged sessions, create tunnels, establish direct infrastructure access and secure remote database access.

What is a Connection?

A Connection is a visual remote session using the web browser. Interaction between the user and the target device is with a web browser window or within the Keeper Desktop application.

What is a Tunnel?

A Tunnel is a TCP/IP connection that is established between the local vault client through the Keeper Gateway to the target endpoint. The user can utilize any native application for communicating with the target endpoint, such as the command-line terminal, GUI application or database management application.

Connection and tunnel security

When the user establishes a connection or tunnel:

The Vault Client application communicates to the Keeper Router infrastructure to initiate a WebRTC connection that is protected by a ECDH symmetric key that is stored inside the relevant Keeper record.
The Keeper Gateway communicates with the Keeper Router through outbound-only WebSockets. This is described in detail in the Gateway Security section.
The Keeper Gateway utilizes Keeper Secrets Manager APIs to retrieve the necessary secrets from the vault, including the ECDH symmetric key.
For Connections, the Vault Client (using the Apache Guacamole protocol) passes data through the WebRTC connection to the Keeper Gateway that then uses Guacd to connect to the destination found in the Keeper record.
For Tunneling features (port forwarding), a local port is opened up on the local device running Keeper Desktop software. Data sent to the local port is transmitted through the WebRTC connection to the Keeper Gateway and subsequently forwarded to the target endpoint defined in the Keeper record.
Session recordings of connections are protected by an AES-256 encryption key ("recording key") which is generated on the Keeper Gateway on every session. The recording key is additionally wrapped by a HKDF-derived AES-256 resource key.

KeeperPAM Licensing

Features included with the PAM License

KeeperPAM Licensing Requirements

In order to enable and use KeeperPAM, the following are required:

or License
- A minimum of 5 seats

A Keeper Business or Keeper Enterprise License is required to purchase the KeeperPAM add-on.

Trial License

If you are not a Keeper customer or do not have the required license, you can start a free . The enterprise trial will also include the Privileged Access Manager Add-on.

Features Included with KeeperPAM

With the purchase of the Privileged Access Manager add-on, the following features are included:

Secrets Manager - Unlimited API Calls
Password Rotation
Connections
Tunnels
Remote Browser Isolation
Session Recordings and Playback
Discovery
Keeper Connection Manager (Self-Hosted)
PAM Audit and Reporting

What is the difference between KeeperPAM and Keeper Connection Manager (Self-Hosted)?

KeeperPAM License Model

The KeeperPAM add-on license includes all the advanced PAM Features. The number of licenses for the enterprise license and the KeeperPAM license is based on:

Example

For example, if an organization has 100 Enterprise users and needs PAM functionality for only 10 of them, they would purchase:

100 Keeper Enterprise Licenses for users who only need the enterprise features.
10 Privileged Access Manager Add-Ons, to cover the 10 users that need PAM functionality.

MSPs

Existing Customers - Updating KSM/KCM Add-Ons

For existing customers, the following existing Add-ons can be upgraded to the Privileged Access Manager Add-On:

Keeper Secrets Manager Add-On
Keeper Connection Manager Add-On

Both the Keeper Secrets Manager and Keeper Connection Manager Add-Ons are included as part of the Privileged Access Manager Add-On.

Upgrading from Keeper Secrets Manager Add-On

Upgrading to the Privileged Access Manager Add-On from the Keeper Secrets Manager Add-On will give you:

Access to new KeeperPAM Features
Unlimited API Calls

Upgrading from Keeper Connection Manager Add-On

Upgrading to the Privileged Access Manager Add-On from the Keeper Connection Manager Add-On will give you new KeeperPAM Features which includes accessing both the cloud and self-hosted KCM.

Ready to Upgrade?

Enforcement Policies

Role-based enforcement policy settings for KeeperPAM

Overview

Role-based Access Controls (RBAC) provide your organization the ability to define enforcements based on a user's job responsibility as well as provide delegated administrative functions. Prior to proceeding with this guide, familiarize yourself with roles and enforcement policies.

Enable PAM Policies

From the Admin Console, enable the corresponding PAM Enforcement Policies.

Login to the Keeper Admin Console for your region.
Under Admin > Roles, create a new role for PAM or modify an existing role.
Go to Enforcement Policies and open the "Privileged Access Manager" section.

Privileged Access Manager Policies

Secrets Manager

Keeper Gateway

Keeper Rotation

Keeper Connection Manager (KCM)

Keeper Tunnels

Remote Browser Isolation (RBI)

Discovery

Discovery is currently only available on Keeper Commander. The UI is coming soon.

Legacy Policies

These policies are not required moving forward, but they exist for support of legacy features.

Commander CLI

enterprise-role ROLE_ID --enforcement "ALLOW_SECRETS_MANAGER:True"
enterprise-role ROLE_ID --enforcement "ALLOW_PAM_ROTATION:True"
enterprise-role ROLE_ID --enforcement "ALLOW_PAM_DISCOVERY:True"
enterprise-role ROLE_ID --enforcement "ALLOW_PAM_GATEWAY:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_ROTATION_SETTINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_ROTATE_CREDENTIALS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_LAUNCH_PAM_TUNNELS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_LAUNCH_RBI:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_RBI:True"
enterprise-role ROLE_ID --enforcement "ALLOW_VIEW_KCM_RECORDINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_VIEW_RBI_RECORDINGS:True"

Vault Structure

Understanding the Keeper Vault structure and organization for KeeperPAM

Overview

In a customer's environment, the Keeper Vault is deployed to all users within the organization across all devices. The Vault is accessible through any web browser, and also available as a native desktop application for Windows, macOS and Linux. Accessing the Keeper vault is the foundation of the KeeperPAM platform, since the vault is deployed to all users, enforces MFA, SSO and implements a zero-knowledge encryption model.

When the Role-based Enforcement Policies are activated from the Keeper Admin Console, those designated users can work with KeeperPAM functionality directly with the vault.

Records, Record Types and Resources

In Keeper, a record can be a password, file, passkey, or any number of possible record type templates. A record is always encrypted locally on the user's device with a record-level encryption key. All information held within a record is encrypted in the vault.

When working with Secrets Management and Privileged Access Management functionality, records can also represent Applications, Machines, Directories, Databases, Domain Controllers, Users and other infrastructure being managed.

Like any password record, these new record types can also be placed into private or shared folders, managed directly in the vault and controlled through policy enforcements.

Folders and Shared Folders

In the vault, records are placed into folders and shared folders. A typical and recommended setup looks something like this:

Private Folder
- Shared Folder containing Resources
- Shared Folder containing User accounts

The reason that we recommend splitting up Resources and User accounts is based on least privilege. In this configuration, the resources can be provisioned to a user without sharing access to the underlying credentials. The user accounts are in a separate folder and can remain private in this vault or shared to other privileged users as required.

A resource such as a Linux machine can be seen inside the resource folder below. The Administrative Credentials used for connecting to that resource are linked, but not directly embedded in the resource. This way, you can provide access to the resource without sharing the credential.

In this example, the linked Administrative Credential lives in the Users folder with separate permissions and folder privileges.

At the Shared Folder level, both human users and applications can be assigned with access rights. This allows least privilege enforcement across employees and machines.

Application

A Secrets Manager Application is assigned to specific shared folders. Applications are associated to devices and Gateways for accessing the assigned records.

An Application and the associated devices and Gateways can only decrypt the records assigned to the folder. Keeper recommends implementing the principle of least privilege, ensuring applications are limited in their ability to access records from the vault.

Management of Applications is found in the Keeper Secrets Manager section of the vault. An example of an Application might be "Azure DevOps Pipeline" or "Azure AD Rotations" as seen in the screenshot below.

For more information on Applications:

Device

A Device is any endpoint that needs to access secrets associated with an Application. This can be a physical device, virtual device, or cloud-based device. Each Client device has a unique key to read and access the secrets.

A device can be initialized through the Applications section of the vault user interface.

For more information on Devices:

Gateway

The Keeper Gateway is a service that is installed on any Docker, Linux or Windows machine in order to execute password rotation, discovery, connection, tunneling or other privileged automation. The Gateway service can be installed in any remote or on-prem environment, powering a secure zero-trust connection.

Typically, a Keeper Gateway is deployed to each environment that is being managed. For example, if you are an MSP managing 500 client environments, you may deploy 500 Keeper Gateways.

The architecture of the Keeper Gateway deployments is based on your use case and can be reviewed with our implementation team.

Configuration

A PAM Configuration defines the target environment where a Keeper Gateway has been installed. This configuration supplies important secrets to the Gateway that can be used to manage the target infrastructure. For example, it can contain Azure client secrets or Tenant IDs.

The PAM Configuration data is stored as a record in the vault inside the specified "Application Folder". This way, the Gateway has the necessary permission to retrieve this information.

We recommend defining only one Configuration for each Gateway.

More information about PAM Configuration records:

PAM Resources

Inside the vault, records define the type of resources being managed. We call these "PAM Resources". Several new Record Types available in the vault are associated with a resource.

