Complete list of the devices and accounts Keeper can access and rotate
After enabling Rotation, you will have access to new PAM record types:
PAM User: Contains a login / password, a private key, or both.
PAM Directory: Information about your on-prem or cloud-based directory.
PAM Database: Self-hosted or managed cloud-based databases such as MySQL, SQL Server, etc.
PAM Machine: Windows, Linux, or macOS machines, on-prem or in the cloud.
PAM Configuration: Information on your network.
In the Keeper Vault, these record types contain the relevant credential and/or configuration information for the Provider, Resource, or User.
When Rotation is triggered, the credentials defined on the PAM User and/or the PAM Directory, Database, or Machine record are changed to new credentials. After rotation is complete, the updated credentials are reflected on the remote Resource and in the Vault record.
For detailed information on how each of the PAM record types can be configured, visit the following:
Record Type Details for PAM Machine, Database, and Directory
When Keeper Rotation is activated on a Keeper account, Rotation record types are added to the account. Records created using these types facilitate record rotation.
The PAM User record contains the following fields:
Field | Description | Notes |
---|---|---|
Login | Username; exact context depends on the associated resource | Required |
Password | Password of the user | Can be rotated |
Private PEM Key | PEM key associated with the user | Can be rotated |
Distinguished Name | Distinguished name; used if associated with a directory | Required when the User is managed by a directory |
Managed User | Flag for accounts that are managed by the AWS or Azure IAM systems | If this is checked, Keeper will skip rotation for this user. This is a planned feature to support account discovery and will not be automatically populated by Keeper at this time. |
The following are the supported configurations for the record type associated with each Device or Account type:
Resource Type | Sub-type | Record Type |
---|---|---|
Database | MySQL, MySQL Flexible | PAM Database |
Database | PostgreSQL, PostgreSQL Flexible | PAM Database |
Database | SQL Server | PAM Database |
Database | Mongo | PAM Database |
Database | MariaDB | PAM Database |
Machine | Windows, macOS, Linux | PAM Machine |
Machine | EC2 Instance | PAM Database |
Machine | Azure VM | PAM Database |
Directory | Active Directory | PAM Directory |
Directory | OpenLDAP | PAM Directory |
The following tables provide more details on each configurable field in PAM Machine, PAM Database, and PAM Directory records:
PAM Machine
Field | Description | Notes |
---|---|---|
Hostname or IP Address | Address of the machine resource | Required |
Port | Port to connect on. The Gateway uses this to determine the connection method. | Must be a port for SSH or WinRM. Keeper expects 22, 5985, 5986, or an alternative port for SSH or WinRM specified in the PAM Configuration port mapping. |
Login | Admin account username | |
Password | Password for the admin account | If Port is 22, or an alternative port mapped to ssh, a Private PEM Key can be used instead. |
Private PEM Key | PEM key for the SSH connection (optional) | The key takes precedence if both a key and a password are provided. |
OS | Operating System | For human reference only. The operating system is detected during rotation. |
SSL Verification | Verify the certificate of the host when connecting with SSH | |
Instance Name | Azure or AWS Instance Name | Not used for rotation |
Instance Id | Azure or AWS Instance ID | Not used for rotation |
Provider Group | Provider Group for directories hosted in Azure | Not used for rotation |
Provider Region | AWS region of the hosted directory | Not used for rotation |
PAM Database
Field | Description | Notes |
---|---|---|
Hostname or IP Address | Address of the database resource | Required |
Port | Port to connect on. The Gateway uses this to determine the connection method. | A port must be provided. Standard ports are: PostgreSQL 5432, MySQL 3306, MariaDB 3306, Microsoft SQL 1433, Oracle 1521, MongoDB 27017 |
Use SSL | Use SSL when connecting | |
Login | Admin account username | |
Password | Admin account password | |
Connect Database | Database to connect to (Postgres only) | Required for connecting to Postgres, MongoDB, and MS SQL Server |
Database Id | Azure or AWS Resource ID | Required for AWS and Azure rotations |
Database Type | Appropriate database type from the supported databases | If a non-standard port is provided, the Database Type is used to determine the connection method. |
Provider Group | Azure or AWS Provider Group | Required for Azure rotations |
Provider Region | Azure or AWS Provider Region | Required for AWS rotations |
PAM Directory
Field | Description | Notes |
---|---|---|
Hostname or IP Address | Address of the directory resource | Required |
Port | Port to connect on | Typically 389 or 636 (LDAP/LDAPS) |
Use SSL | Use SSL when connecting | |
Login | Username of a domain account with rotation privilege | Example: "administrator" |
Password | Domain account password | Password is masked |
Distinguished Name | Distinguished name of the domain login provided above | Example: CN=Jeff Smith,OU=Sales,DC=demo,DC=COM. If left blank, defaults are attempted depending on the provider type. |
Directory ID | Instance ID for the AD resource in Azure and AWS hosted environments | Required for Azure Active Directory and AWS Directory Service. AWS example: "d-9a423d0d3b" |
Directory Type | Directory type, used for formatting of messaging | Must be Active Directory or OpenLDAP |
Domain Name | Domain managed by the directory | Example: some.company.com |
Provider Group | Provider Group for directories hosted in Azure | Required for directories hosted in Azure |
Provider Region | AWS region of the hosted directory | Required for directories hosted in AWS. Example: us-east-2 |
Details regarding the PAM Configuration record
When creating a PAM Configuration record, you have the option of choosing one of the following environments:
Local Network
AWS
Azure
The following table provides more details on each configurable field in the PAM Configuration record, regardless of the environment you choose:
Field | Description | Notes |
---|---|---|
Title | Name of the PAM Configuration record | Ex: My Configuration |
Gateway | The configured gateway | See docs for more info |
Application Folder | The shared folder that contains the PAM records | |
Administrative Credential Record | The administrative credential record with sufficient permissions to rotate credentials | This is your PAM Machine, PAM Database, or PAM Directory record |
Default Rotation Schedule | Specify the frequency of Rotation | Ex: Daily |
Port Mapping | Type of connection method | Ex: 3307=mysql. See docs for more info |
The following tables provide more details on each configurable field in the PAM Network Configuration record, based on the environment you chose:
Local Network
Field | Description | Notes |
---|---|---|
Network ID | Unique ID for the network | This is for the user's reference. Ex: My Network |
Network CIDR | Subnet of the IP address | Ex: 192.168.0.15/24. Refer to this for more info |
AWS
Field | Description | Notes |
---|---|---|
AWS ID | A unique ID for the instance of AWS | Required. This is for the user's reference. Ex: AWS-1 |
Access Key ID | From an IAM user account, the Access Key ID of the desired access key | Optional |
Secret Access Key | The secret key for the access key | Optional, masked |
Region Names | AWS region names | Ex: us-east-2 |
Azure
Field | Description | Notes |
---|---|---|
Azure ID | A unique ID for your instance of Azure | Required. This is for the user's reference. Ex: Azure-1 |
Client ID | The application/client ID (UUID) of the Azure application | Required |
Client Secret | The client credentials secret for the Azure application | Required |
Subscription ID | The UUID of the subscription (e.g. Pay-As-You-Go) | Required |
Tenant ID | The UUID of the Azure Active Directory | Required |
Resource Groups | A list of resource groups to be checked. If left blank, all resource groups will be checked | |
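As an added worked example (not code from Keeper or from this documentation), the following Python script applies the connection rules that are spread across the PAM Machine, PAM Database and PAM Configuration tables above: the Gateway's port-based selection of SSH or WinRM, the Port Mapping override such as 3307=mysql, the Database Type fallback for non-standard database ports, the Connect Database requirement, and the rule that a PEM key takes precedence over a password. The record classes, function names, the whitespace/comma separator between mapping entries and the short driver labels (for example "mssql" for Microsoft SQL) are assumptions of this example.

```python
# Added illustration, not Keeper's own gateway or vault code: a small
# record linter that applies the connection rules documented in the
# PAM record tables. Field names mirror the documentation; the class
# names, helper names, mapping-entry separators and the short driver
# labels (e.g. "mssql" for Microsoft SQL) are assumptions of this example.
from dataclasses import dataclass
from typing import Dict, Optional, Union

# Standard ports listed in the PAM Machine and PAM Database tables.
MACHINE_PORTS = {22: "ssh", 5985: "winrm", 5986: "winrm"}
DATABASE_PORTS = {5432: "postgresql", 3306: "mysql", 1433: "mssql",
                  1521: "oracle", 27017: "mongodb"}
KNOWN_DB_TYPES = {"postgresql", "mysql", "mariadb", "mssql", "oracle", "mongodb"}
# Databases documented as needing a "Connect Database" value.
NEEDS_CONNECT_DB = {"postgresql", "mongodb", "mssql"}


def parse_port_mapping(mapping: str) -> Dict[int, str]:
    """Parse PAM Configuration Port Mapping entries such as "3307=mysql".

    Entries are separated by whitespace or commas (an assumption).
    Malformed entries raise ValueError rather than being silently dropped.
    """
    result: Dict[int, str] = {}
    for entry in mapping.replace(",", " ").split():
        port_str, sep, method = entry.partition("=")
        if not sep or not port_str.isdigit() or not method:
            raise ValueError(f"bad port mapping entry: {entry!r}")
        port = int(port_str)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in mapping: {port}")
        result[port] = method.lower()
    return result


@dataclass
class PamMachine:
    hostname: str
    port: int
    login: str
    password: Optional[str] = None
    private_pem_key: Optional[str] = None


@dataclass
class PamDatabase:
    hostname: str
    port: int
    login: str
    password: str
    database_type: Optional[str] = None
    connect_database: Optional[str] = None


def machine_connection(rec: PamMachine, port_mapping: Dict[int, str]) -> Dict[str, str]:
    """Pick the connection method and credential for a PAM Machine record.

    Port Mapping wins over the built-in port table, and the port must resolve
    to ssh or winrm. A PEM key is only usable over SSH; when both a key and a
    password are present, the key takes precedence.
    """
    method = port_mapping.get(rec.port, MACHINE_PORTS.get(rec.port))
    if method not in ("ssh", "winrm"):
        raise ValueError(f"port {rec.port} is not 22/5985/5986 and is not mapped to ssh or winrm")
    if method == "ssh" and rec.private_pem_key:
        credential = "private_pem_key"
    elif rec.password:
        credential = "password"
    else:
        raise ValueError("no usable credential: need a password, or a PEM key over ssh")
    return {"method": method, "credential": credential}


def database_connection(rec: PamDatabase, port_mapping: Dict[int, str]) -> Dict[str, Optional[str]]:
    """Pick the database driver: Port Mapping, then the standard port table,
    then the record's Database Type when the port is non-standard."""
    method = port_mapping.get(rec.port, DATABASE_PORTS.get(rec.port))
    if method is None:
        if not rec.database_type:
            raise ValueError(f"non-standard port {rec.port} requires Database Type")
        method = rec.database_type.lower()
    if method not in KNOWN_DB_TYPES:
        raise ValueError(f"unsupported database type {method!r}")
    if method in NEEDS_CONNECT_DB and not rec.connect_database:
        raise ValueError(f"{method} requires Connect Database")
    return {"method": method, "connect_database": rec.connect_database}


def lint(rec: Union[PamMachine, PamDatabase], port_mapping: Dict[int, str]) -> Optional[str]:
    """Return None when the record resolves, otherwise the rule it violates."""
    resolve = machine_connection if isinstance(rec, PamMachine) else database_connection
    try:
        resolve(rec, port_mapping)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample values; not real hosts or credentials.
    mapping = parse_port_mapping("3307=mysql, 2222=ssh")
    for rec in (PamMachine("10.0.0.5", 2222, "admin", password="pw", private_pem_key="KEY"),
                PamDatabase("db.internal", 3307, "root", "pw"),
                PamDatabase("pg.internal", 5433, "postgres", "pw")):
        print(rec.hostname, "->", lint(rec, mapping) or "ok")
```

Running the script shows the first two constructed records resolving (SSH with the key preferred, and MySQL via the 3307 mapping) while the PostgreSQL record on port 5433 is rejected until a Database Type is set, which is the same check the Gateway is documented to need for a non-standard port.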