Gateway Configuration with Custom Fields

Advanced configuration of the Keeper gateway with Keeper Vault custom fields

These configuration capabilities are functional and currently in an experimental phase, and we invite users to actively explore and utilize them. We are actively evaluating their functionality and performance, with the intention of considering them for official integration into our product in the future.

Advanced Gateway Configuration with Custom Fields

When setting up Rotation in your Keeper Vault, you store the credentials of your assets involved in rotation on their corresponding PAM Record Types. On these record types, you are able to create custom fields.

The additional gateway configurations will be defined with these custom fields on the PAM Record Types. The Keeper Gateway will then adjust its behavior based on the defined configurations.

The following tables lists all the possible configurations with custom fields:

Custom Field NameTypeDefault ValueDescription




Allows you to specify a custom shell path that the Gateway will use when executing rotation and post-rotation scripts. This gives you control over the environment in which these scripts run. Example Value: C:\MY\SHLL




Allows you to control whether the Gateway performs the primary rotation operation or proceeds directly to execution of the post-rotation script.

If set to True the Gateway will skip the rotation process and proceed directly in executing the post-rotation script(s). Example Value: True




Specifically designed for WinRM connections using Kerberos authentication. By default, the Gateway automatically decides whether to use Kerberos based on certain rules, and If these conditions are met, the Gateway will attempt to use Kerberos for WinRM. However, if you encounter issues with this automatic detection, setting this field to True will override the default behavior and force the Gateway to use Kerberos for WinRM. Example Value: True

Private Key Type



Gateway Version 1.3.4+ This custom field pertains to the type or algorithm of the private key stored in a record. When adding a private key to a record, users do not need to take any additional action regarding its type or algorithm. The system is designed to automatically recognize and use the same algorithm as the existing private key during the rotation process. If the algorithm in use is ECDSA, the key size will also be preserved during the rotation. Available Options if needed to overwrite the key type: ssh-rsa (Note: 4096 bits)

ssh-dss (Note: 1024 bit, obsolete) ecdsa-sha2-nistp256




Private Key Rotate



Gateway Version 1.3.4+

TRUE - (Default) If the custom field doesn't exist, the private key will be rotated if it exists.

FALSE - The private key won't be rotated, even if it exists. Users should pick this if they wish to retain the private key in the record without any rotations.


  • The custom fields values are not case-sensitive.

Last updated