When creating a resource, you can select from various targets, such as Machine, Database, Directory, etc.

Visit the pages linked below to learn more about each PAM Resource:

PAM Users

A special record type in the Keeper Vault called PAM User can be directly associated to any PAM Resource. The PAM User is used by the Keeper Gateway for establishing a connection, rotating a password, discovering accounts or running other privilege automation on a target resource.

A PAM User is linked to the PAM Resource in the "Credentials" section of the record. This linkage ensures that access to the resource does not directly allow access to the credential.

A PAM User record can be configured for on-demand and automatic rotation.

More information on PAM Users is found here:

Activating PAM Features

Now that you understand the basic structure of the vault, activating and utilizing PAM features is described in the below sections.

Record Linking

KeeperPAM migration of records to new linked format

Overview

As part of the KeeperPAM product launch, newly created resources in the Keeper Vault—such as PAM Machines, PAM Directories, and PAM Databases—will no longer support embedding credentials directly within the resource. Instead, KeeperPAM now utilizes Record Linking, where the credential record is securely linked to the resource. This approach ensures a clear separation of encryption and permissions between the resource and its associated credentials.

With Record Linking, resources can be shared with users without exposing the underlying credentials, enhancing both security and access control.

Conversion

For customers currently using Keeper Secrets Manager with rotation capabilities, if a credential is embedded directly in a resource, a new section will appear when editing the record. This section will display the message:

"We moved your rotating credentials down below. Please convert these credentials into a PAM User record type."

This update guides users to transition their rotating credentials into the more secure PAM User record type for enhanced security and proper separation of credentials from resources.

By clicking "Convert Now", you'll be asked to confirm the change and the credentials will be separated from the resource and placed in the same folder.

Click "Next" to finish the conversion. After this is completed, a new record in the same folder will contain the linked credential.

Once the resource has been split, PAM capabilities including connections, tunnels and rotations can be enabled.

Applications

Secrets Manager Applications with KeeperPAM

What's an Application?

A Secrets Manager Application allows a machine or device to communicate with the Keeper vault, retrieve assigned records and decrypt the data.

Folders are shared to the application, similar to how users are folders are shared to users. This gives the application the capability of accessing and decrypting the records in the folder.

Creating an Application

From the Keeper Vault, go to Secrets Manager and click on Create Application.

The Application Name typically represents the use case or environment where it is being used
The Folder selected is where the application is assigned. An application can be added to any number of shared folders.
Record permissions give the application either read-only or read/write access to the folder. This is an additional restriction on top of the existing shared folder permissions.
Click on Generate Access Token to create the first access token, representing the first device
If you don't plan to set up a device yet, the first access token can be discarded

Generating a One-Time Access Token

When creating an application, a one-time access token for the first Device is provided. This one-time access token is supplied to the 3rd party system, Keeper Secrets Manager SDK, Keeper Secrets Manager CLI or other device which needs to access information from the vault.

After creating the application, it is managed from the Secrets Manager screen. You can then assign additional devices or Keeper Gateways.

Applications can be added to new or existing Shared Folders.

Edit the Shared Folder to assign the application.

By assigning the Application to shared folders, the application's devices can send Keeper Secrets Manager API requests to the Keeper vault to access and manage the records assigned. There are many use cases where a device can use Keeper Secrets Manager APIs to communicate with the Keeper vault. Below are a few examples.

Assigning Gateways to Applications

Keeper Gateways are created and associated to an application. To create a new Gateway, open the application and click on the "Gateways" tab. Select "Provision Gateway" to create a Gateway.

Alternatively, Keeper provides a wizard that creates several components at once, and automatically links everything together. From the main vault screen, select "Create New" then "Gateway".

The "Project Name" is used to create a PAM Configuration, Gateway, Application and optionally a set of example folders and records.

Gateways

Installation and setup of the Keeper Gateway

Overview

The Keeper Gateway is a service that is installed on any Docker, Linux or Windows machine in order to execute rotation, discovery, connection and tunneling. A single Gateway can be used to communicate with any target infrastructure, both on-prem and cloud. Typically, customers deploy a Keeper Gateway in each environment that is being managed.

Platforms Supported

Platform Specific Capabilities

The Keeper Gateway offers different feature capabilities based on the underlying operating system and hardware. We recommend using Docker on a Linux or Windows host with x86 CPUs for full feature support and ease of management.

Note: EL9 which includes Rocky Linux 9 and RHEL 9 support is coming soon.

System Requirements

System requirements vary based on the number of simultaneous user sessions and the types of connections being established. As the volume of simultaneous connections grows, scaling CPU and memory resources becomes essential. In particular, remote browser isolation (RBI) launches a headless Chromium instance for each session. If you anticipate a high number of RBI sessions, ensure the system is scaled to meet these demands.

For a testing or sandbox a minimum of 2 CPUs with 8GB of memory and 10GB of storage is required. In a production environment, increase to at least 4 CPUs with 16GB of memory. Scale the number of CPUs and memory as the number of simultaneous sessions increases.

Network Configuration

The Gateway only establishes outbound-only connections to the Keeper cloud over TLS port 443, and communicates to target infrastructure through native protocols (SSH, RDP, etc).

The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. Keeper Secrets Manager APIs are used to communicate with the Keeper cloud.

Installation Steps

The Keeper Gateway generates encryption keys and a local Secrets Manager configuration that is used to authenticate with the Keeper cloud. The location depends on the context in which the Gateway is being run. It can be installed to the local user or installed as a service.

Login to the Keeper Web Vault or Desktop App (version 17.1 or newer required)
Click on Secrets Manager on the left side
Create a new Secrets Manager Application or select existing application
Click on the "Gateways" tab and click "Provision Gateway"
Select Docker, Linux or Windows install method
Install the Keeper Gateway using the provided method

During the creating of a Keeper Gateway using a one-time token method for Linux and Windows, you have the choice to select "Lock external WAN IP Address of device for initial request". This will additionally IP lock the Gateway in addition to the authentication and encryption built into the service.

Based on your Operating System, refer to the corresponding guide on installing the Keeper Gateway:

Additional Installation Configurations

Auto Updater

Instructions for installing and configuring the Auto Updater for the Keeper Gateway.

Overview

Automatic updates of the Keeper Gateway can be enabled on Linux and Windows installations through Keeper's Auto Updater feature. The Auto Updater makes periodic checks to update your Keeper Gateway to the latest version.

By default, the Auto Updater is disabled when installing the Keeper Gateway

We recommend enabling the Auto Updater to ensure you receive the most recent security and functionality enhancements. The Auto Updater verifies all Keeper Gateway downloads by checking the GPG signature of hash value, which are then utilized to checksum each file.

Auto Updater Installation

Prerequisites

Ensure that you have administrative privileges on the system.
Version 1.4.0 or later of Keeper Gateway is required.

Docker

On Docker based installations, the best way to update the container is running the below commands from a cron job or your CI/CD tools.

As an example, create a file called update_gateway.sh that contains:

#!/bin/bash
set -e  # Exit immediately if a command fails

# Navigate to the directory containing your docker-compose.yml file
cd /path/to/your/docker-compose-directory

# Pull the latest image and update the Gateway container
docker compose pull
docker compose up -d keeper-gateway

Make the script executable:

chmod +x update_gateway.sh

Edit the crontab:

crontab -e

Add a line to schedule the script. For example, to run it every day at 3 AM:

0 3 * * * /path/to/update_gateway.sh >> /var/log/update_gateway.log 2>&1

Linux

New Gateway

Execute the following command to download and run the KeeperPAM installer with auto update enabled.

The --autoupdate parameter activates the auto updater in addition to the Keeper Gateway.

curl -fsSL https://keepersecurity.com/pam/install | \
  sudo bash -s -- --autoupdate

Existing Keeper Gateway

Activate the Auto Updater on an existing installation by executing the following Keeper Gateway command:

sudo keeper-gateway autoupdate enable

Verify Installation (Optional)

Verify that the Auto Updater has been installed successfully by executing the following Keeper Gateway command:

sudo keeper-gateway autoupdate status

Windows

New Gateway

Download and run the latest version of the Gateway installer.
During installation, check the box "Enable automatic updates".
This setup option will create a new Task Scheduler task for updating the Gateway.

Existing Gateway

Open a command prompt as Administrator.
Install Auto Updater with the following Keeper Gateway command:

keeper-gateway autoupdate enable

Verify Installation (Optional)

Open a command prompt as Administrator.
Verify that Auto Updater has been installed successfully by executing the following Keeper Gateway command:

keeper-gateway autoupdate status

Auto Updater Status

Prerequisites

Ensure that you have administrative privileges on the system.
Version 1.4.0 or later of Keeper Gateway is required.

