Creating a one-time access token for installing the Keeper Gateway
To install and set up the Keeper Gateway, you need the Keeper Gateway's One-Time Access Token. To generate this token, you will need to:
Prior to working with this guide, make sure that:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
Follow these steps to create a KSM Application:
1. In the Keeper Web Vault or Desktop App user interface, create a shared folder. This shared folder will contain the PAM records you will create as you work through the use-case guides.
2. Navigate to the "Secrets Manager" tab on the left and click on "Create Application" to create a KSM application.
3. In the prompted window:
   - Enter the name of your KSM application
   - Choose the shared folder you created in Step 1
   - Set the Record Permissions for Application to "Can Edit"
   - Click on "Generate Access Token" and then click on "OK"
You can safely ignore the first One-Time Access Token generated for the newly created KSM application. When creating a Keeper Gateway device, a different One-Time Access Token will be created.
For more information on KSM, visit:
Follow these steps to generate the Keeper Gateway's One-Time Access Token:
1. After creating your KSM Application, select it, and navigate to the Gateways tab.
2. In the Gateways tab, click on Provision Gateway.
3. In the prompted screen, do the following:
   - Enter your desired Gateway Name
   - Choose the operating system where this Gateway will be installed
After clicking Next, you will get a confirmation screen as shown in the screenshots below.
For Gateways that will be installed on Windows, just the One-Time Access Token is shown:
For Gateways installed on Mac or Linux, you have the option of choosing one of the following:
New Gateway: This gives you the installation command with the One-Time Access Token
Existing Gateway: This gives you just the installation command
Important: Make sure to store this One-Time Access Token for your records, as this code is necessary to complete your Keeper Gateway installation.
Installation and setup of the Keeper Gateway
The Keeper Gateway is a lightweight service that is installed on any Windows, Linux or macOS machine in order to execute rotation, discovery and connection tasks. A single Gateway can be used to communicate with any target infrastructure, both on-prem and cloud. For example, to rotate Active Directory accounts, the Gateway can be installed on any machine that can communicate with AD.
The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. The Gateway uses Keeper Secrets Manager APIs to communicate with the Keeper cloud. A full description of the security architecture can be found here.
Windows (minimum OS version: Server 2016+ 1803 and newer)
Linux: Ubuntu, CentOS, and RedHat
macOS: 12+
Disk space required: 50MB
Memory: 1GB+
The Keeper Gateway generates encryption keys and a local Secrets Manager configuration that is used to authenticate with the Keeper cloud. The location depends on the context in which the Gateway is being run. It can be installed to the local user or installed as a service.
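Because that local configuration is what the Gateway uses to authenticate with the Keeper cloud, it is worth confirming that only the account running the Gateway can read it. The following is an added example, not Keeper's code: `audit_gateway_config` is a hypothetical helper, and the file path is passed as an argument because this page does not state where the configuration is written.

```shell
#!/bin/sh
# Added example: audit who can read a Keeper Gateway configuration file.
# The path is passed in by the caller; it is not taken from this page.

# Usage: audit_gateway_config PATH
# Prints one line per finding. Returns 0 when the file is private to the
# current user, 1 when there are findings, 2 when PATH is not a regular file.
audit_gateway_config() {
    cfg=$1
    rc=0
    if [ ! -f "$cfg" ]; then
        echo "ERROR: $cfg is not a regular file"
        return 2
    fi

    # ls -ldnL is POSIX and follows symlinks: field 1 is the mode string,
    # field 3 is the numeric owner uid.
    meta=$(ls -ldnL "$cfg" | awk 'NR == 1 { print $1 " " $3 }')
    mode=${meta%% *}
    owner=${meta##* }

    if [ "$owner" != "$(id -u)" ]; then
        echo "FINDING: owned by uid $owner, not the current user"
        rc=1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    if [ "$(printf '%s\n' "$mode" | cut -c5-10)" != "------" ]; then
        echo "FINDING: mode $mode grants access to group or other"
        rc=1
    fi
    # A trailing "+" means an ACL is set, which can grant access that the
    # mode bits do not show.
    case $mode in
        *+) echo "FINDING: an ACL is set on $cfg; review it"; rc=1 ;;
    esac

    # A group- or world-writable parent directory lets others replace the file.
    dmode=$(ls -ldnL "$(dirname "$cfg")" | awk 'NR == 1 { print $1 }')
    case $(printf '%s\n' "$dmode" | cut -c6,9) in
        *w*) echo "FINDING: parent directory is writable by group or other"; rc=1 ;;
    esac
    return $rc
}
```

Run it as the account the Gateway runs under, since the ownership check compares against the current user.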
1. Log in to the Keeper Web Vault or Desktop App
2. Create a Secrets Manager Application or select an existing application
3. Click on the "Gateways" tab and click "Provision Gateway"
4. Select the Windows, Mac or Linux install method
5. Install the Keeper Gateway using the provided method
During the creation of a Keeper Gateway, you can select "Lock external WAN IP Address of device for initial request". This IP-locks the Gateway, in addition to the authentication and encryption built into the service. This option is recommended as long as the external IP of your gateway machine is static.
Based on your Operating System, refer to the corresponding guide on installing the Keeper Gateway:
If you are installing on an EC2 instance in AWS, the Keeper Gateway can be configured to use the instance role for pulling its configuration from AWS Secrets Manager. Detailed instructions on this setup can be found here.
Keeper Admins can view and monitor all Gateways created under the enterprise environment. In the Secrets Manager section of the Keeper Admin Console, visit the "Gateways" tab.
Admins can see the status, creation date, and node assignment for all gateways. By clicking the Edit button, the Gateway name and Node can be modified, and a list of attached configurations and rotation history can be viewed.
Instructions for installing Keeper Gateway on macOS
This document contains information on how to install, configure, and update your Keeper Gateway on macOS.
Prior to proceeding with this document, make sure you generated a Keeper Gateway One-Time Access Token in your Vault. For more information, visit the following page:
Note: On macOS, the Gateway can only be installed as the local user and not as a service.
Executing the following command will install the Keeper Gateway: