Password Rotation in the Local Network Environment
In this section, you will learn how to rotate user credentials within a Local Network environment across various target systems.
A local network is configured by setting the Local Network as your environment in the PAM Configuration Record. Using this Local Network setting will only allow rotation on the local machine and all interactions with the operating system are done via Bash or PowerShell.
At a high level, the following steps are needed to successfully rotate passwords on your local network:
Create Shared Folders to hold the PAM records involved in rotation
Create PAM Machine, PAM Database, PAM Directory records that contain credentials with the necessary permissions to rotate and update the user's credentials
Create PAM User records that contain the user's information
Create a Secrets Manager Application and assign it to the shared folders that hold the PAM records
Configure the Gateway and add it to the Secrets Manager application
Create a PAM Configuration
Configure Rotation settings on the PAM User records
The following pages cover these steps in more details on how to successfully rotate passwords in different scenarios on the local network:
Rotating active directory accounts remotely using LDAP
In this guide, you'll learn how to remotely rotate Active Directory accounts via LDAP using Keeper Rotation.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate via LDAPs to your directory server.
Keeper Rotation will use an admin credential to rotate other accounts in your environment. This account does not need to be a domain admin account, but needs to be able to successfully change passwords for other accounts.
The admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
Record Type
PAM Directory
Title
Keeper record title
Hostname or IP Address
IP address, hostname or FQDN of the directory server. Examples: 10.10.10.10
, dc01.mydomain.local
Port
636
- LDAPs is required for rotation. Note: LDAP over port 389
is insecure, and does not support credential rotation.
Use SSL
Must be enabled
Login
Username of the account performing the LDAP rotation. Example: rotationadmin
Password
Admin account password
Domain Name
Domain name of the Active Directory. Example: mydomain.local
Other fields
These should be left blank
Note: You can skip this step if you already have a PAM configuration setup.
A PAM Configuration associates a Keeper Gateway with credentials. If you don't have a PAM Configuration set up yet for this use case, create one. On the left menu of the Vault, select "Secrets Manager", then select the "PAM Configurations" tab and create a new configuration for Active Directory rotation.
Title
Configuration name, example: LDAP Rotation
Environment
Select: Local Network
Gateway
Select the Gateway that has access to your Active Directory server from the pre-requisites
Application Folder
Select the Shared folder that contains the PAM Directory record above
Admin Credentials Record
Select the PAM Directory record, this list is filtered to records in the application folder
Add Resource Credential
Add any optional credentials to be attempted in addition to the primary credential
Default Rotation Schedule
Optional
Other fields
These should be left blank
Keeper Rotation will use the credentials in the "PAM Directory" record to rotate "PAM User" records in your environment.
The user credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites.
Record Type
PAM User
Title
Keeper record title
Login
Username of the account being rotated. Example: bsmith
Password
Account password is optional, rotation will set one if blank
Distinguished Name
The LDAP DN for the user
Other fields
These should be left blank
The following PowerShell command can be used to get the correct DN for the user: Get-ADUser -Identity bsmith -Properties DistinguishedName
Select the PAM User record, edit the record and open the "Password Rotation Settings".
Any user with Can Edit rights to a PAM User record has the ability to set up rotation for that record.
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the "PAM Directory" credential setup previously.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
An easy way to test if LDAP is properly configured is to run 'LDP.exe' and test the connection. If this connection succeeds, then Keeper Rotation should also succeed.
Rotating Windows User Accounts on Local Network
In this guide, you'll learn how to rotate Windows user accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed and showing online
Connection Method Choose one of the following methods to enable on your target Windows Machine(s):
WinRM: Enabled and running on port 5986.
Verification: Run winrm get winrm/config
to verify that WinRM is running.
OR
SSH: Enabled and running on port 22.
Verification: Run ssh [your-user]@[your-machine] -p 22
to verify that SSH is running.
Keeper Rotation will use an admin credential to rotate credentials of other accounts in your local environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of other accounts.
In this guide, we will store the admin credentials in a PAM Machine Record.