Status on Linux

Check the Auto Updater status by executing the following Keeper Gateway command:

sudo keeper-gateway autoupdate status

Status on Windows

Open a command prompt as Administrator
Check the Auto Updater status by executing the following Keeper Gateway command:

keeper-gateway autoupdate status

Auto Updater Configuration

Configuration on Linux

Edit the crontab that runs Auto Updater.

sudo crontab -e

Here is an example of the default crontab entry that checks for updates every hour:

0 * * * * /usr/local/bin/keeper-gateway-update --trust

The first part 0 * * * * is the crontab expression which will cause execution to occur every hour at 0 minutes.
The second part is the update command keeper-gateway-update
The option --trust causes explicit trust of the Keeper Gateway GPG public key for verification of downloaded install files.

Configuration on Windows

Configure the update frequency and other settings with the following steps:

Run taskschd.msc to open Windows Task Scheduler.

In the left pane double-click on Task Scheduler Library -> Keeper -> Gateway -> AutoUpdate to show the Auto Updater Task.

In the upper middle pane double-click on the AutoUpdate Task with the name of the current version and click on the Triggers menu tab.

Click Edit... to change when the Auto Updater checks for a new update to install. The default is to "Repeat task every 1 hour indefinitely" as shown below.

Auto Updater Removal

Prerequisites

Ensure that you have administrative privileges on the system.
Version 1.4.0 or later of Keeper Gateway is required.

Removal on Linux

Remove Auto Updater by executing the following Keeper Gateway command:

sudo keeper-gateway autoupdate disable

Removal on Windows

Remove Auto Updater with the following steps:

Open a command prompt as Administrator.
Remove Auto Updater with the following Keeper Gateway command:

keeper-gateway autoupdate disable

Troubleshooting

Check the status of the Auto Update

keeper-gateway autoupdate status

Logging in the Gateway Auto Updater

To assist with diagnosing issues or monitoring the status of updates, the Gateway Auto Updater generates two types of logs. These logs are subject to rotation policies to avoid overuse of disk space.

Linux

Log Location

All log files for Linux are located in /var/log/keeper-gateway

Log Files

Update Logs: Any logs generated during an update will be timestamped and stored as update_YYYY-MM-DD_HH-MM-SS.log.
Last Update Check: The file last-update-check.log contains information regarding the most recent check for updates.

Windows

Log Location

The log files for the Gateway Auto Updater are located in \ProgramData\KeeperGateway\install

Log Files

Update Logs: Any logs generated during an update will be timestamped and stored as YYYY-MM-DD_HH-MM-SS.log
Last Update Check: The file last-update-check.log contains information regarding the most recent check for updates.

Azure App Secret Rotation

Automatically rotate the secret of an Azure app using Keeper Secrets Manager rotations

Overview

This documentation explains how to rotate Azure application secrets using KeeperPAM's rotation option called "Run PAM scripts only". This is a setting in the PAM User rotation settings which tells the Gateway to skip the primary rotation method and directly execute the post-rotation script attached to the PAM User record in the vault.

This guide includes prerequisites, step-by-step instructions, and a Python script example. The script ensures secure application secrets rotation, including deletion of previous application secrets, and stores the new application secret in Keeper. This new secret is automatically available to all already allowed KSM applications and users.

See the for a high level overview and getting started with Azure

Prerequisites

This guide assumes the following tasks have already taken place:

are configured for your role
A Keeper Secrets Manager has been created
Your Azure environment is per our documentation
The gateway host will need to have a supported Python version installed with the 2 dependencies below:

pip3 install keeper_secrets_manager_core
pip3 install azure.identity

Rotation Script Logic Flow

1. Admin Credentials Retrieval

The script retrieve admin credentials in three ways:

Record directly attached to the post rotation script.
The access key provided to the Azure PAM config selected for the rotation. This will be used if no access key is found in the record(s) attached (method 1 above) to the post rotation script.

Attaching another record containing the admin application secret to the PAM Script will allow to easily rotate this admin application secrets in that other record using the same process described in this documentation.

2. Secret Rotation Logic

The script will:

Retrieve an admin application secret either from an attached record to the PAM Script or from the PAM Config.
Get a Microsoft Graph access token using the admin application secret found at the step above.
Create a new client secret on the Azure application defined in the PAM User record.
Delete all other existing secrets for the defined Azure application. Only the one generated at the step above will be kept.
Update the Keeper PAM User record with the new secret, and secret ID.

PAM User Record - Fields Requirements

Fields required:

Custom fields required:

Instead of creating the PAM User record manually using the details above, you could also import the csv file below. It will create a template record you can amend and duplicate as needed.

Importing the file will generate a Login record type: make sure to convert it to PAM User.

Setting Up the Rotation in the Keeper Vault

The script require an admin application secret to authenticate against Azure and rotate another application's secret. Here we will be using the admin app secret provided in the Azure PAM Configuration.

Configuration From the Keeper Vault:

Create a shared folder in the vault

In the Secret Manager tab of the Keeper vault, create a new application for the gateway if there is no gateway yet.
Make sure the Application has edit permissions on the shared folder created above.
In the Secret Manager tab of the Keeper vault, go to the PAM Configurations tab. Create a new PAM configuration if needed.
Under Environment, please select “Azure”, select the Gateway, select the shared folder, provide the “Entra ID” name (arbitrary name of your Entra ID environment), the admin application “Client ID” (Overview tab of the admin application in the Azure portal), “Client Secret” (Certificates & secrets tab of the admin application in the Azure portal), "Subscription ID" and "Tenant ID".

- Password Rotation Settings: select your desired schedule and the PAM configuration created above.
- Select "Run PAM Scripts only" as the Rotation method.
- Add PAM Script to the record: select the provided file below and make sure to specify the script command:

python3

It is possible to also rotate the application secret of the admin Azure application. To do this, you will need to store you admin Azure app secret in another Keeper PAM User record.

Admin App Secret Record Requirements

Custom fields required:

Importing the file will generate a Login record type: make sure to convert it to PAM User.

Configuration From the Keeper Vault:

Create a shared folder in the vault

In the Secret Manager tab of the Keeper vault, create a new application for the gateway if there is no gateway yet.
Make sure the Application has edit permissions on the shared folder created above.
In the Secret Manager tab of the Keeper vault, go to the PAM Configurations tab. Create a new PAM configuration if needed.
Under Environment, please select “Local Network”, select the Gateway and the shared folder.

Edit the target app PAM User record:
- Password Rotation Settings: select your desired schedule and the PAM configuration created above.
- Add PAM Script to the record:
  1. Select the provided Python file below.
  2. Rotation Credential: select the admin app PAM User record.
  3. Specify the script command:

python3

Python Script

import logging
import requests
import sys
import base64
import json
from azure.identity import ClientSecretCredential
from datetime import datetime, timedelta, timezone
from keeper_secrets_manager_core import SecretsManager
from keeper_secrets_manager_core.storage import FileKeyValueStorage

# sys.stdin is not an array, it cannot be subscripted (i.e., sys.stdin[0])
for base64_params in sys.stdin:
    # Retrieve params from the gateway
    params = json.loads(base64.b64decode(base64_params).decode('utf-8'))
    break

# Retrieve records attached to the post-rotation script in Keeper
records = json.loads(base64.b64decode(params.get('records')).decode('utf-8'))

# Initiate Keeper Secrets Manager SDK using the gateway configuration
secrets_manager = SecretsManager(config=FileKeyValueStorage('/etc/keeper-gateway/gateway-config.json'))

# Configure logging
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
logger = logging.getLogger(__name__)

GRAPH_API_URL = "https://graph.microsoft.com/v1.0"

# Function to get Microsoft Graph access token using ClientSecretCredential
def get_access_token(tenant_id, client_id, client_secret):
    try:
        credential = ClientSecretCredential(tenant_id=tenant_id, client_id=client_id, client_secret=client_secret)
        token = credential.get_token("https://graph.microsoft.com/.default")
        logger.info("Authentication successful.")
        return token.token
    except Exception as e:
        logger.error(f"Authentication failed: {e}")
        raise

# Function to create a new client secret and return its ID and secret text
def create_client_secret(access_token, target_app_id, secret_expiry_days=365):
    try:
        # Set expiry time for the secret using timezone-aware datetime
        expiry_time = (datetime.now(timezone.utc) + timedelta(days=secret_expiry_days)).isoformat()

        # API request body to create a new client secret
        body = {
            "passwordCredential": {
                "displayName": "Client Secret Rotated by Keeper",
                "endDateTime": expiry_time
            }
        }

        headers = {
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json"
        }

        response = requests.post(f"{GRAPH_API_URL}/applications/{target_app_id}/addPassword", json=body, headers=headers)
        
        if response.status_code == 200:
            response_json = response.json()
            new_client_secret = response_json['secretText']
            secret_id = response_json['keyId']  # Fetch the ID of the new secret

            # Log both the new secret and its ID
            logger.info(f"New client secret created for Application {target_app_id}. Secret ID: {secret_id}.")
            return secret_id, new_client_secret, expiry_time
        else:
            logger.error(f"Failed to create client secret: {response.status_code}, {response.text}")
            raise Exception(f"Failed to create client secret: {response.status_code}")
    except Exception as e:
        logger.error(f"An error occurred: {e}")
        raise

