Gateway Configuration with Custom Fields

Advanced configuration of the Keeper gateway with Keeper Vault custom fields

These configuration capabilities are functional and currently in an experimental phase, and we invite users to actively explore and utilize them. We are actively evaluating their functionality and performance, with the intention of considering them for official integration into our product in the future.

Advanced Gateway Configuration with Custom Fields

When setting up Rotation in your Keeper Vault, you store the credentials of your assets involved in rotation on their corresponding PAM Record Types. On these record types, you are able to create custom fields.

The additional gateway configurations will be defined with these custom fields on the PAM Record Types. The Keeper Gateway will then adjust its behavior based on the defined configurations.

The following tables lists all the possible configurations with custom fields:

Custom Field Name Type Default Value Description

Custom Field Name	Type	Default Value	Description
`Shell`	Text	`None`	Allows you to specify a custom shell path that the Gateway will use when executing rotation and post-rotation scripts. This gives you control over the environment in which these scripts run. Example Value: `C:\MY\SHLL`
`NOOP`	Text	`False`	Allows you to control whether the Gateway performs the primary rotation operation or proceeds directly to execution of the post-rotation script. If set to `True` the Gateway will skip the rotation process and proceed directly in executing the post-rotation script(s). Example Value: `True`
`Kerberos`	Text	`False`	Specifically designed for WinRM connections using Kerberos authentication. By default, the Gateway automatically decides whether to use Kerberos based on certain rules, and If these conditions are met, the Gateway will attempt to use Kerberos for WinRM. However, if you encounter issues with this automatic detection, setting this field to `True` will override the default behavior and force the Gateway to use Kerberos for WinRM. Example Value: `True`
`Private Key Type`	Text	`ssh-rsa`	Gateway Version 1.3.4+ This custom field pertains to the type or algorithm of the private key stored in a record. When adding a private key to a record, users do not need to take any additional action regarding its type or algorithm. The system is designed to automatically recognize and use the same algorithm as the existing private key during the rotation process. If the algorithm in use is ECDSA, the key size will also be preserved during the rotation. Available Options if needed to overwrite the key type: `ssh-rsa` (Note: 4096 bits) `ssh-dss` (Note: 1024 bit, obsolete) `ecdsa-sha2-nistp256` `ecdsa-sha2-nistp384` `ecdsa-sha2-nistp521` `ssh-ed25519`
`Private Key Rotate`	Text	`True`	Gateway Version 1.3.4+ `TRUE` - (Default) If the custom field doesn't exist, the private key will be rotated if it exists. `FALSE` - The private key won't be rotated, even if it exists. Users should pick this if they wish to retain the private key in the record without any rotations.

Shell

Text

None

Allows you to specify a custom shell path that the Gateway will use when executing rotation and post-rotation scripts. This gives you control over the environment in which these scripts run. Example Value: C:\MY\SHLL

NOOP

Text

False

Allows you to control whether the Gateway performs the primary rotation operation or proceeds directly to execution of the post-rotation script.

If set to True the Gateway will skip the rotation process and proceed directly in executing the post-rotation script(s). Example Value: True

Kerberos

Text

False

Specifically designed for WinRM connections using Kerberos authentication. By default, the Gateway automatically decides whether to use Kerberos based on certain rules, and If these conditions are met, the Gateway will attempt to use Kerberos for WinRM. However, if you encounter issues with this automatic detection, setting this field to True will override the default behavior and force the Gateway to use Kerberos for WinRM. Example Value: True

Private Key Type

Text

ssh-rsa

Gateway Version 1.3.4+ This custom field pertains to the type or algorithm of the private key stored in a record. When adding a private key to a record, users do not need to take any additional action regarding its type or algorithm. The system is designed to automatically recognize and use the same algorithm as the existing private key during the rotation process. If the algorithm in use is ECDSA, the key size will also be preserved during the rotation. Available Options if needed to overwrite the key type: ssh-rsa (Note: 4096 bits)

ssh-dss (Note: 1024 bit, obsolete) ecdsa-sha2-nistp256

ecdsa-sha2-nistp384

ecdsa-sha2-nistp521

ssh-ed25519

Private Key Rotate

Text

True

Gateway Version 1.3.4+

TRUE - (Default) If the custom field doesn't exist, the private key will be rotated if it exists.

FALSE - The private key won't be rotated, even if it exists. Users should pick this if they wish to retain the private key in the record without any rotations.

Note:

The custom fields values are not case-sensitive.

PreviousGateway Configuration with AWS KMS NextRotation Use Cases

Last updated 6 months ago