The following table lists all the required fields that needs to be filled on the PAM Machine Record with your information:
Title
Name of the Record ex: "Local Windows Admin"
Hostname or IP Address
Machine hostname or IP as accessed by the Gateway (internal) or "localhost"
Port
22 for SSH, 5985 (HTTP) or 5986 (HTTPS) for WinRM
Login
Username of the Admin account
Password
Required for WinRM
Optional for SSH if your setup requires a password, otherwise can use PEM key.
Note: The following chars are restricted: " '
Private PEM Key
Required for SSH if not using a password
This PAM Machine Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating Windows users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Title
Configuration name, example: Windows LAN Configuration
Environment
Select: Local Network
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has SSH access to your Windows devices
Application Folder
Select the Shared folder that contains the PAM Machine record in Step 1.
Admin Credentials Record
Select the PAM Machine record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate credentials
Keeper Rotation will use the credentials in the PAM Machine record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Record Type
PAM User
Title
Keeper record title
Login
Case sensitive username of the account being rotated. Example: msmith
Password
Account password is optional, rotation will set one if blank
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Machine credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Machine record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Machine credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Rotating Linux User Accounts on Local Network
In this guide, you'll learn how to rotate Linux user accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
Keeper Rotation will use an admin credential to rotate credentials of other accounts in your local environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of other accounts.
In this guide, we will store the admin credentials in a PAM Machine Record.
The following table lists all the required fields that needs to be filled on the PAM Machine Record with your information:
Title
Name of the Record ex: "Local Linux Admin"
Hostname or IP Address
Machine hostname or IP as accessed by the Gateway (internal) or "localhost"
Port
22 for SSH
Login
Username of the Admin account
Password
Depends on your SSH setup.
Your SSH setup may require a password, otherwise optional.
Note: The following char are restricted: " '
Private PEM Key
Required for SSH if not using a password
This PAM Machine Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating Linux users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Title
Configuration name, example: Linux LAN Configuration
Environment
Select: Local Network
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has SSH access to your Linux devices
Application Folder
Select the Shared folder that contains the PAM Machine record in Step 1.
Admin Credentials Record
Select the PAM Machine record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate credentials
Keeper Rotation will use the credentials in the PAM Machine record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Record Type
PAM User
Title
Keeper record title
Login
Case sensitive username of the account being rotated. Example: msmith
Password
Account password is optional, rotation will set one if blank
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Machine credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Machine record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Machine credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Rotating Local Mac User Accounts with Keeper Rotation
In this guide, you'll learn how to remotely rotate MacOS accounts via SSH using Keeper Rotation.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
Keeper Rotation will use an admin credential to rotate other accounts in your environment. This account does not need to be joined to a domain, or a full admin account, but the account needs to be able to successfully change passwords for other accounts.
The admin credential needs to be in a shared folder that is shared to the KSM applicaiton created in the pre-requisites. Only the KSM applicaiton needs access to this privileged account, it does not need to be shared with any users.
Record Type
PAM Machine
Title
Keeper record title
Hostname or IP Address
IP address or hostname of the directory MacOS device. Use localhost if the gateway is installed on the device. Examples: 10.10.10.10
, MarysMacBook
, localhost
Port
SSH port, typically: 22
- SSH is required for rotation.
Use SSL
Must be enabled
Login
Username of the account performing the LDAP rotation. Example: rotationadmin
Password
Admin account password
Operating System
For Mac OS rotation, use: MacOS
Other fields
These should be left blank
Note: You can skip this step if you already have a PAM configuration setup.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab. Create a new configuration:
Title
Configuration name, example: MAC Rotation
Environment
Select: Local Network
Gateway
Select the Gateway that has SSH access to your MacOS devices
Application Folder
Select the Shared folder that contains the PAM Machine record above.
Admin Credentials Record
Select the admin record record, this list is filtered to records in the application folder
Add Resource Credential
Add any optional credentials to be attempted in addition to the primary credential
Default Rotation Schedule
Optional
Other fields
These should be left blank
Keeper Rotation will use the credentials in the PAM Machine record to rotate the PAM User records in your environment.