# Function to retrieve existing client secrets
def get_existing_client_secrets(access_token, target_app_id):
    try:
        headers = {
            "Authorization": f"Bearer {access_token}"
        }

        response = requests.get(f"{GRAPH_API_URL}/applications/{target_app_id}", headers=headers)
        if response.status_code == 200:
            app = response.json()
            logger.info(f"Retrieved existing client secrets for Application {target_app_id}.")
            return app.get('passwordCredentials', [])
        else:
            logger.error(f"Failed to retrieve client secrets: {response.status_code}, {response.text}")
            raise Exception(f"Failed to retrieve client secrets: {response.status_code}")
    except Exception as e:
        logger.error(f"An error occurred: {e}")
        raise

# Function to delete old client secrets, excluding the newly created one
def delete_old_secrets(access_token, target_app_id, new_client_secret_id):
    try:
        headers = {
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json"
        }

        existing_secrets = get_existing_client_secrets(access_token, target_app_id)
        
        # Iterate through all secrets and delete the ones that are not the newly created secret
        for secret in existing_secrets:
            if secret['keyId'] != new_client_secret_id:
                body = {
                    "keyId": secret['keyId']
                }
                response = requests.post(f"{GRAPH_API_URL}/applications/{target_app_id}/removePassword", json=body, headers=headers)

                if response.status_code == 204:
                    logger.info(f"Deleted secret with ID: {secret['keyId']} for Application {target_app_id}.")
                else:
                    logger.error(f"Failed to delete secret: {response.status_code}, {response.text}")
                    raise Exception(f"Failed to delete secret: {response.status_code}")
    except Exception as e:
        logger.error(f"An error occurred: {e}")
        raise

# Main function
def rotate_client_secret(tenant_id, client_id, client_secret, target_app_id, secret_expiry_days=365, delete_old_secrets_flag=False):
    try:
        # Step 1: Get access token
        access_token = get_access_token(tenant_id, client_id, client_secret)
        
        # Step 2: Create a new client secret and get its ID
        new_client_secret_id, new_client_secret, expiry_time = create_client_secret(access_token, target_app_id, secret_expiry_days)
        if not new_client_secret:
            logger.error("Failed to create a new client secret. Exiting.")
            return None, None, None  # Prevent further execution if secret creation failed
        
        logger.info(f"New client secret id: {new_client_secret_id}. Expiration date: {expiry_time}")
        
        # Step 3: Optionally delete old secrets, but exclude the newly created one
        if delete_old_secrets_flag:
            delete_old_secrets(access_token, target_app_id, new_client_secret_id)

        return new_client_secret_id, new_client_secret, expiry_time
    except Exception as e:
        logger.error(f"An error occurred during the secret rotation process: {e}")
        return None, None, None  # Return None in case of an error

# Inputs from the gateway and full PAM user query using KSM
pam_user_to_update = secrets_manager.get_secrets([params.get('userRecordUid')])[0]

# Retrieve app object id to rotate
try:
    target_app_id = pam_user_to_update.custom_field('application_object_id', single=True)
except Exception as e:
    raise RuntimeError(f"No app object id found, the script will exit after this error: {e}")

# Retrieve admin user account access key
admin_cred_provided = False
for record in records:
    if "application_client_id" in record:
        client_id = record["application_client_id"]
        client_secret = record["client_secret"]
        tenant_id = record["tenant_id"]
        admin_cred_provided = True
        logger.info(f"Admin creds provided. Using secret_id {client_id}, from attached record UID {record['uid']}.")
        break
    elif "clientId" in record:
        client_id = record["clientId"]
        client_secret = record["clientSecret"]
        tenant_id = record["tenantId"]
        admin_cred_provided = True
        logger.info(f"Admin creds provided. Using secret_id {client_id}, from attached PAM Config record UID {record['uid']}.")
        break

# If there is no app key provided to an attached record, then use the PAM config.
if admin_cred_provided == False:
    try:
        pam_config = secrets_manager.get_secrets([params.get('providerRecordUid')])[0]
        client_id = pam_config.field('clientId', single=True)
        client_secret = pam_config.field('clientSecret', single=True)
        tenant_id = pam_config.field('tenantId', single=True)
        admin_cred_provided = True
        logger.info(f"Using PAM config creds. Using secret_id {client_id}, from PAM Config UID.")
    except Exception as e:
        logger.error(f"Error retrieving admin creds from PAM config: {e}")

# Exit if no credentials were provided
if not admin_cred_provided:
    raise RuntimeError("No admin creds provided. The script will exit.")

# Rotate client secret and handle success/failure
new_client_secret_id, new_client_secret, expiry_time = rotate_client_secret(
    tenant_id, client_id, client_secret, target_app_id, secret_expiry_days=365, delete_old_secrets_flag=True
)

if new_client_secret_id and new_client_secret:
    logger.info("\nRotation Result:")
    logger.info(f"New secret id: {new_client_secret_id}")

    # Update the PAM User record in Keeper
    try:
        pam_user_to_update.custom_field('client_secret_id', new_client_secret_id)
        pam_user_to_update.custom_field('client_secret', new_client_secret)
        pam_user_to_update.custom_field('expires', expiry_time)
        secrets_manager.save(pam_user_to_update)
    except Exception as e:
        logger.error(f"Error while updating PAM User record in Keeper: {e}")

IAM User Access Key

Automatically rotate AWS access keys using Keeper Secrets Manager rotations

Overview

This documentation explains how to rotate AWS IAM user access keys using KeeperPAM's rotation option called "Run PAM scripts only". This is a setting in the PAM User rotation settings which tells the Gateway to skip the primary rotation method and directly execute the post-rotation script attached to the PAM User record in the vault.

This guide includes prerequisites, step-by-step instructions, and a Python script example. This provided script supports both provided admin credentials (AWS Access key for an admin account) and EC2 instance role authentication. The script ensures secure access key rotation, including deletion of previous user keys. The new key is stored in the Keeper record after rotation is complete.

Prerequisites

KSM role: Ensure that the Keeper user has a role providing access to Keeper Secrets Manager, and Keeper Secrets Manager rotations.
A Linux instance to run the Keeper Gateway: The Gateway can be deployed in an EC2 instance, any private Cloud or on-prem. This script is capable of leveraging EC2 Instance Roles Authentication to perform the Access Key rotation if the Gateway runs in an EC2 instance. If the gateway runs somewhere else, then an Access Key with role privilege needs to be provided in the Keeper vault to perform the rotation of the end user Access Key.

Rotation Script Logic Flow

1. Admin Credentials Retrieval

The script retrieve admin credentials in three ways:

Record directly attached to the post rotation script.
The access key provided to the AWS PAM config selected for the rotation. This will be used if no access key is found in the record attached (method 1 above) to the post rotation script.
Uses AWS instance role authentication if no credentials are provided from either methods above. The gateway needs to be running on an EC2 Instance with an EC2 Instance Role in place.

2. Key Rotation Logics

The script provides two modes of operation based on the delete_all_keys_before_rotating custom field:

If False (default), a new access key is created first, then the old ones are deleted, keeping only the newly created key. This will fail if the user account has already two access keys: AWS will not allow the script to create a third one.
If this custom field is set to True, the script deletes all existing access keys for the IAM user before creating a new one. This helps in the scenario described above where the end user account has already two access keys.

3. Updating the Keeper PAM User Record in the Vault

After key rotation, the script updates the rotated PAM User Keeper record with the new AWS access key ID, secret access key, creation date, and any deleted access keys IDs.

PAM User Record - Fields Requirements

You need to create a PAM User record where the rotation will be configured later on. The fields below need to be created.

Fields required:

Field Name

Description

Name of the user account in AWS where the access key needs to be rotated.

Password

It will be a dummy value in this case. The password field gets automatically rotated, but it is not used anywhere. This is still required field.

Custom fields required:

Custom Field Label

Field Type

Description

aws_access_key_id

Text

This field will receive the new access key id after the rotation.

aws_secret_access_key

Hidden Field

This field will receive the new secret access key after the rotation.

CreateDate

Text

This field will contain the timestamp of when the new key has been generated by the script.

Access_Key_ID_Removed_during_previous_rotation

Text

This field will contain the old access key id(s) removed from the user account in AWS during the rotation.

delete_all_keys_before_rotating

Text

This custom field is optional. It could be set to “False” or “True”, the default value is “False”.

If set to “True” then the rotation script will start by deleting all existing access keys on the user account before creating a new one. This is needed when the user has already 2 access keys setup. AWS will not allow the script to create a third one, hence the need to delete the existing keys before adding a new one.

NOOP

Text

This rotation requires the gateway to only execute the rotation script, and not try to rotate something using the built-in rotation features.

The value has to be:

True

Private Key Type

Text

Second field to enable NOOP.

The value has to be:

rsa-ssh

Instead of creating the PAM User record manually using the details above, you could also import the csv file below. It will create a template record you can amend and duplicate as needed. Importing the file will generate a Login record type: make sure to convert it to PAM User.

