Rotating Local Network MySQL database accounts with Keeper Rotation
In this guide, you'll learn how to rotate Local MySQL Database User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate to your MySQL database
Keeper Rotation will use an admin credential to rotate credentials of other accounts in your local environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of other accounts.
In this guide, we will store the admin credentials in a PAM Database record.
The following table lists all the required fields that needs to be filled on the PAM Database Record with your information:
Title
Keeper record title Ex: dbadmin
Hostname or IP Address
Server address - doesn't need to be publicly routable
Port
For default ports, see port mapping
Ex: mysql=3306
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Login
The admin account that will perform rotation
Password
Admin account password
Database Type
mysql
If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Title
Configuration name, example: MySQL LAN Configuration
Environment
Select: Local Network
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MySQL database
Application Folder
Select the Shared folder that contains the PAM Database record in Step 1
Admin Credentials Record
Select the PAM Database record created in Step 1 This is the record with the admin credentials and sufficient permissions to rotate credentials
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Record Type
PAM User
Title
Keeper record title
Login
Case sensitive username of the db account being rotated. Example: msmith
Password
Account password is optional, rotation will set one if blank
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.