Keeper Password Rotation architecture diagram and data flow
The Keeper Rotation Module infrastructure diagram is below.
1. Keeper Admin schedules rotation or clicks ‘Rotate Now’ from the Vault interface
2. Keeper backend schedules the rotation using the Record UID
3. Keeper Gateway establishes an outbound WebSocket connection, receives the request to rotate, and pulls the needed records using Keeper Secrets Manager APIs
4. The Keeper Gateway generates new credentials and updates Keeper and the target resource
5. Gateway runs custom post-execution scripts on the Gateway or target machines
6. Client devices securely retrieve the updated record using Keeper Secrets Manager
7. Vault end-users receive the latest rotated information on the Keeper Vault user interface
8. Keeper's Advanced Reporting & Alerts module logs all events and triggers alerts
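The rotation flow above, modelled as an added example that is not Keeper's code or an example from the Keeper documentation. The in-memory Vault, Target and Gateway classes, the Record UID "REC-EXAMPLE-1", the two-phase commit (store the candidate as a pending value, change it on the target, then promote it) and the event tuples are all assumptions made for illustration; the point is the failure mode the steps do not spell out, namely keeping the vault and the target in agreement when the target cannot be updated, and never writing the secret itself into the reporting stream.

```python
"""Simulated credential rotation: vault, target resource and gateway stand-ins.

Everything here is constructed for illustration; none of it is Keeper's API.
"""
import secrets
import string
from dataclasses import dataclass, field

# Character set for generated passwords (assumption; real policies vary per target).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*_-+="


def generate_password(length: int = 32) -> str:
    """Draw every character from the OS CSPRNG (secrets), never from random.choice."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Vault:
    """Stand-in for the record store, keyed by Record UID."""
    records: dict

    def get(self, uid: str) -> dict:
        return dict(self.records[uid])

    def save(self, uid: str, record: dict) -> None:
        self.records[uid] = dict(record)


class Target:
    """Stand-in for the resource being rotated; fail_next simulates an unreachable host."""

    def __init__(self, login: str, password: str) -> None:
        self.creds = {login: password}
        self.fail_next = False

    def set_password(self, login: str, new_password: str) -> None:
        if self.fail_next:
            self.fail_next = False
            raise ConnectionError("target unreachable")
        if login not in self.creds:
            raise KeyError(login)
        self.creds[login] = new_password

    def authenticate(self, login: str, password: str) -> bool:
        return self.creds.get(login) == password


@dataclass
class Gateway:
    """Performs the rotation and records events for reporting (no secret values in events)."""
    vault: Vault
    target: Target
    events: list = field(default_factory=list)

    def rotate(self, uid: str, post_hook=None) -> bool:
        record = self.vault.get(uid)
        new_password = generate_password()

        # Phase 1: persist the candidate as a pending value before touching the target,
        # so a crash after the target accepts it never leaves the only copy on the target.
        record["pending_password"] = new_password
        self.vault.save(uid, record)

        try:
            self.target.set_password(record["login"], new_password)
        except Exception as exc:
            # Target rejected the change: discard the candidate; the committed password
            # is untouched, so vault and target still agree.
            del record["pending_password"]
            self.vault.save(uid, record)
            self.events.append(("rotation_failed", uid, type(exc).__name__))
            return False

        # Phase 2: target confirmed, promote the candidate to the committed password.
        record["password"] = record.pop("pending_password")
        self.vault.save(uid, record)
        self.events.append(("rotation_succeeded", uid, None))

        # Optional post-execution script, e.g. restarting a service that caches the credential.
        if post_hook is not None:
            post_hook(record["login"], new_password)
        return True


def client_can_authenticate(vault: Vault, target: Target, uid: str) -> bool:
    """A client retrieving the updated record should be able to use it immediately."""
    record = vault.get(uid)
    return target.authenticate(record["login"], record["password"])


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    vault = Vault({"REC-EXAMPLE-1": {"login": "svc-backup", "password": "initial-secret"}})
    target = Target("svc-backup", "initial-secret")
    gateway = Gateway(vault, target)
    print("rotated:", gateway.rotate("REC-EXAMPLE-1"))
    print("client ok:", client_can_authenticate(vault, target, "REC-EXAMPLE-1"))
    print("events:", gateway.events)
```

The events list stands in for the Advanced Reporting & Alerts feed: it carries the outcome, the Record UID and the exception class, and deliberately nothing that would let a log reader recover the credential.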
The Keeper Gateway is a lightweight service which is installed into the customer's environment and communicates outbound to Keeper services. The Gateway performs the rotation, discovery and connections to assets on the network. The Gateway receives commands from the Keeper Router, then uses Keeper Secrets Manager APIs to authenticate, communicate and decrypt data from the Keeper cloud.
Keeper-hosted infrastructure that manages connections between Keeper and Rotation Gateways. The Cloud Router provides real-time messaging and communication between the Keeper Vault, the customer gateway and Keeper backend services.
Keeper's Backend API is the endpoint which all Keeper client applications communicate with. Client applications encrypt data locally and transmit encrypted ciphertext to the API in a Protocol Buffer format.
Keeper-hosted infrastructure that manages timing and logistics around scheduled rotation of credentials across the target infrastructure.
The management console used to set and enforce policies across all Keeper components.
The end-user interface for managing the vault and rotating passwords.