Setting Up the Rotation in the Keeper Vault

When the gateway runs in an EC2 instance, you don’t need to provide an admin access key to the script. The gateway will leverage the AWS Instance Role permissions assigned to the VM.

The steps below explains how to set up an EC2 Instance role to the gateway EC2 instance with minimal permissions:

Steps to Add/Configure Instance Role With Minimum Permissions to Rotate Access Keys:

Step 1: Create a Policy in AWS

Go to the IAM Management Console.
Select Policies and click Create policy.
Select JSON and paste the following, make sure to replace your AWS Account ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:ListAccessKeys",
        "iam:DeleteAccessKey"
      ],
      "Resource": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID_HERE:user/*"
    }
  ]
}

Name the policy and save it.

Step 2: Create an IAM Role in AWS

Go to the IAM Management Console.
Select Roles and click create role.
Choose AWS service and select EC2.

Attach the necessary IAM policies (e.g., the policy we created above with the minimum permissions).

Step 3: Assign the Role to Your EC2 Instance

In the EC2 Management Console, find your instance.
Click Actions > Security > Modify IAM Role.

Select the role you created and click Update

Verify Instance Role Permissions

You can ensure that the instance role has appropriate permissions to interact with IAM by running the command below on the Gateway EC2 Instance:

aws sts get-caller-identity

After configuring this role, your EC2 instance, in this case your Keeper Gateway, will automatically use the attached role credentials for your script, allowing it to perform actions like creating and deleting IAM access keys without needing explicit access key credentials.

Rotation Configuration From the Vault:

Create a shared folder in the vault
Create a PAM User record in the shared folder with the fields and custom fields described above.
In the Secret Manager tab of the Keeper vault, create a new application for the gateway if there is no gateway yet.
Make sure the Application has edit permissions on the shared folder created above.
Provision the gateway (gateway tab after selecting the application) on an EC2 instance. On the EC2 Instance run the install command provided by the Keeper vault and make sure boto3 and keeper_secrets_manager_core are installed by running the following commands in the EC2 instance:

pip3 install boto3
pip3 install keeper_secrets_manager_core

In the Secret Manager tab of the Keeper vault, go to the PAM Configurations tab. Create a new PAM configuration if needed.
Under Environment you can select “Local Network” or “AWS”. If you select “AWS”, please make sure to leave the “Access Key” and “Secret Access Key” field empty. If you provide one, it will be automatically used by the script instead of using the Instance Role authentication. You will still need to provide the AWS Account ID to the AWS PAM configuration.
Select the gateway, select the shared folder and save the PAM configuration.

Edit the PAM User record previously described in this documentation:
- Password Rotation Settings: select your desired schedule and the PAM configuration created above.
- Add PAM Script to the record: select the provided file below and make sure to specify the script command:

python3

Configuration From the Keeper Vault:

Create a shared folder in the vault
Create a PAM User record in the shared folder with the fields and custom fields described above.

In the Secret Manager tab of the Keeper vault, create a new application for the gateway if there is no gateway yet.
Make sure the Application has edit permissions on the shared folder created above.
Provision the gateway (gateway tab after selecting the application) on a Linux box. Simply run the install command provided by the Keeper vault and make sure boto3 and keeper_secrets_manager_core are installed by running the following commands on the Linux box:

pip3 install boto3
pip3 install keeper_secrets_manager_core

In the Secret Manager tab of the Keeper vault, go to the PAM Configurations tab. Create a new PAM configuration if needed.
Under Environment, please select “AWS”, select the Gateway, select the shared folder, provide the “AWS ID”, the “Access Key” and “Secret Access Key”. This will be the admin access key that the script uses to rotate a user access key.

Edit the PAM User record previously described in this documentation:
- Password Rotation Settings: select your desired schedule and the PAM configuration created above.
- Add PAM Script to the record: select the provided file below and make sure to specify the script command:

python3

When the gateway does not run in an EC2 instance, it will require an admin access key to authenticate against AWS and rotate another user's access key. Here we will be using the admin access key provided in another Keeper record. This option also allows to rotate the admin access key the same way Keeper rotates an user access key.

You may have followed any of the two other tabs available in this doc (Using AWS instance role, or Using AWS PAM Config) to set up the rotation: you will have a PAM configuration that contains or does not contain an access key. Following the steps below will force the use of an admin access key stored in another Keeper record.

Configuration From the Keeper Vault:

When attaching the PAM Script to the PAM user record, it is possible to attach Rotation Credentials.

The attached record could be any record type. It needs at least the two custom fields “aws_access_key_id” and “aws_secret_access_key” with the admin access key.

Using the PAM User record type to store the admin access key allows you to also automate the rotation of the admin access key. Make sure to follow those requirements in that case.

Using AWS AssumeRole to rotate user access keys across other AWS accounts

When attaching a record to the PAM script itself to provide an admin AWS access keys also allows to leverage AWS AssumeRole to rotate an AWS user access key across multiple AWS accounts.

More information about AWS AssumeRole here.

To leverage this feature, you need to add a new custom field to the record attached to the PAM script (Rotation Credentials).

The custom field label needs to be:

role_arn

This field will contain the role arn from your AWS environment that has the permissions to rotate access keys in other AWS accounts.

When this field exists, the rotation script will use it along with the provided admin access key ID and secret to generate a new temporary access key to rotate the end user’s one in the other AWS account. The script will then update the Keeper PAM User record with the new key and information, the same way it usually does without this extra field.

Python Script

import boto3
import sys
import base64
import json
from keeper_secrets_manager_core import SecretsManager
from keeper_secrets_manager_core.storage import FileKeyValueStorage
from botocore.exceptions import ClientError, NoCredentialsError

# sys.stdin is not an array, it cannot be subscripted (i.e., sys.stdin[0])
for base64_params in sys.stdin:
    # Retrieve params from the gateway
    params = json.loads(base64.b64decode(base64_params).decode('utf-8'))
    break

# Retrieve records attached to the post-rotation script in Keeper
records = json.loads(base64.b64decode(params.get('records')).decode('utf-8'))

# Initiate Keeper Secrets Manager SDK using the gateway configuration
secrets_manager = SecretsManager(config=FileKeyValueStorage('/etc/keeper-gateway/gateway-config.json'))

# Function to create a new access key for a user
def create_new_access_key(iam_client, user_name: str) -> tuple:
    new_key = iam_client.create_access_key(UserName=user_name)
    return new_key['AccessKey']['AccessKeyId'], new_key['AccessKey']['SecretAccessKey'], new_key['AccessKey']['CreateDate']

# Function to rotate user's access key
def rotate_user_access_key(iam_client, user_name: str) -> dict:
    if not user_name:
        raise ValueError("User name is required for rotation")

    try:
        # Step 1: Create a new access key for the user
        new_access_key_id, new_secret_access_key, create_date = create_new_access_key(iam_client, user_name)

        print(f"New Access Key created successfully for user {user_name}")

        # Step 2: List all existing access keys for the user
        existing_keys = iam_client.list_access_keys(UserName=user_name)
        deleted_keys = [access_key['AccessKeyId'] for access_key in existing_keys['AccessKeyMetadata']
                        if access_key['AccessKeyId'] != new_access_key_id]

        # Step 3: Delete all other access keys, except the newly created one
        for access_key_id in deleted_keys:
            iam_client.delete_access_key(UserName=user_name, AccessKeyId=access_key_id)

        # Return the results
        return {
            'NewAccessKeyId': new_access_key_id,
            'NewSecretAccessKey': new_secret_access_key,
            'CreateDate': create_date,
            'DeletedAccessKeys': deleted_keys
        }

    except ClientError as e:
        print(f"An error occurred: {e}")
        raise e

# Function to delete all keys and then rotate user's access key
def delete_then_rotate_user_access_key(iam_client, user_name: str) -> dict:
    try:
        # Step 1: List all existing access keys for the user
        existing_keys = iam_client.list_access_keys(UserName=user_name)
        deleted_keys = [access_key['AccessKeyId'] for access_key in existing_keys['AccessKeyMetadata']]

        # Step 2: Delete all keys
        for access_key_id in deleted_keys:
            iam_client.delete_access_key(UserName=user_name, AccessKeyId=access_key_id)

        # Step 3: Create a new access key for the user
        new_access_key_id, new_secret_access_key, create_date = create_new_access_key(iam_client, user_name)

        print(f"New Access Key created successfully for user {user_name}")

        # Return the results
        return {
            'NewAccessKeyId': new_access_key_id,
            'NewSecretAccessKey': new_secret_access_key,
            'CreateDate': create_date,
            'DeletedAccessKeys': deleted_keys
        }

    except ClientError as e:
        print(f"An error occurred: {e}")
        raise e

# Function to assume the role in the target AWS account
def assume_role_in_target_account(role_arn, session_name='CrossAccountSession'):
    sts_client = boto3.client('sts')
    try:
        assumed_role = sts_client.assume_role(
            RoleArn=role_arn,
            RoleSessionName=session_name
        )
        credentials = assumed_role['Credentials']
        return {
            'aws_access_key_id': credentials['AccessKeyId'],
            'aws_secret_access_key': credentials['SecretAccessKey'],
            'aws_session_token': credentials['SessionToken']
        }
    except ClientError as e:
        print(f"Error assuming role: {e}")
        raise e

