Defining alternative ports in PAM Configurations
Rotation relies on the port field in resource records to determine its connection method.
For example, in a PAM Machine record, port 22 tells the gateway to use SSH, port 5985 for WinRM (http) and port 5986 for WinRM (https).
The expected standard ports are listed in the following table.
Record Type | Connection | Standard Port
---|---|---
PAM Machine | SSH | 22=ssh
PAM Machine | WinRM | 5986=winrm
PAM Directory | Active Directory | 636=ldaps
PAM Directory | OpenLDAP | 636=ldaps
PAM Database | PostgreSQL | 5432=postgresql
PAM Database | MySQL | 3306=mysql
PAM Database | MariaDB | 3306=mariadb
PAM Database | Microsoft SQL | 1433=mssql
PAM Database | Oracle | 1521=oracle
PAM Database | MongoDB | 27017=mongodb
To use a non-standard port, specify the alternative port in two places:
1. In the PAM Configuration port mapping field, enter {port}={connection}, for example 32636=ldaps. For {connection}, use the label shown under Standard Port in the table above (ssh, winrm, ldaps, postgresql, mysql, mariadb, mssql, oracle or mongodb).
2. In the PAM Machine, PAM Directory or PAM Database record, enter the same port in the Port field.
For example, to connect to a MySQL database on port 3307, your PAM Configuration should contain 3307=mysql under port mapping, and your PAM Database record should reference port 3307.
Multiple port mappings are newline-separated in the PAM Configuration.
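As an added example (not Keeper's own code), the following PowerShell function checks a port-mapping block before it is pasted into the PAM Configuration: every line must have the {port}={connection} shape, the label must be one from the table above, no port may be mapped twice, and the port entered on the resource record must either be the standard port for that connection or appear in the mapping. The mapping text and record ports are constructed for the demonstration; the function name is my own.

```powershell
# Added example (not Keeper's code): sanity-check a PAM Configuration port-mapping
# block against the Port set on a resource record, so the two places agree.
$KnownConnections = 'ssh','winrm','ldaps','postgresql','mysql','mariadb','mssql','oracle','mongodb'
# Standard ports per connection, taken from the table above (3306 serves MySQL and MariaDB).
$StandardPorts = @{ ssh=@(22); winrm=@(5985,5986); ldaps=@(636); postgresql=@(5432); mysql=@(3306)
                    mariadb=@(3306); mssql=@(1433); oracle=@(1521); mongodb=@(27017) }

function Get-PortMappingIssues {
    param(
        [string]$Mapping,            # newline-separated {port}={connection} entries
        [int]$RecordPort,            # Port field of the PAM Machine/Directory/Database record
        [string]$ExpectedConnection  # how the gateway must reach that record (label from the table)
    )
    $issues = @()
    $seen = @{}
    foreach ($raw in ($Mapping -split '\r?\n')) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -notmatch '^(\d{1,5})=([a-z]+)$') {
            $issues += "malformed entry '$line' (expected {port}={connection})"; continue
        }
        $port = [int]$Matches[1]; $conn = $Matches[2]
        if ($port -lt 1 -or $port -gt 65535) { $issues += "port $port is out of range in '$line'" }
        if ($conn -notin $KnownConnections)  { $issues += "unknown connection label '$conn' in '$line'" }
        if ($seen.ContainsKey($port))        { $issues += "port $port is mapped twice ($($seen[$port]) and $conn)" }
        $seen[$port] = $conn
    }
    # The record's Port must resolve to the expected connection: either it is that
    # connection's standard port, or the mapping says so explicitly.
    if ($seen.ContainsKey($RecordPort)) {
        if ($seen[$RecordPort] -ne $ExpectedConnection) {
            $issues += "record port $RecordPort is mapped to '$($seen[$RecordPort])', not '$ExpectedConnection'"
        }
    } elseif ($RecordPort -notin $StandardPorts[$ExpectedConnection]) {
        $issues += "record port $RecordPort is not standard for '$ExpectedConnection' and has no mapping entry"
    }
    return ,$issues
}

# Constructed input: a correct MySQL mapping and a misspelled LDAPS label.
$mapping = @"
3307=mysql
32636=ldap
"@
Get-PortMappingIssues -Mapping $mapping -RecordPort 3307  -ExpectedConnection mysql   # MySQL on 3307 with a matching entry
Get-PortMappingIssues -Mapping $mapping -RecordPort 32636 -ExpectedConnection ldaps   # LDAPS on 32636 with a misspelled label
```

The second call reports both the unknown label and the fact that 32636 does not resolve to ldaps, which is exactly the situation that makes the gateway pick the wrong connection method.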
Example guide for setting up SSH on target machines
Customers are responsible for the configuration of their servers and environments.
Secure Shell (SSH) allows confidential and authenticated remote access to a computer. SSH traffic is fully encrypted and, by default, runs on port 22. For reference and testing, see below for instructions and guidance on enabling SSH for your target operating system.
Linux requires the SSH daemon to be running in order to accept SSH connections. Most Linux distributions will have the OpenSSH server installed, but may not have the service enabled. The service needs to be enabled, started, and added to the list of services to be started upon reboot.
To verify that the SSH daemon is running on your Linux system, invoke the following command:
If SSH is not running, you may need to install OpenSSH and/or enable the service. The following commands demonstrate this on Ubuntu:
Note: you may need sudo permissions to install and enable SSH, and the installation command may differ based on your Linux distribution.
SSH is normally not installed on Windows. However, it can easily be installed via the Windows capability packages maintained by Microsoft. The following PowerShell script will 1) install SSH, 2) start the SSH service and make sure it starts with each reboot, and 3) make sure the firewall allows SSH connections:
Windows SSH can default to either PowerShell or CMD. Keeper Rotation uses PowerShell commands; if the default shell is CMD, Keeper Rotation invokes rotation commands via PowerShell Invoke-Command -ScriptBlock { COMMANDS }. To change the default shell to PowerShell, invoke the following PowerShell command:
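The following script is an added example, not Keeper's own, covering the steps just described: it uses the OpenSSH cmdlets and registry value Microsoft documents for Windows Server 2019 / Windows 10 and later. It assumes an elevated PowerShell session and sets the default shell to the built-in Windows PowerShell; substitute the path to pwsh.exe if you want PowerShell 7.

```powershell
#Requires -RunAsAdministrator
# Added example (not Keeper's script): install and enable OpenSSH Server on Windows,
# open the firewall for it, and make PowerShell the default shell for SSH sessions.
$ErrorActionPreference = 'Stop'

# 1) Install the OpenSSH Server capability if it is not already present.
$cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*' | Select-Object -First 1
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap.Name
}

# 2) Start sshd now and on every boot.
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# 3) Make sure the inbound firewall rule for TCP/22 exists (the capability normally
#    creates it, but not on every build).
if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
}

# 4) Make PowerShell the default shell for incoming SSH sessions. The path below is
#    the built-in Windows PowerShell; point it at pwsh.exe for PowerShell 7.
New-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell `
    -Value 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -PropertyType String -Force | Out-Null

# Local check: sshd should now be listening on TCP/22.
Get-NetTCPConnection -LocalPort 22 -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess
```

If you run sshd on an alternative port, change it in %ProgramData%\ssh\sshd_config, adjust the firewall rule, and remember to add the port to the PAM Configuration port mapping as described above.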
SSH is installed on macOS but is usually not turned on.
To enable it via the UI, enable Remote Login in the General > Sharing panel.
To enable it via the command line, invoke the following command:
Note: the command-line method requires Full Disk Access privileges.
Example guide for setting up WinRM on target machines
Customers are responsible for the configuration of their servers and environments. For reference and testing, the below PowerShell script can be run on a target machine to enable WinRM with a self-signed certificate. We recommend creating a certificate with a public CA in your production environment.
Below is a breakdown of what this script performs to configure WinRM on a Windows machine:
1. Set the network connection profile to Private
2. Configure and enable WinRM
3. Allow non-SSL (unencrypted) traffic on port 5985
4. Create a self-signed SSL certificate for encrypted traffic on port 5986
5. Create Windows Firewall rules to allow inbound traffic on ports 5985 (non-SSL) and 5986 (SSL)
After running this script, WinRM will be configured to allow both unencrypted (port 5985) and encrypted (port 5986) remote connections. Additionally, Windows Firewall rules will be created to allow inbound traffic on these ports.
From a Windows server, you can test the connectivity to the target machine through PowerShell:
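An added example (not the script the page refers to) that carries out the five steps above and then checks the result from a second host. It assumes an elevated session on the target, uses the machine's own name as the certificate subject, and relaxes CA/CN validation only because the certificate is self-signed; with a CA-issued certificate drop the -SkipCACheck/-SkipCNCheck options. The hostname is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example (not the page's script): enable WinRM on a target with an HTTP
# listener on 5985 and a self-signed HTTPS listener on 5986, then open the firewall.
$ErrorActionPreference = 'Stop'

# 1) WinRM will not listen while the active network profile is Public.
Set-NetConnectionProfile -NetworkCategory Private

# 2) Configure and enable the WinRM service and its default HTTP listener.
Enable-PSRemoting -Force

# 3) Allow non-SSL (unencrypted) traffic on 5985. Leave this at the default ($false)
#    if the gateway will only ever connect on 5986.
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $true

# 4) Self-signed certificate for the HTTPS listener on 5986 (use a CA-issued
#    certificate in production).
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# 5) Firewall rules for both listeners.
New-NetFirewallRule -DisplayName 'WinRM HTTP (5985)'  -Direction Inbound -Protocol TCP -LocalPort 5985 -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null

# Show what is now listening.
Get-ChildItem WSMan:\localhost\Listener

# From another Windows host (replace the placeholder name). The HTTP identify check
# needs no credentials; the HTTPS check relaxes CA/CN validation only because the
# certificate above is self-signed.
Test-WSMan -ComputerName 'target.example.com'
$opt = New-PSSessionOption -SkipCACheck -SkipCNCheck
Invoke-Command -ComputerName 'target.example.com' -UseSSL -SessionOption $opt `
    -Credential (Get-Credential) -ScriptBlock { hostname }
```

If you only intend to use the encrypted listener, skip step 3 and the 5985 firewall rule: the gateway then has no unencrypted path to fall back to, and the PAM Machine record should reference port 5986.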
Complete list of the devices and accounts Keeper can access and rotate
After enabling Rotation, you will have access to new PAM record types:

Record Type | Description
---|---
PAM User | Contains a login/password, a private key, or both
PAM Directory | Information about your on-prem or cloud-based directory
PAM Database | Self-hosted or managed cloud-based databases such as MySQL, SQL Server, etc.
PAM Machine | Windows, Linux and macOS machines, on-prem or in the cloud
PAM Configuration | Information about your network
In the Keeper Vault, these record types contain the relevant credential and/or configuration information for the Provider, Resource or User.
When Rotation is triggered, the credentials defined on the PAM User and/or the PAM Directory, Database or Machine record are changed to new credentials. After rotation completes, the updated credentials are reflected on the remote Resource and on the Vault record.
For detailed information on how each of the PAM record types can be configured, see the following sections.
The following table provides more details on each configurable field in the PAM User record:

Field | Description | Notes
---|---|---
Login | Username; the exact context depends on the associated resource | Required
Password | Password of the user | Can be rotated
Private PEM Key | PEM key associated with the user | Can be rotated
Distinguished Name | Distinguished name; used if associated with a directory | Required when the user is managed by a directory
Managed User | Flag for accounts that are managed by the AWS or Azure IAM systems | If checked, Keeper skips rotation for this user. This is a planned feature to support account discovery and is not automatically populated by Keeper at this time
Record Type Details for PAM Machine, Database, and Directory
When Keeper Rotation is activated on a Keeper account, Rotation record types are added to the account. Records created using these types facilitate record rotation.
The following are the supported configurations for the record type associated with each Device or Account type:

Type | Supported | Record Type
---|---|---
Database | MySQL, MySQL Flexible | PAM Database
Database | PostgreSQL, PostgreSQL Flexible | PAM Database
Database | SQL Server | PAM Database
Database | MongoDB | PAM Database
Database | MariaDB | PAM Database
Machine | Windows, macOS, Linux | PAM Machine
Machine | EC2 Instance | PAM Machine
Machine | Azure VM | PAM Machine
Directory | Active Directory | PAM Directory
Directory | OpenLDAP | PAM Directory
The following tables provide more details on each configurable field in PAM Machine, PAM Database, and PAM Directory records.

PAM Machine

Field | Description | Notes
---|---|---
Hostname or IP Address | Address of the machine resource | Required
Port | Port to connect on. The Gateway uses this to determine the connection method. | Must be a port for SSH or WinRM. Keeper expects 22, 5985, 5986, or an alternative port mapped to ssh or winrm in the PAM Configuration port mapping
Login | Admin account username |
Password | Password for the admin account | If Port is 22, or an alternative port mapped to ssh, a Private PEM Key can be used instead
Private PEM Key | PEM key for the SSH connection (optional) | The key takes precedence if both a key and a password are provided
OS | Operating system | For human reference only; the operating system is detected during rotation
SSL Verification | Verify the host's certificate when connecting | Certificates apply to WinRM over HTTPS (5986); SSH authenticates the host by its host key, not by a certificate
Instance Name | Azure or AWS instance name | Not used for rotation
Instance Id | Azure or AWS instance ID | Not used for rotation
Provider Group | Provider Group for machines hosted in Azure | Not used for rotation
Provider Region | AWS region of the hosted machine | Not used for rotation

PAM Database

Field | Description | Notes
---|---|---
Hostname or IP Address | Address of the database resource | Required
Port | Port to connect on. The Gateway uses this to determine the connection method. | A port must be provided. Standard ports: PostgreSQL 5432, MySQL 3306, MariaDB 3306, Microsoft SQL 1433, Oracle 1521, MongoDB 27017
Use SSL | Use SSL when connecting |
Login | Admin account username |
Password | Admin account password |
Connect Database | Database to connect to | Required for PostgreSQL, MongoDB, and Microsoft SQL Server
Database Id | Azure or AWS resource ID | Required for AWS and Azure rotations
Database Type | Appropriate database type from the supported databases | If a non-standard port is provided, the Database Type is used to determine the connection method
Provider Group | Azure or AWS provider group | Required for Azure rotations
Provider Region | Azure or AWS provider region | Required for AWS rotations

PAM Directory

Field | Description | Notes
---|---|---
Hostname or IP Address | Address of the directory resource | Required
Port | Port to connect on | Typically 389 (LDAP) or 636 (LDAPS). Active Directory rejects password changes over an unencrypted LDAP connection, so use 636 with Use SSL for AD
Use SSL | Use SSL when connecting |
Login | Username of a domain account with rotation privilege | Example: "administrator"
Password | Domain account password | Masked
Distinguished Name | Distinguished name of the domain login provided above | Example: CN=Jeff Smith,OU=Sales,DC=demo,DC=COM. If left blank, defaults are attempted depending on the provider type
Directory ID | Instance ID of the AD resource in Azure and AWS hosted environments | Required for Azure Active Directory and AWS Directory Service. AWS example: "d-9a423d0d3b"
Directory Type | Directory type, used for formatting of messaging | Must be Active Directory or OpenLDAP
Domain Name | Domain managed by the directory | Example: some.company.com
Provider Group | Provider Group for directories hosted in Azure | Required for directories hosted in Azure
Provider Region | AWS region of the hosted directory | Required for directories hosted in AWS. Example: us-east-2
Details regarding the PAM Configuration record
When creating a PAM Configuration record, you can choose one of the following environments:
- Local Network
- AWS
- Azure
The following table provides more details on each configurable field in the PAM Configuration record, regardless of the environment you choose:

Field | Description | Notes
---|---|---
Title | Name of the PAM Configuration record | Ex: My Configuration
Application Folder | The shared folder that contains the PAM records |
Administrative Credential Record | The administrative credential record with sufficient permissions to rotate credentials | This is your PAM Machine, PAM Database or PAM Directory record
Default Rotation Schedule | Frequency of rotation | Ex: Daily
The following tables provide more details on each configurable field in the PAM Configuration record based on the environment you chose.

Local Network

Field | Description | Notes
---|---|---
Network ID | Unique ID for the network | For the user's reference. Ex: My Network

AWS

Field | Description | Notes
---|---|---
AWS ID | A unique ID for the instance of AWS | Required; for the user's reference. Ex: AWS-1
Access Key ID | From an IAM user account, the Access Key ID of the desired access key | Optional
Secret Access Key | The secret key for the access key | Optional; masked
Region Names | AWS region names | Ex: us-east-2

Azure

Field | Description | Notes
---|---|---
Azure ID | A unique ID for your instance of Azure | Required; for the user's reference. Ex: Azure-1
Client ID | The application/client ID (UUID) of the Azure application | Required
Client Secret | The client credentials secret for the Azure application | Required
Subscription ID | The UUID of the subscription (e.g. Pay-As-You-Go) | Required
Tenant ID | The UUID of the Azure Active Directory tenant | Required
Resource Groups | A list of resource groups to be checked. If left blank, all resource groups will be checked |
Steps to create a Keeper Secrets Manager application for rotation of passwords
Prior to working with Rotation, you need to create a KSM application. For more information on KSM, see About KSM.
1. In the Keeper Web Vault or Desktop App, create a shared folder. This shared folder will contain the PAM records you will create as you work through the use-case guides.
2. Navigate to the "Secrets Manager" tab on the left and click "Create Application" to create a KSM application.
3. In the prompted window:
   - Enter the name of your KSM application
   - Choose the shared folder you created in Step 1
   - Set the Record Permissions for Application to "Can Edit"
   - Click "Generate Access Token" and then click "OK"
You can safely ignore the first One-Time Access Token generated for the newly created KSM application. When creating a Keeper Gateway device, a different One-Time Access Token will be created.
Granting a service account the minimum permissions to rotate
When creating a PAM Directory resource, use a service account with the least privileges required to perform rotation rather than a domain administrator.
The following steps show how to grant a service account that permission using Active Directory's Delegation of Control feature. The delegated rights apply only to objects under the node you select, so accounts elsewhere in the directory cannot be rotated with this service account.
Before starting, create a service account for password rotation whose credentials you will store in the Keeper resource record.
1. Launch Active Directory Users and Computers.
2. In the directory tree, select the node (typically an OU) for which password rotation should be allowed.
3. Right-click the node, then click Delegate Control.
4. In the Delegation of Control Wizard, click 'Add'.
5. Locate your chosen service account, then click 'OK'.
6. Click 'Next' to advance to permission selection.
7. Under 'Delegate the following common tasks', check 'Reset user passwords and force password change at next logon', then click 'Next'.
8. Add the service account's login and password to the Resource Record for the AD instance.
Keeper rotation event reporting in the Advanced Reporting & Alerts module
A new set of Keeper Rotation events are included in the Advanced Reporting & Alerts module within the Keeper Admin Console.
In addition, Rotation leverages existing Keeper Secrets Manager event types. For example, when a Gateway is registered, the app_client_added event is generated.
For the following events, two status codes are included in the status message: one for Rotation, and one for Post-Rotation (if applicable).
If no post-rotation script is present, the event status reflects rotation only.
If multiple-post rotation scripts are present, a success event is generated only if all scripts complete execution without errors.
Event | Description
---|---
event_record_rotation_scheduled_ok | A scheduled rotation has completed successfully
event_record_rotation_scheduled_fail | A scheduled rotation has encountered an error in either rotation or post-rotation
event_record_rotation_on_demand_ok | An on-demand rotation has completed successfully
event_record_rotation_on_demand_fail | An on-demand rotation has encountered an error in either rotation or post-rotation
event_pam_configuration_created | PAM Configuration has been created
event_pam_configuration_updated | PAM Configuration has been modified
event_pam_configuration_deleted | PAM Configuration has been deleted
event_record_rotation_created | Rotation settings have been added to a record
event_record_rotation_updated | Rotation settings have been modified on a record
event_record_rotation_disabled | Rotation settings have been removed from a record
To receive immediate feedback on any rotation related events, Keeper's "Alerts" capability can push these events to email, SMS, webhooks, Slack, Teams, etc.
To learn more, see the documentation for the Keeper Advanced Reporting & Alerts module.
Bulk import of Keeper PAM records and configuration
Keeper supports importing of PAM records through the Keeper Commander CLI.
Record Types Supported:
pamDatabase
pamDirectory
pamMachine
pamUser
Below is an example template in JSON format which imports 2 PAM Machine records and 2 PAM User records and adds them to a shared folder called "My Shared Folder".
To import this file, run the command:
To see all import options:
See the Commander SDK options for additional PAM automation capabilities.
Managing rotation settings on individual and bulk records using Keeper Commander
Keeper Commander can perform individual or bulk updates on PAM resource records, such as adding rotation to a whole set of records in a folder. Prerequisites:
- All of your rotation records have been imported to the appropriate folders
- You have at least one Keeper Gateway installed and running
- You have at least one active PAM Configuration
To attach a PAM Machine resource record to an existing PAM Configuration, and to assign a default rotation schedule, use the sample Commander CLI commands below:
Note 1: The PAM Configuration UID can be found by typing: pam config list
Note 2: Machine UIDs can be found by navigating to the folder and using ls -l
The commands below will assign a scheduled rotation to the specific PAM Machine records, and it also sets the resource record to
The below command will assign a resource and set up a rotation schedule using JSON notation:
The below command will assign rotation capabilities in bulk for all records within a specific folder. In this case the folder is a sub-folder beneath a Shared Folder.
To run a large number of commands in a batch mode, see Keeper's Batch Mode command.
Managing rotation with the Commander CLI / SDK interface
Keeper Commander commands have been created to automate and manage the Keeper PAM capabilities including:
Managing Gateways
Managing PAM Configurations
Managing Password Rotation and Discovery
Managing jobs
For more information see the KeeperPAM "pam" command documentation.
Automated password rotation using Cron Specification
In the Keeper Vault, users can configure rotation using a standardized UNIX Cron specification.
The Keeper backend scheduler uses the open source Quartz Job Scheduler for executing rotations. The content below is based on the Quartz public documentation.
In the example below, the Cron Spec is set to 0 28 17 ? * *, which means every day at 5:28PM PST.
A cron expression is a string comprised of 6 or 7 fields separated by white space. Fields can contain any of the allowed values, along with various combinations of the allowed special characters for that field. The fields are as follows:

Field | Mandatory | Allowed Values | Allowed Special Characters
---|---|---|---
Seconds | YES | 0-59 | , - * /
Minutes | YES | 0-59 | , - * /
Hours | YES | 0-23 | , - * /
Day of month | YES | 1-31 | , - * ? / L W
Month | YES | 1-12 or JAN-DEC | , - * /
Day of week | YES | 1-7 or SUN-SAT | , - * ? / L #
Year | NO | empty, 1970-2099 | , - * /
Cron expressions can be as simple as this: * * * * ? *
or more complex, like this: 0/5 14,18,3-39,52 * ? JAN,MAR,SEP MON-FRI 2002-2010
* ("all values") - used to select all values within a field. For example, "*" in the minute field means "every minute".
? ("no specific value") - useful when you need to specify something in one of the two fields in which the character is allowed, but not the other. For example, if you want the trigger to fire on a particular day of the month (say, the 10th) but don't care what day of the week that happens to be, put "10" in the day-of-month field and "?" in the day-of-week field. See the examples below for clarification.
- - used to specify ranges. For example, "10-12" in the hour field means "the hours 10, 11 and 12".
, - used to specify additional values. For example, "MON,WED,FRI" in the day-of-week field means "the days Monday, Wednesday, and Friday".
/ - used to specify increments. For example, "0/15" in the seconds field means "the seconds 0, 15, 30, and 45", and "5/15" in the seconds field means "the seconds 5, 20, 35, and 50". You can also specify "/" after the "*" character; in this case "*" is equivalent to having "0" before the "/". "1/3" in the day-of-month field means "fire every 3 days starting on the first day of the month".
L ("last") - has a different meaning in each of the two fields in which it is allowed. The value "L" in the day-of-month field means "the last day of the month" - day 31 for January, day 28 for February in non-leap years. If used in the day-of-week field by itself, it simply means "7" or "SAT". But if used in the day-of-week field after another value, it means "the last xxx day of the month" - for example "6L" means "the last Friday of the month". You can also specify an offset from the last day of the month, such as "L-3", which means the third-to-last day of the calendar month. When using the "L" option, do not specify lists or ranges of values, as you will get confusing/unexpected results.
W ("weekday") - used to specify the weekday (Monday-Friday) nearest the given day. As an example, "15W" in the day-of-month field means "the nearest weekday to the 15th of the month". So if the 15th is a Saturday, the trigger fires on Friday the 14th; if the 15th is a Sunday, it fires on Monday the 16th; if the 15th is a Tuesday, it fires on Tuesday the 15th. However, if you specify "1W" and the 1st is a Saturday, the trigger fires on Monday the 3rd, as it will not "jump" over the boundary of a month's days. The "W" character can only be specified when the day-of-month is a single day, not a range or list of days.
The "L" and "W" characters can also be combined in the day-of-month field to yield "LW", which translates to "last weekday of the month".
# - used to specify "the nth" XXX day of the month. For example, "6#3" in the day-of-week field means "the third Friday of the month" (day 6 = Friday and "#3" = the 3rd one in the month). Other examples: "2#1" = the first Monday of the month and "4#5" = the fifth Wednesday of the month. Note that if you specify "#5" and there are not 5 of the given day-of-week in the month, no firing will occur that month.
The legal characters and the names of months and days of the week are not case sensitive. MON is the same as mon.
Here are some full examples:
Expression | Meaning
---|---
0 0 12 * * ? | Fire at 12pm (noon) every day
0 15 10 ? * * | Fire at 10:15am every day
0 15 10 * * ? | Fire at 10:15am every day
0 15 10 * * ? * | Fire at 10:15am every day
0 15 10 * * ? 2005 | Fire at 10:15am every day during the year 2005
0 * 14 * * ? | Fire every minute starting at 2pm and ending at 2:59pm, every day
0 0/5 14 * * ? | Fire every 5 minutes starting at 2pm and ending at 2:55pm, every day
0 0/5 14,18 * * ? | Fire every 5 minutes starting at 2pm and ending at 2:55pm, AND fire every 5 minutes starting at 6pm and ending at 6:55pm, every day
0 0-5 14 * * ? | Fire every minute starting at 2pm and ending at 2:05pm, every day
0 10,44 14 ? 3 WED | Fire at 2:10pm and at 2:44pm every Wednesday in the month of March
0 15 10 ? * MON-FRI | Fire at 10:15am every Monday, Tuesday, Wednesday, Thursday and Friday
0 15 10 15 * ? | Fire at 10:15am on the 15th day of every month
0 15 10 L * ? | Fire at 10:15am on the last day of every month
0 15 10 L-2 * ? | Fire at 10:15am on the 2nd-to-last day of every month
0 15 10 ? * 6L | Fire at 10:15am on the last Friday of every month
0 15 10 ? * 6L 2002-2005 | Fire at 10:15am on the last Friday of every month during the years 2002, 2003, 2004 and 2005
0 15 10 ? * 6#3 | Fire at 10:15am on the third Friday of every month
0 0 12 1/5 * ? | Fire at 12pm (noon) every 5 days every month, starting on the first day of the month
0 11 11 11 11 ? | Fire every November 11th at 11:11am
Pay attention to the effects of '?' and '*' in the day-of-week and day-of-month fields!
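An added example (not Keeper's scheduler, which runs Quartz) of the rules above, in PowerShell: it validates a six- or seven-field expression, enforces the rule that exactly one of day-of-month and day-of-week is "?", and reports whether a given time would fire. It covers the characters described above except W and LW, which it rejects explicitly rather than approximating; the function names and the dates in the demonstration are my own.

```powershell
# Added example (not Keeper's scheduler, which runs Quartz): a Quartz-style cron
# checker. Get-CronError validates an expression; Test-CronMatch says whether a
# given time would fire. Handles * ? , - / names, L and L-n (day-of-month), and
# L, nL, n#m (day-of-week). W and LW are rejected rather than guessed at.
$script:MonthNames = @{JAN=1;FEB=2;MAR=3;APR=4;MAY=5;JUN=6;JUL=7;AUG=8;SEP=9;OCT=10;NOV=11;DEC=12}
$script:DayNames   = @{SUN=1;MON=2;TUE=3;WED=4;THU=5;FRI=6;SAT=7}   # Quartz: 1 = Sunday

function ConvertTo-CronInt([string]$Token, [hashtable]$Names) {
    if ($Token -match '^\d+$') { return [int]$Token }
    $key = $Token.ToUpperInvariant()
    if ($Names -and $Names.ContainsKey($key)) { return $Names[$key] }
    throw "unrecognised value '$Token'"
}

# Expands a plain field (no L/W/#) into the set of integers it selects.
function Expand-CronField([string]$Spec, [int]$Min, [int]$Max, [hashtable]$Names) {
    $values = New-Object 'System.Collections.Generic.HashSet[int]'
    foreach ($part in $Spec.Split(',')) {
        $step = 1; $hasStep = $false
        if ($part -match '^(.+)/(\d+)$') { $part = $Matches[1]; $step = [int]$Matches[2]; $hasStep = $true }
        if ($step -lt 1) { throw "increment must be at least 1 in '$Spec'" }
        if ($part -eq '*') { $lo = $Min; $hi = $Max }
        elseif ($part -match '^([^-]+)-([^-]+)$') {
            $a = $Matches[1]; $b = $Matches[2]
            $lo = ConvertTo-CronInt $a $Names; $hi = ConvertTo-CronInt $b $Names
        } else {
            $lo = ConvertTo-CronInt $part $Names
            $hi = if ($hasStep) { $Max } else { $lo }      # '5/15' runs from 5 to the end of the range
        }
        if ($lo -lt $Min -or $hi -gt $Max -or $lo -gt $hi) { throw "'$Spec' is outside $Min-$Max" }
        for ($v = $lo; $v -le $hi; $v += $step) { [void]$values.Add($v) }
    }
    return ,$values     # the leading comma stops PowerShell unrolling the set
}

function Test-CronDayOfMonth([string]$Spec, [datetime]$At) {
    if ($Spec -eq '?') { return $true }                  # the day-of-week field decides
    if ($Spec -match 'W') { throw "'W' is not supported by this checker" }
    $last = [datetime]::DaysInMonth($At.Year, $At.Month)
    if ($Spec -match '^L(-(\d+))?$') {                   # L or L-n: offset from the last day
        $offset = if ($Matches[2]) { [int]$Matches[2] } else { 0 }
        return ($At.Day -eq ($last - $offset))
    }
    return (Expand-CronField $Spec 1 31 $null).Contains($At.Day)
}

function Test-CronDayOfWeek([string]$Spec, [datetime]$At) {
    if ($Spec -eq '?') { return $true }                  # the day-of-month field decides
    $dow  = [int]$At.DayOfWeek + 1                       # .NET Sunday=0 -> Quartz SUN=1
    $last = [datetime]::DaysInMonth($At.Year, $At.Month)
    if ($Spec -eq 'L') { return ($dow -eq 7) }           # bare L in day-of-week means SAT
    if ($Spec -match '^([A-Za-z0-9]+)L$') {              # nL: the last <n> of the month
        $want = ConvertTo-CronInt $Matches[1] $script:DayNames
        return ($dow -eq $want) -and ($At.Day + 7 -gt $last)
    }
    if ($Spec -match '^([A-Za-z0-9]+)#(\d)$') {          # n#m: the m-th <n> of the month
        $name = $Matches[1]; $nth = [int]$Matches[2]
        $want = ConvertTo-CronInt $name $script:DayNames
        return ($dow -eq $want) -and ([math]::Ceiling($At.Day / 7) -eq $nth)
    }
    return (Expand-CronField $Spec 1 7 $script:DayNames).Contains($dow)
}

function Test-CronMatch([string]$Expression, [datetime]$At) {
    $f = $Expression.Trim() -split '\s+'
    if ($f.Count -lt 6 -or $f.Count -gt 7) { throw "expected 6 or 7 fields, got $($f.Count)" }
    if (($f[3] -eq '?') -eq ($f[5] -eq '?')) { throw "exactly one of day-of-month and day-of-week must be '?'" }
    $sec  = Expand-CronField $f[0] 0 59 $null
    $min  = Expand-CronField $f[1] 0 59 $null
    $hour = Expand-CronField $f[2] 0 23 $null
    $mon  = Expand-CronField $f[4] 1 12 $script:MonthNames
    $yearOk = if ($f.Count -eq 7) { (Expand-CronField $f[6] 1970 2099 $null).Contains($At.Year) } else { $true }
    # Every field is parsed (no short-circuit) so that Get-CronError sees all errors.
    $timeOk = $sec.Contains($At.Second) -and $min.Contains($At.Minute) -and $hour.Contains($At.Hour) -and $mon.Contains($At.Month)
    $domOk  = Test-CronDayOfMonth $f[3] $At
    $dowOk  = Test-CronDayOfWeek  $f[5] $At
    return ($timeOk -and $yearOk -and $domOk -and $dowOk)
}

# Returns $null when the expression is valid, otherwise the reason it is not.
function Get-CronError([string]$Expression) {
    try { [void](Test-CronMatch $Expression ([datetime]'2024-01-01')); return $null }
    catch { return $_.Exception.Message }
}

# The page's example, 0 28 17 ? * *, against 17:28:00 and 17:29:00 on a constructed date.
Test-CronMatch '0 28 17 ? * *' ([datetime]'2024-03-15T17:28:00')
Test-CronMatch '0 28 17 ? * *' ([datetime]'2024-03-15T17:29:00')
# Last Friday (29 March 2024) and third Friday (15 March 2024) of the month.
Test-CronMatch '0 15 10 ? * 6L'  ([datetime]'2024-03-29T10:15:00')
Test-CronMatch '0 15 10 ? * 6#3' ([datetime]'2024-03-15T10:15:00')
# Both day fields set, and a W expression, are reported rather than silently accepted.
Get-CronError '0 15 10 * * *'
Get-CronError '0 15 10 15W * ?'
```

Run Get-CronError on a schedule before saving it to a PAM record: the two-field rule for "?" is the one Quartz rejects most often, and the checker surfaces it without waiting for the next scheduled run to fail.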