The user credential needs to be in a shared folder that is shared to the KSM applicaiton created in the pre-requisites.
Record Type
PAM User
Title
Keeper record title
Login
Case sensitive username of the account being rotated. Example: msmith
Password
Account password is optional, rotation will set one if blank
Other fields
These should be left blank
Select the PAM User record, edit the record and open the "Password Rotation Settings".
Any user with edit
rights to a PAM User record has the abilty to setup rotation for that record.
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the "PAM Machine" credential setup previously.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
DB credential Rotation in the Local Environment
In this section, you will learn how to rotate DB User or Admin credentials within your local network across various databases:
Rotating Local Network MySQL database accounts with Keeper Rotation
In this guide, you'll learn how to rotate Local MySQL Database User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate to your MySQL database
Keeper Rotation will use an admin credential to rotate credentials of other accounts in your local environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of other accounts.
In this guide, we will store the admin credentials in a PAM Database record.
The following table lists all the required fields that needs to be filled on the PAM Database Record with your information:
Title
Keeper record title Ex: dbadmin
Hostname or IP Address
Server address - doesn't need to be publicly routable
Port
For default ports, see port mapping
Ex: mysql=3306
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Login
The admin account that will perform rotation
Password
Admin account password
Database Type
mysql
If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Title
Configuration name, example: MySQL LAN Configuration
Environment
Select: Local Network
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MySQL database
Application Folder
Select the Shared folder that contains the PAM Database record in Step 1
Admin Credentials Record
Select the PAM Database record created in Step 1 This is the record with the admin credentials and sufficient permissions to rotate credentials
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Record Type
PAM User
Title
Keeper record title
Login
Case sensitive username of the db account being rotated. Example: msmith
Password
Account password is optional, rotation will set one if blank
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Rotating Local Network MariaDB database accounts with Keeper Rotation
In this guide, you'll learn how to rotate Local MariaDB User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate to your MariaDB database
Keeper Rotation will use an admin credential to rotate credentials of other accounts in your local environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of other accounts.
In this guide, we will store the admin credentials in a PAM Database Record.
The following table lists all the required fields that needs to be filled on the PAM Database Record with your information:
Title
Keeper record title Ex: dbadmin
Hostname or IP Address
Server address - doesn't need to be publicly routable
Port
For default ports, see port mapping
Ex: mariadb=3306
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Login
The admin account that will perform rotation
Password
Admin account password
Database Type
maridb
or maridb-flexible
If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Title
Configuration name, example: MariaDB LAN Configuration
Environment
Select: Local Network
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MariaDB database
Application Folder
Select the Shared folder that contains the PAM Database record in Step 1
Admin Credentials Record
Select the PAM Database record created in Step 1 This is the record with the admin credentials and sufficient permissions to rotate credentials
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Record Type
PAM User
Title
Keeper record title
Login
Case sensitive username of the db account being rotated. Example: msmith
Password
Account password is optional, rotation will set one if blank
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Rotating Local Network PostgreSQL database accounts with Keeper Rotation
In this guide, you'll learn how to rotate Local Postgres Database User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate to your Postgres database
Keeper Rotation will use an admin credential to rotate credentials of other accounts in your local environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of other accounts.
In this guide, we will store the admin credentials in a PAM Database Record.
The following table lists all the required fields that needs to be filled on the PAM Database Record with your information:
Title
Keeper record title Ex: dbadmin
Hostname or IP Address
Server address - doesn't need to be publicly routable
Port
For default ports, see port mapping
Ex: postgresql=5432
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Login
The admin account that will perform rotation
Password
Admin account password
Connect Database
Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database and so this will default to template1.
Database Type
postgresql
or postgresql-flexible
If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Title
Configuration name, example: Postgresql LAN Configuration
Environment
Select: Local Network
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your PostgreSQL database
Application Folder
Select the Shared folder that contains the PAM Database record in Step 1
Admin Credentials Record
Select the PAM Database record created in Step 1 This is the record with the admin credentials and sufficient permissions to rotate credentials
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Record Type
PAM User
Title
Keeper record title
Login
Case sensitive username of the db account being rotated. Example: msmith
Password
Account password is optional, rotation will set one if blank
Connect Database
Optional database that will be used when connecting to the database server. For example: PostgreSQL requires a database and so this will default to template1.