# Inputs from the gateway and full PAM user query using KSM
pam_user_to_update = secrets_manager.get_secrets([params.get('userRecordUid')])[0]
user_name = params.get('user')

# Retrieve admin user account access key
aws_admin_cred_provided = False
for record in records:
    if "role_arn" in record: # AssumeRole auth detected from the Keeper record
        aws_admin_cred_provided = True
        role_arn = record["role_arn"]
        aws_access_key_id = record["aws_access_key_id"]
        aws_secret_access_key = record["aws_secret_access_key"]
        print(f"Admin access key provided along with role arn for AWS AssumeRole. Using Access Key ID {aws_access_key_id}, from record UID {record['uid']}.")
        # Assume the role and get temporary credentials
        assumed_role_credentials = assume_role_in_target_account(role_arn)
        # Initialize IAM client using the assumed role's credentials
        iam_client = boto3.client(
            'iam',
            aws_access_key_id=assumed_role_credentials['aws_access_key_id'],
            aws_secret_access_key=assumed_role_credentials['aws_secret_access_key'],
            aws_session_token=assumed_role_credentials['aws_session_token'],
            region_name='us-east-1'
        )
        break
    if "aws_access_key_id" in record:
        aws_admin_cred_provided = True
        aws_access_key_id = record["aws_access_key_id"]
        aws_secret_access_key = record["aws_secret_access_key"]
        print(f"Admin access key provided. Using Access Key ID {aws_access_key_id}, from record UID {record['uid']}.")
        # Initialize IAM client with admin credentials
        iam_client = boto3.client('iam',
                                  aws_access_key_id=aws_access_key_id,
                                  aws_secret_access_key=aws_secret_access_key,
                                  region_name='us-east-1')
        break
    if "accessKeyId" in record:
        aws_admin_cred_provided = True
        aws_access_key_id = record["accessKeyId"]
        aws_secret_access_key = record["accessSecretKey"]
        print(f"Admin access key provided. Using Access Key ID {aws_access_key_id}, from record UID {record['uid']}.")
        # Initialize IAM client with admin credentials
        iam_client = boto3.client('iam',
                                  aws_access_key_id=aws_access_key_id,
                                  aws_secret_access_key=aws_secret_access_key,
                                  region_name='us-east-1')
        break
else:
    try:
        # Try to retrieve admin access key from the PAM config using Keeper Secrets Manager
        pam_config = secrets_manager.get_secrets([params.get('providerRecordUid')])[0]
        aws_access_key_id = pam_config.field('accessKeyId', single=True)
        aws_secret_access_key = pam_config.field('accessSecretKey', single=True)

        # Check if keys are retrieved successfully
        if aws_access_key_id and aws_secret_access_key:
            aws_admin_cred_provided = True
            print(f"Admin access key retrieved from the PAM Config. Using Access Key ID {aws_access_key_id}, from the PAM Config.")
            # Initialize IAM client with admin credentials
            iam_client = boto3.client('iam',
                                      aws_access_key_id=aws_access_key_id,
                                      aws_secret_access_key=aws_secret_access_key,
                                      region_name='us-east-1')
        else:
            print("Access key ID or secret key not found in the retrieved Keeper Secrets Manager record.")
    except Exception as e:
        # Handle any error that occurs during retrieval
        print(f"Error retrieving admin access key: {e}")

# Check for instance role credentials if no admin access key is provided
if not aws_admin_cred_provided:
    print("No admin access key provided. Checking for instance role authentication...")
    try:
        # Test if instance role credentials are available by creating an IAM client without credentials
        iam_client = boto3.client('iam')
        iam_client.list_access_keys(UserName=user_name)  # Test if we can access the API
        aws_admin_cred_provided = True
        print("Instance role credentials found. Using instance role authentication.")
    except NoCredentialsError:
        print("No instance role credentials available.")
    except ClientError as e:
        print(f"Error using instance role credentials: {e}")

# Exit if no credentials were provided
if not aws_admin_cred_provided:
    raise RuntimeError("No admin access key or instance role credentials provided. The script will exit.")

# Check if the user specified a delete_all_keys_before_rotating custom field
try:
    delete_all_keys_before_rotating = pam_user_to_update.custom_field('delete_all_keys_before_rotating', single=True)
    delete_all_keys_before_rotating = str(delete_all_keys_before_rotating).lower() in ['true', 'yes', '1']
except Exception as e:
    print(f"OPTIONAL field 'delete_all_keys_before_rotating' not found: {e}")
    delete_all_keys_before_rotating = False  # Set to false if an error occurs

# Call the right rotate function based on user parameters
if delete_all_keys_before_rotating:
    result = delete_then_rotate_user_access_key(iam_client, user_name=user_name)
else:
    result = rotate_user_access_key(iam_client, user_name=user_name)

if result:
    print("\nRotation Result:")
    print(f"New Access Key ID: {result['NewAccessKeyId']}")
    print(f"Create Date: {result['CreateDate']}")
    print(f"Deleted Access Keys: {result['DeletedAccessKeys']}")

    # Update the PAM User record in Keeper
    pam_user_to_update.custom_field('aws_access_key_id', result['NewAccessKeyId'])
    pam_user_to_update.custom_field('aws_secret_access_key', result['NewSecretAccessKey'])
    create_date_str = result['CreateDate'].isoformat() if hasattr(result['CreateDate'], 'isoformat') else str(result['CreateDate'])  # Convert the create_date to string format
    pam_user_to_update.custom_field('CreateDate', create_date_str)
    deleted_keys_str = ', '.join(result['DeletedAccessKeys'])  # Convert deleted access keys to a comma-separated string
    pam_user_to_update.custom_field('Access_Key_ID_Removed_during_previous_rotation', deleted_keys_str)
    secrets_manager.save(pam_user_to_update)

Cisco IOS XE

Rotate your Cisco IOS XE Network Credentials

Overview

In this guide, you will learn how to set up password rotation to rotate Cisco IOS XE network credentials.

Prerequisites

KSM Application: Ensure that the Keeper Secrets Manager (KSM) application is set up.
Shared Folder: A shared folder should be set up where all the records will be stored.
PAM Configuration: Ensure that the PAM Configuration is set up and that the Gateway is running and attached to this configuration.
Requests Library: Ensure that the requests library is installed in your Python environment. This library is necessary for making HTTP requests to Cisco devices.
Setting up AnyConnect Cisco VPN: In order to connect to cisco devices, ensure that the machine hosting Keeper Gateway has Cisco AnyConnect VPN installed and properly configured
Test Cisco Device Connectivity

Requests library installation

The Requests library allows you to send HTTP requests easily. Activate a Python virtual environment in your Keeper Gateway environment and install the library using the following command:

pip install requests

Setting up AnyConnect Cisco VPN

Ensure that the machine hosting Keeper Gateway has Cisco AnyConnect VPN installed and properly configured in order to connect to cisco device. This setup is necessary for establishing secure connections to Cisco devices.

Steps to Test Cisco Device

Following these steps will allow you to test the Cisco device and create a new user in the Cisco sandbox environment.

Log in with your Cisco account credentials.
Select and launch the sandbox.

2. Select and Launch the Device

Navigate to the sandbox catalog.
Select the appropriate sandbox for your Cisco device (e.g., Cisco IOS XE, etc.).
Launch the sandbox.

3. Receive Details via Email or DevNet Environment

After launching the sandbox, you will receive an email with the connection details or find them in the DevNet Environment under Quick Access.

4. Download Cisco AnyConnect VPN

Download and install the Cisco AnyConnect Secure Mobility Client.

5. Connect to the VPN

Open the Cisco AnyConnect Secure Mobility Client.
Enter the VPN connection details provided in the email or from the DevNet Environment.
Connect using the provided username and password.

6. Store Developer Credentials

At this point, you will see Developer Credentials—a host, username, and password. Store these values in a Keeper Security record of type Login named as Cisco Authentication Record. You will need this Keeper Security record name in order to run the post-rotation script.

7. Add Custom Field to Cisco Authentication Record

Add a custom field named host_endpoint to the Cisco Authentication Record and set its value to the host address (e.g., 10.10.20.48).

8. Create a User

Open your terminal or SSH client.
Connect to the Cisco device using the provided IP address and credentials.

9. Follow These Steps to Create a User

Login with Admin User (developer):
```
ssh developer@<device-ip>
```
Enable privileged commands:
```
enable
```
Enter configuration mode:
```
configure terminal
```
Create a new user with a password:
```
username <user> password <pass>
```

10. Test the New User

ssh <user>@<device-ip>

Note: Replace <user> with the username you created and <device-ip> with the IP address of the Cisco device.

