Note: The new version of Docker Compose is run using the command:
docker compose
The older version uses a dash, e.g.:
docker-compose
After installing, you may still need to start the Docker service, if it's not running.
sudo service docker start
Then configure the service to start automatically
sudo systemctl enable docker.service
To allow non-root users to run Docker (and if this meets your security requirements), run this command:
sudo chmod 666 /var/run/docker.sock
Note that this makes the socket writable by every local account, and write access to the Docker socket is equivalent to root on the host; adding only the intended users to the docker group is the narrower alternative.
(2) Create docker-compose.yml file
Save the snippet below as the file docker-compose.yml on your server, in the location where you will be executing docker compose commands.
#########################################################
# This is the Docker-compose file for Keeper Automator.
#
# Keeper Automator automates some admin-level tasks
# for Keeper installations.
#
# Last updated: Automator 3.0.0, 2023-08-24
#
# How to run:
# $ docker compose pull
# $ docker compose up -d
# $ docker cp your-ssl-certificate.pfx Automator:/usr/mybin/config/ssl-certificate.pfx
# $ docker restart Automator
# $ docker logs -f Automator
# -- Then use Commander to setup-init-enable the Automator.
#
# How to update:
# $ docker compose pull
# $ docker compose up -d
# -- No further setup should be needed if the Automator was previously configured.
#########################################################
# Customers can change this
name: keeper-automator
# Customers can change the container_name, both port numbers, and the environment variables.
# If you change the internal Docker port number (the rightmost one), you must also change it
# in the settings/keeper.properties file or in the AUTOMATOR_PORT environment variable in this file.
# Using an environment variable will override the corresponding setting in the keeper.properties file.
services:
  automator:
    container_name: "automator"
    environment:
      - AUTOMATOR_PORT=443
      - AUTOMATOR_HOST=localhost
      # - DISABLE_SNI_CHECK=false
      # - EMAIL_DOMAINS=
      # - ENABLE_RATE_LIMITS=false
      # - FILTER_BY_EMAIL_DOMAINS=false
      # - IP_ALLOW=
      # - IP_DENY=
      # - SSL_CERTIFICATE=<base64-encoded-pfx-file>
      # - SSL_CERTIFICATE_FILE=/config/ssl-certificate.pfx
      # - SSL_CERTIFICATE_FILE_PASSWORD=/config/ssl-certificate-password.txt
      # - SSL_CERTIFICATE_KEY_PASSWORD=
      # - SSL_MODE=certificate
      # - AUTOMATOR_DEBUG=false
    restart: on-failure
    image: "keeper/automator:latest"
    ports:
      - 8089:443
    volumes:
      - automatordata:/usr/mybin/config
volumes:
  automatordata:
# -------------------------------------------------
# Default settings for all environment variables
# -------------------------------------------------
# AUTOMATOR_DEBUG=false -- turn on/off debug logging in Automator
# AUTOMATOR_HOST=localhost -- domain name or IP address
# AUTOMATOR_PORT=443 -- port number that the Automator listens on
# DISABLE_SNI_CHECK=false -- disable SNI check for SSL certificates
# EMAIL_DOMAINS= -- comma-separated list of email domains to consider
# ENABLE_RATE_LIMITS=false -- Rate limits on API calls to the Automator
# FILTER_BY_EMAIL_DOMAINS=false -- see EMAIL_DOMAINS
# IP_ADDRESS_ALLOW= -- comma-separated list of IP addresses, checked first
# IP_ADDRESS_DENY= -- comma-separated list of IP addresses
# SSL_CERTIFICATE=<base64-encoded-pfx-file> -- this overrides the SSL_CERTIFICATE_FILE setting
# SSL_CERTIFICATE_FILE=/config/ssl-certificate.pfx
# SSL_CERTIFICATE_FILE_PASSWORD=/config/ssl-certificate-password.txt
# -- contains the password for the SSL_CERTIFICATE_FILE
# SSL_CERTIFICATE_KEY_PASSWORD=/config/ssl-certificate-password.txt
# -- if used, must be the same as the file password due to a library limitation
# SSL_MODE=certificate -- other values are "self_signed" and "none"
# -------------------------------------------------------------
# How to turn on/off debug logging when running Automator in Docker
# -------------------------------------------------------------
# Replace 'automator' with the actual name of your automator docker container
#
# ON: set the AUTOMATOR_DEBUG environment variable to true and restart the container
# or
# $ docker exec automator sed -ie 's/info/debug/g' /usr/mybin/settings/log4j2.xml
# $ docker restart automator
#
# OFF: set the AUTOMATOR_DEBUG environment variable to false and restart the container
# or
# $ docker exec automator sed -ie 's/debug/info/g' /usr/mybin/settings/log4j2.xml
# $ docker restart automator
At this point, the service is running but it is not able to communicate with Keeper yet.
On your workstation, server or any computer, install the Keeper Commander CLI. This is just used for initial setup. The installation instructions including binary installers are here:
Installing Keeper Commander
After Commander is installed, you can type keeper shell to open the session, then log in using the login command. In order to set up Automator, you must log in as a Keeper Administrator, or an Admin with the ability to manage the SSO node.
$ keeper shell
My Vault> login admin@company.com
.
.
My Vault>
(7) Initialize with Commander
Login to Keeper Commander and activate the Automator using a series of commands, starting with automator create
The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.
The output of the command will display the Automator settings, including metadata from the identity provider.
Automator ID: 1477468749950
Name: My Automator
URL:
Enabled: No
Initialized: No
Skills: Device Approval
Note that the "URL" is not populated yet. Edit the URL with the FQDN you selected.
Run the "automator edit" command as displayed below, which sets the URL and also sets up the skills (team, team_for_user and device).
automator edit --url https://<application URL> --skill=team --skill=team_for_user --skill=device "My Automator"
Next we exchange keys: The enterprise private key encrypted with the Automator public key is provided to Automator:
automator setup "My Automator"
Initialize the Automator with the new configuration
automator init "My Automator"
Enable the service
automator enable "My Automator"
At this point, the configuration is complete.
For automated health checks, you can use the URL below:
https://<server>/health
Example:
$ curl https://automator.lurey.com/health
OK
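The following post-deployment check script is an added example, not part of Keeper's documentation or the Automator image. It ties together three points from this page: the /health endpoint must answer exactly "OK" over a certificate that validates, the container (assumed here to be named "automator", as in the compose file above) must be running, and the Docker socket should not have been left world-writable. The URL argument and script name are assumptions.

```shell
#!/bin/sh
# Post-deployment check for a Keeper Automator container (added example).
# Usage: sh automator-check.sh https://automator.example.com   (URL is assumed)
set -u

# Return 0 when the Docker socket is not world-writable. The "chmod 666" step
# earlier on this page sets the other-write bit, which hands every local
# account root-equivalent control of the host through the Docker API.
socket_mode_ok() {
    sock="${1:-/var/run/docker.sock}"
    [ -e "$sock" ] || return 0            # nothing to check if Docker is remote
    # -perm -002: match when the "other" write bit is set (GNU and BSD find)
    if find "$sock" -maxdepth 0 -perm -002 | grep -q .; then
        echo "WARN: $sock is world-writable; prefer docker group membership" >&2
        return 1
    fi
    return 0
}

# Return 0 only when the health body is exactly "OK", ignoring a trailing newline.
health_body_ok() {
    [ "$(printf '%s' "$1" | tr -d '\r\n')" = "OK" ]
}

# Fetch /health with certificate verification and a timeout. A self-signed
# certificate (SSL_MODE=self_signed) fails here on purpose: the check should
# only pass with a certificate that clients will also trust.
check_health() {
    url="$1/health"
    body=$(curl -sS --fail --max-time 10 "$url") \
        || { echo "FAIL: $url unreachable, TLS error or non-2xx" >&2; return 1; }
    health_body_ok "$body" && { echo "OK: $url"; return 0; }
    echo "FAIL: unexpected health body: $body" >&2
    return 1
}

# Return 0 when the named container reports State.Running=true.
container_running() {
    docker inspect -f '{{.State.Running}}' "${1:-automator}" 2>/dev/null | grep -qx true
}

main() {
    base="${1:?usage: automator-check.sh https://automator.example.com}"
    rc=0
    socket_mode_ok || rc=1
    container_running automator || { echo "FAIL: container automator not running" >&2; rc=1; }
    check_health "$base" || rc=1
    exit "$rc"
}

# Run the checks only when a URL was given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

A non-zero exit code from the script is suitable as the failure signal for a cron job or monitoring agent.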
Monitoring Logs
The Automator logs can be monitored by using the Docker Compose command:
docker compose logs -f
For environments using AD FS ...
When activating Keeper Automator with AD FS as the identity provider, users will not be able to log in until you update the Keeper certificate using the instructions below:
Log in to the Keeper Admin Console
Go to Admin > SSO Node > Provisioning and then view the SSO Cloud configuration.
Click on "Export SP Cert".
In the AD FS Management Console select the Keeper Cloud SSO Relying Party Trust properties.
On the "Encryption" tab, replace the old certificate with this new cert.
On the "Signature" tab, Add/Replace the new SP certificate with this new cert.
Securing the Service
We recommend restricting network access to the service. Please see the Ingress Requirements section for a list of IP addresses to allow.
Testing the User Experience
Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.
The easiest way to test is to open an incognito mode window to the Keeper Web Vault and login with SSO Cloud. You will not be prompted for device approval.