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Rotating Local Network MongoDB database accounts with Keeper Rotation
In this guide, you'll learn how to rotate Local MongoDB User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate to your MongoDB Database
Keeper Rotation will use an admin credential to rotate credentials of other accounts in your local environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of other accounts.
In this guide, we will store the admin credentials in a PAM Database Record.
The following table lists all the required fields that needs to be filled on the PAM Database Record with your information:
Title
Keeper record title Ex: dbadmin
Hostname or IP Address
Server address - doesn't need to be publicly routable
Port
For default ports, see port mapping
Ex: mongodb=27017
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Login
The admin account that will perform rotation
Password
Admin account password
Connect Database
Optional database that will be used when connecting to the database server.
For example, MongoDB requires a database and so this will default to admin
.
Database Type
mongodb
If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Title
Configuration name, example: MongoDB LAN Configuration
Environment
Select: Local Network
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MongoDB database
Application Folder
Select the Shared folder that contains the PAM Database record in Step 1
Admin Credentials Record
Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate credentials
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Record Type
PAM User
Title
Keeper record title
Login
Case sensitive username of the db account being rotated. Example: msmith
Password
Account password is optional, rotation will set one if blank
Connect Database
Optional database that will be used when connecting to the database server.
For example: MongoDB requires a database and so this will default to admin
.
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Rotating Local Network Microsoft SQL Server database accounts with Keeper Rotation
In this guide, you'll learn how to rotate Local MS SQL Server Database User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate to your MySQL database
If the Gateway is installed on a Linux or macOS server, install the Microsoft ODBC driver
Keeper Rotation will use an admin credential to rotate credentials of other accounts in your local environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of other accounts.
In this guide, we will store the admin credentials in a PAM Database Record.
The following table lists all the required fields that needs to be filled on the PAM Database Record with your information:
Title
Keeper record title Ex: dbadmin
Hostname or IP Address
Server address - doesn't need to be publicly routable
Port
For default ports, see port mapping
Ex: mssql=1433
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Login
The admin account that will perform rotation
Password
Admin account password
Connect Database
Optional database that will be used when connecting to the database server.
For example, MS SQL server requires a database and so this will default to master
.
Database Type
mssql
If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Title
Configuration name, example: MSSQL LAN Configuration
Environment
Select: Local Network
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MS SQL Server database
Application Folder
Select the Shared folder that contains the PAM Database record in Step 1.
Admin Credentials Record
Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate credentials
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Record Type
PAM User
Title
Keeper record title
Login
Case sensitive username of the db account being rotated. Example: msmith
Password
Account password is optional, rotation will set one if blank
Connect Database
Optional database that will be used when connecting to the database server.
For example, MS SQL server requires a database and so this will default to master
.
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Rotating Local Network Oracle database accounts with Keeper Rotation
In this guide, you'll learn how to rotate Local Oracle Database User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate to your Oracle database
Keeper Rotation will use an admin credential to rotate credentials of other accounts in your local environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of other accounts.
In this guide, we will store the admin credentials in a PAM Database Record.
The following table lists all the required fields that needs to be filled on the PAM Database Record with your information:
Title
Keeper record title Ex: dbadmin
Hostname or IP Address
Server address - doesn't need to be publicly routable
Port
For default ports, see port mapping
Ex: oracle=1521
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Login
The admin account that will perform rotation
Password
Admin account password
Database Type
oracle
If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Title
Configuration name, example: Oracle LAN Configuration
Environment
Select: Local Network
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Oracle database
Application Folder
Select the Shared folder that contains the PAM Database record in Step 1.
Admin Credentials Record
Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate credentials
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Record Type
PAM User
Title
Keeper record title
Login
Case sensitive username of the db account being rotated. Example: msmith
Password
Account password is optional, rotation will set one if blank
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.