Setting up Rotation in your Vault

Once you have your prerequisites ready, make sure you cover the following:

Make sure you satisfy all the prerequisites
Ensure that the post-rotation script references the Keeper Security record containing your Cisco admin credentials.
Attach the post-rotation script to a Keeper Security PAM user record using the Keeper Security documentation. When this record has its secrets rotated, the post-rotation script will execute and update the password for the specified Cisco device user.

Step 1: Set Up Rotation Record

Create a new PAM User record to store Cisco User details whose password will be rotated.

Set the username to match the Cisco device admin credentials
Set the password to the current password set for the user.
Add a custom field named host_endpoint to the Cisco Authentication Record and set its value to the host address (e.g., 10.10.20.48).

Step 2: Add PAM Script

Step 3: Add NOOP Custom Field

Enable No-Operation (NOOP) atomic execution:
- In the current PAM User record where user's details are stored, create a new custom text field labeled NOOP and set its value to True.

Step 4: Configure Password Rotation Settings

Rotation Type: Set it to "On-Demand" for this example.
Password Complexity: Leave it as default unless you have specific requirements.
Rotation Settings: Point to the PAM Configuration set up earlier.
Administrative Credentials Record: Can should be left empty

Python Script

PAM script to rotate Cisco IOS XE user credentials:

'''
Password rotation script for Cisco user accounts.

This script is designed to rotate the password for a given Cisco user.
It facilitates the automated updating of user password in your Cisco environment.

NOTE: If spaces are present in the path to the python interpreter, the script will fail to execute.
    This is a known limitation of the shebang line in Linux and you will need to create a symlink
    to the python interpreter in a path that does not contain spaces.
    For example: sudo ln -s "/usr/local/bin/my python3.7" /usr/local/bin/pam_rotation_venv_python3
'''

import sys
import base64
import json
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
'''
Optionally display installed packages for debugging. Uncomment if needed.
import pkg_resources
print("# \n# Installed packages for debugging:")
installed_packages = pkg_resources.working_set
installed_packages_list = sorted(["%s==%s" % (i.key, i.version) for i in installed_packages])
for m in installed_packages_list:
    print(f"  {m}")
'''

# Import the requests package
try:
    import requests
except ImportError:
    print("# Error: The 'requests' package is not installed. Run 'pip install requests' to install it.")
    exit(1)

def get_username_details(cisco_url, cisco_admin_username, cisco_admin_password, cisco_user_name):
    """
    Verify the Cisco user.
    Args:
    - cisco_url (str): The host endpoint of the Cisco account to connect to.
    - cisco_admin_username (str): The username of the Cisco admin account.
    - cisco_admin_password (str): The password of the Cisco admin account.
    - cisco_user_name (str): The name of the Cisco user whose password needs to be rotated.
    Returns:
    - True if username found.
    """
    
    # Constructs the request URL for the username API endpoint
    request_url = f"{cisco_url}username/"
    
    # Sets the headers for the RESTCONF request, specifying that we expect and send YANG data in JSON format
    headers = {
    'Accept': 'application/yang-data+json',
    'Content-Type': 'application/yang-data+json'
    }
    try:
        # Sends a GET request to the Cisco router to fetch user details
        response = requests.get(request_url, headers=headers, auth=(cisco_admin_username,cisco_admin_password), verify=False)
        response.raise_for_status()
        data = response.json()
        # Extracts the list of usernames from the response data
        usernames = data["Cisco-IOS-XE-native:username"]
        # Iterates through the list of usernames to find the specified user
        for user in usernames:
            if user["name"]==cisco_user_name:
                # Returns True if the specified username is found
                return True
    except requests.exceptions.HTTPError as http_err:
        print(f"HTTP error occurred while fetching username details from Cisco router: {http_err}")
    except Exception as err:
        print(f"An error occurred: {err}")
    return False

def rotate(cisco_url, cisco_admin_username, cisco_admin_password, cisco_user_name, new_password):
    """
    Rotate the password for a given Cisco user.
    Args:
    - cisco_url (str): The host endpoint of the Cisco account to connect to.
    - cisco_admin_username (str): The username of the Cisco admin account.
    - cisco_admin_password (str): The password of the Cisco admin account.
    - cisco_user_name (str): The name of the Cisco user whose password needs to be rotated.
    - new_password (str): The new password to be set for the Cisco user.
    Returns:
    - None
    """
    
    # Calls the function get_username_details to check if the specified user exists on the Cisco router
    user = get_username_details(cisco_url, cisco_admin_username, cisco_admin_password, cisco_user_name)

    # If the user does not exist, print an error message and exit the program
    if not user:
        print(f"No user found with the username: {cisco_user_name}")
        exit(1)
    
    # Sets the headers for the RESTCONF request, specifying that we expect and send YANG data in JSON format
    headers = {
    'Accept': 'application/yang-data+json',
    'Content-Type': 'application/yang-data+json'
    }

    # Creates the data payload for the PATCH request to update the user's password
    data = {
    "Cisco-IOS-XE-native:native": {
        "username": [
                {
                "name": cisco_user_name,
                "password": {
                    "password": new_password
                    }
                }
            ]
        }
    }
    
    try:
        # Sends a PATCH request to the Cisco router to update the user's password
        response = requests.patch(cisco_url, headers=headers, auth=(cisco_admin_username,cisco_admin_password), data=json.dumps(data), verify=False)
        response.raise_for_status()
        print(f"Password updated successfully for user {cisco_user_name}")
    except requests.exceptions.HTTPError as http_err:
        print(f"HTTP error occurred while updating the password for the given user: {http_err}")
    except Exception as err:
        print(f"An error occurred: {err}")

def main():
    """
    Main function to rotate the password for a Cisco device user.

    Reads and decodes input parameters from stdin, including the authentication record details
    and the new password. Then, updates the password of the specified Cisco device user.
    """
    record_title = 'Cisco Authentication Record' #This should be same as the title of the record containing username, password and host endpoint details. 
    api_access_token_record = None
    params = None
    
    # Read and decode input parameters from stdin
    for base64_params in sys.stdin:
        params = json.loads(base64.b64decode(base64_params).decode())

        # Decode and load records passed in as JSON strings from the PAM Script section as "Rotation Credential" records
        records = json.loads(base64.b64decode(params.get('records')).decode())
        # Find the record that matches the specified title
        api_access_token_record = next((record for record in records if record['title'].lower() == record_title.lower()), None)
        break

    if api_access_token_record is None:
        print(f"# Error: No Record with the access token found. Title: {record_title}")
        exit(1)
    
    # Extract Details from the record
    # HostName endpoint of the Cisco device endpoint.
    cisco_router_endpoint = api_access_token_record.get('host_endpoint') 
    # Admin username for the Cisco device
    cisco_admin_username = api_access_token_record.get('login')
    # Admin password for the Cisco device
    cisco_admin_password = api_access_token_record.get('password')

    # Username of the Cisco device user whose password needs to be rotated
    cisco_user_name = params.get('user')
    # New password to set for the Cisco device user
    new_password = params.get('newPassword')
    
    # Check if all required fields are present
    if not all([cisco_router_endpoint, cisco_admin_username, cisco_admin_password, cisco_user_name]):
        print("# Error: One or more required fields are missing in the access token record.")
        exit(1)
    
    # Construct the Cisco API URL
    cisco_url = f"https://{cisco_router_endpoint}/restconf/data/Cisco-IOS-XE-native:native/"

    # Rotate the password for the specified Cisco device user
    rotate(cisco_url, cisco_admin_username, cisco_admin_password, cisco_user_name, new_password)

if __name__ == "__main__":
    main()

The above script for the Cisco Post-Rotation Script can be also found here:

Rotating Cisco IOS XE Network User Credentials

Note: The user whose password is getting rotated should not be an administrator and must be Authorized for Client VPN [While adding the user via user management portal, the authorized option should be selected as 'Yes'].

After successfully setting up Rotation for your Cisco User Credentials on the PAM User Record, clicking on "Run Scripts Only" will rotate the credential:

Cisco Meraki

Rotate your Cisco Meraki Network Credentials

Overview

In this guide, you will learn how to set up password rotation to rotate Cisco Meraki network credentials.

Prerequisites

KSM Application: Ensure that the Keeper Secrets Manager (KSM) application is set up.
Shared Folder: A shared folder should be set up where all the records will be stored.
PAM Configuration: Ensure that the PAM Configuration is set up and that the Gateway is running and attached to this configuration.
Requests Library: Ensure that the requests library is installed in your Python environment. This library is necessary for making HTTP requests to Cisco devices.
Setting up AnyConnect Cisco VPN: In order to connect to cisco devices, ensure that the machine hosting Keeper Gateway has Cisco AnyConnect VPN installed and properly configured
Test Cisco Device Connectivity

Requests library installation

The Requests library allows you to send HTTP requests easily. Activate a Python virtual environment in your Keeper Gateway environment and install the library using the following command:

pip install requests

Setting up AnyConnect Cisco VPN

Ensure that the machine hosting Keeper Gateway has Cisco AnyConnect VPN installed and properly configured inorder to connect to cisco device. This setup is necessary for establishing secure connections to Cisco devices.

Steps to Test Cisco Device

Following these steps will allow you to test the Cisco device and create a new user in the Cisco sandbox environment.

Log in with your Cisco account credentials.
Select and launch the sandbox.

2. Select and Launch the Device

Navigate to the sandbox catalog.
Select the appropriate sandbox for your Cisco device (e.g., Cisco IOS XE, etc.).
Launch the sandbox.

3. Receive Details via Email or DevNet Environment

After launching the sandbox, you will receive an email with the connection details or find them in the DevNet Environment under Quick Access.

4. Download Cisco AnyConnect VPN

Download and install the Cisco AnyConnect Secure Mobility Client.

5. Connect to the VPN

Open the Cisco AnyConnect Secure Mobility Client.
Enter the VPN connection details provided in the email or from the DevNet Environment.
Connect using the provided username and password.

6. Store Developer Credentials

7. Add Custom Field to Cisco Authentication Record

Add a custom field named network_id to the Cisco Authentication Record and set its value to the host address (e.g., 13.0.0.1).

8. Create a User

Open your terminal or SSH client.
Connect to the Cisco device using the provided IP address and credentials.

9. Follow These Steps to Create a User

Login with Admin User (developer):
```
ssh developer@<device-ip>
```
Enable privileged commands:
```
enable
```
Enter configuration mode:
```
configure terminal
```
Create a new user with a password:
```
username <user> password <pass>
```

10. Test the New User

ssh <user>@<device-ip>

Note: Replace <user> with the username you created and <device-ip> with the IP address of the Cisco device.

Setting up Rotation in your Vault

Once you have your prerequisites ready, make sure you cover the following:

Make sure you satisfy all the prerequisites
Ensure that the post-rotation script references the Keeper Security record containing your Cisco admin credentials.
Attach the post-rotation script to a Keeper Security PAM user record using the Keeper Security documentation. When this record has its secrets rotated, the post-rotation script will execute and update the password for the specified Cisco device user.

Step 1: Set Up Rotation Record

Create a new PAM User record to store Cisco User details whose password will be rotated.

Set the username to match the Cisco device admin credentials
Set the password to the current password set for the user.
Add a custom field named network_id to the Cisco Authentication Record and set its value to the host address (e.g., 13.0.0.1).

Step 2: Add PAM Script

Step 3: Add NOOP Custom Field

Enable No-Operation (NOOP) atomic execution:
- In the current PAM User record where user's details are stored, create a new custom text field labeled NOOP and set its value to True.

Step 4: Configure Password Rotation Settings

Rotation Type: Set it to "On-Demand" for this example.
Password Complexity: Leave it as default unless you have specific requirements.
Rotation Settings: Point to the PAM Configuration set up earlier.
Administrative Credentials Record: Can should be left empty

Python Script

PAM script to rotate Cisco Meraki user credentials:

'''
Password rotation script for Cisco meraki user accounts.

This script is designed to rotate the password for a given Cisco Meraki User.
It facilitates the automated updating of user password in your Cisco meraki environment.

NOTE: If spaces are present in the path to the python interpreter, the script will fail to execute.
    This is a known limitation of the shebang line in Linux and you will need to create a symlink
    to the python interpreter in a path that does not contain spaces.
    For example: sudo ln -s "/usr/local/bin/my python3.7" /usr/local/bin/pam_rotation_venv_python3
'''

import sys
import base64
import json
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
'''
Optionally display installed packages for debugging. Uncomment if needed.
import pkg_resources
print("# \n# Installed packages for debugging:")
installed_packages = pkg_resources.working_set
installed_packages_list = sorted(["%s==%s" % (i.key, i.version) for i in installed_packages])
for m in installed_packages_list:
    print(f"  {m}")
'''

# Import the requests package
try:
    import requests
except ImportError:
    print("# Error: The 'requests' package is not installed. Run 'pip install requests' to install it.")
    exit(1)

def fetch_meraki_user_by_email(api_key, network_id, email):
    """
    Fetches User details by email.
    
    Args:
    - api_key (str): The Meraki API key.
    - network_id (str): The network ID to search within.
    - email (str): The email of the user to fetch.
    
    Returns:
    - User details if found, otherwise None.
    """
    if not network_id:
        print("Invalid network ID.")
        return None

    # URL to fetch Meraki dashboard users
    users_url = f"https://api.meraki.com/api/v1/networks/{network_id}/merakiAuthUsers"
    headers = {
        'X-Cisco-Meraki-API-Key': api_key,
        'Content-Type': 'application/json',
        'Accept': 'application/json'
    }

    try:
        # Make GET request to fetch users
        response = requests.get(users_url, headers=headers)
        response.raise_for_status()
        # Parse response JSON
        users = response.json()

        if users:
            for user in users:
                if user['email'] == email:
                    print("\nUser found for the email-", email)
                    return user
        return None

    except requests.exceptions.RequestException as e:
        print(f"Error fetching Meraki dashboard users: {e}")
        return None

def update_meraki_user_password(api_key, network_id, user_id, new_password):
    """
    Updates the password for a Meraki dashboard user.
    
    Args:
    - api_key (str): The Meraki API key.
    - network_id (str): The network ID the user belongs to.
    - user_id (str): The ID of the user to update.
    - new_password (str): The new password to set.
    
    Returns:
    - bool: True if successful, otherwise False.
    """
    if not network_id:
        print("Invalid network ID.")
        return False

    # URL to update a specific user's password
    user_url = f"https://api.meraki.com/api/v1/networks/{network_id}/merakiAuthUsers/{user_id}"
    headers = {
        'X-Cisco-Meraki-API-Key': api_key,
        'Content-Type': 'application/json',
        'Accept': 'application/json'
    }

    payload = {'password': new_password}

    # Make PUT request to update user's password
    response = requests.put(user_url, headers=headers, json=payload)
    
    return response

def rotate(meraki_network_id, meraki_api_key, meraki_user_email, new_password):
    """
    Rotate the password for a given Cisco user.
    Args:
    - meraki_network_id (str): Network ID of the network where the user is located.
    - meraki_api_key (str): API access key for authorization.
    - meraki_user_email (str): Email of the user whose password needs to be rotated.
    - new_password (str): The new password to be set for the Cisco user.
    Returns:
    - None
    """
    
    # Calls the function fetch_meraki_user_by_email to fetch the user details using user email.
    user = fetch_meraki_user_by_email(meraki_api_key, meraki_network_id, meraki_user_email)

    # If the user does not exist, print the message and exit the program
    if not user:
        print(f"No user found with the email: {meraki_user_email}")
        exit(1)
    
    try:
        meraki_user_id = user['id']

        # Updating password for the given user using ID
        response = update_meraki_user_password(meraki_api_key, meraki_network_id, meraki_user_id, new_password)
        if response.status_code == 200:
            print(f"Password updated successfully for user with email {meraki_user_email}")
        else:
            print(f"Failed to update password. Status code: {response.status_code}, Error: {response.text}")

    except requests.exceptions.HTTPError as http_err:
        print(f"HTTP error occurred while updating the password for the given user email: {http_err}")
    except Exception as err:
        print(f"An error occurred: {err}")

def main():
    """
    Main function to rotate the password for a Cisco meraki user.

    Reads and decodes input parameters from stdin, including the authentication record details
    and the new password. Then, updates the password of the specified Cisco meraki user.
    """
    record_title = 'Cisco Authentication Record' #This should be same as the title of the record containing meraki api key and network ID details. 
    api_access_token_record = None
    params = None
    
    # Read and decode input parameters from stdin
    for base64_params in sys.stdin:
        params = json.loads(base64.b64decode(base64_params).decode())

        # Decode and load records passed in as JSON strings from the PAM Script section as "Rotation Credential" records
        records = json.loads(base64.b64decode(params.get('records')).decode())
        # Find the record that matches the specified title
        api_access_token_record = next((record for record in records if record['title'].lower() == record_title.lower()), None)
        break

    if api_access_token_record is None:
        print(f"# Error: No Record with the access token found. Title: {record_title}")
        exit(1)
    
    # Extract Details from the record
    
    # Network ID of the network where the user is located
    meraki_network_id = api_access_token_record.get('network_id')
    
    # API Key for Cisco meraki api authentication
    meraki_api_key = api_access_token_record.get('password')

    # Email of the Cisco meraki user whose password needs to be rotated
    meraki_user_email = params.get('user')

    # New password to set for the Cisco meraki user
    new_password = params.get('newPassword')
    
    # Check if all required fields are present
    if not all([meraki_network_id, meraki_api_key, meraki_user_email]):
        print("# Error: One or more required fields are missing in the access token record.")
        exit(1)

    # Rotate the password for the specified Cisco meraki user
    rotate(meraki_network_id, meraki_api_key, meraki_user_email, new_password)

if __name__ == "__main__":
    main()

The above script for the Cisco Post-Rotation Script can be also found here:

Rotating Cisco Meraki Network User Credentials

After successfully setting up Rotation for your Cisco User Credentials on the PAM User Record, clicking on "Run Scripts Only" will rotate the credential: