Example guide for setting up SSH on target machines
Customers are responsible for the configuration of their servers and environments.
Secure Shell (SSH) allows confidential and authenticated remote access to a computer. SSH traffic is fully encrypted and, by default, runs on port 22. For reference and testing, see below for instructions and guidance on enabling SSH for your target operating system.
Linux requires the SSH daemon to be running in order to accept SSH connections. Most Linux distributions will have the OpenSSH server installed, but may not have the service enabled. The service needs to be enabled, started, and added to the list of services to be started upon reboot.
To verify that ssh is running on your Linux system, invoke the following command:
If ssh is not running, you may need to install OpenSSH and/or enable ssh. The following commands demonstrate this on Ubuntu:
Note:
- You may need sudo permissions to install and enable ssh.
- The installation command may differ depending on your Linux distribution.
SSH is normally not installed on Windows. However, SSH can easily be installed via Windows capability packages, which are maintained by Microsoft. The following PowerShell script will 1) install SSH, 2) start the SSH service and make sure it starts with each reboot, and 3) make sure the firewall allows SSH connections:
Windows SSH can default to either PowerShell or CMD. Keeper Rotation uses PowerShell commands. If the default shell is CMD, Keeper Rotation will invoke rotation commands via PowerShell Invoke-Command -ScriptBlock { COMMANDS }. To change the default shell to PowerShell, invoke the following PowerShell command:
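The three installation steps and the default-shell change described above, as one added example script (written for this page, not Keeper's own script); it assumes the Microsoft capability name `OpenSSH.Server~~~~0.0.1.0` and the standard Windows PowerShell 5.1 path:

```powershell
# Added example, not the page's own script: installs the OpenSSH Server
# capability, starts sshd and makes it start on every reboot, opens TCP/22,
# then makes PowerShell the default shell for incoming SSH sessions.
# Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'
$capability = 'OpenSSH.Server~~~~0.0.1.0'   # capability name published by Microsoft

# 1) Install SSH (skipped if the capability is already present).
if ((Get-WindowsCapability -Online -Name $capability).State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $capability | Out-Null
}

# 2) Start the service now and on every reboot.
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# 3) Ensure an inbound allow rule for TCP/22 exists (the capability usually
#    creates 'OpenSSH-Server-In-TCP' itself; add it only if it is missing).
if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 | Out-Null
}

# Default shell: PowerShell instead of cmd.exe, so rotation commands run natively.
New-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell `
    -Value 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -PropertyType String -Force | Out-Null

# Verify: service state, listener on port 22 and the shell that was set.
Get-Service -Name sshd | Select-Object Name, Status, StartType
Get-NetTCPConnection -LocalPort 22 -State Listen | Select-Object LocalAddress, LocalPort
Get-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell | Select-Object DefaultShell
```

Restart sshd (`Restart-Service sshd`) after changing DefaultShell so new sessions pick it up.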
SSH is installed on macOS and usually not turned on for the user.
To enable it via the UI, enable Remote Login on the General->Sharing panel.
To enable it via the command line, invoke the following command:
Note: you will require Full Disk Access privileges for this command line method.
Example guide for setting up WinRM on target machines
Customers are responsible for the configuration of their servers and environments. For reference and testing, the below PowerShell script can be run on a target machine to enable WinRM with a self-signed certificate. We recommend creating a certificate with a public CA in your production environment.
Below is a breakdown of what this script performs to configure WinRM on a Windows machine:
Set the network connection profile to Private:
Configure and enable WinRM:
Allow non-SSL (unencrypted) traffic on port 5985:
Create a self-signed SSL certificate for encrypted traffic on port 5986:
Create Windows Firewall rules to allow inbound traffic on ports 5985 (non-SSL) and 5986 (SSL):
After running this script, WinRM will be configured to allow both unencrypted (port 5985) and encrypted (port 5986) remote connections. Additionally, Windows Firewall rules will be created to allow inbound traffic on these ports.
From a Windows server, you can test the connectivity to the target machine through PowerShell:
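The five configuration steps above and the connectivity test, as one added example script (written for this page, not Keeper's script). It is run on the target from an elevated prompt; the `-AllowUnencrypted` switch is this example's own addition, so that the plaintext path on 5985 stays off unless deliberately requested:

```powershell
# Added example, not Keeper's own script: performs the five steps above on the
# target machine from an elevated PowerShell prompt. The -AllowUnencrypted
# switch is an assumption of this example: by default the 5985 plaintext path
# stays disabled and only the HTTPS listener (5986) is opened in the firewall.
param([switch]$AllowUnencrypted)
$ErrorActionPreference = 'Stop'

# 1) Network profile must be Private (or Domain); Enable-PSRemoting refuses Public.
Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private

# 2) Enable the WinRM service, its HTTP listener and the PowerShell session configs.
Enable-PSRemoting -Force

# 3) Unencrypted message bodies (e.g. Basic auth) over 5985 are the weak setting;
#    only permit them when explicitly requested.
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $AllowUnencrypted.IsPresent

# 4) Self-signed certificate bound to an HTTPS listener on 5986.
#    Replace any existing HTTPS listener so the new thumbprint is the one in use.
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Remove-Item -Recurse
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# 5) Firewall: 5986 always; 5985 only together with the unencrypted setting.
New-NetFirewallRule -DisplayName 'WinRM HTTPS-In (5986)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
if ($AllowUnencrypted) {
    New-NetFirewallRule -DisplayName 'WinRM HTTP-In (5985)' -Direction Inbound `
        -Protocol TCP -LocalPort 5985 -Action Allow | Out-Null
}

# Local check: configured listeners and the ports actually bound.
Get-ChildItem WSMan:\localhost\Listener | Select-Object Keys
Get-NetTCPConnection -State Listen | Where-Object LocalPort -in 5985, 5986

# Connectivity test from another Windows host (the cert is self-signed, so CA and
# CN checks are skipped for this test only; <target> is a placeholder):
#   $opt = New-PSSessionOption -SkipCACheck -SkipCNCheck
#   Invoke-Command -ComputerName <target> -Port 5986 -UseSSL -SessionOption $opt `
#       -Credential (Get-Credential) -ScriptBlock { hostname }
```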
Complete list of the devices and accounts Keeper can access and rotate
After enabling Rotation, you will have access to new PAM record types:
| Record Type | Description |
|---|---|
| PAM User | Contains a login / password, private key, or both. |
| PAM Directory | Information about your on-prem or cloud-based directory |
| PAM Database | Self-hosted or managed cloud-based databases such as MySQL, SQL Server, etc. |
| PAM Machine | Windows, Linux, macOS machines on-prem or in the cloud |
| PAM Configuration | Information on your network |
In the Keeper Vault, these record types contain the relevant credential and/or configuration information for the Provider, Resource, or User.
When Rotation is triggered, the credentials defined on the PAM User and/or PAM Directory, Database, or Machine record will be changed to new credentials. After rotation is complete, the updated credentials will be reflected on the remote Resource and on the Vault record.
For detailed information on how each of the PAM record types can be configured, visit the following:
Defining alternative ports in PAM Configurations
Rotation relies on the port field in resource records to determine its connection method.
For example, in a PAM Machine record, port 22 tells the gateway to use SSH, port 5985 for WinRM (http) and port 5986 for WinRM (https).
The expected standard ports are listed in the following table.
To use a non-standard port, specify the alternative port in two places:
1. In the PAM Configuration port mapping field, enter {port}={connection}, for example, 32636=ldaps. For {connection}, refer to the labels under Standard Port in the standard ports table.
2. In the PAM Machine/Directory/Database record, enter the chosen port in the port field.
For example, to connect to a MySQL database using port 3307, your PAM Configuration should have 3307=mysql under port mapping, and your PAM Database record should reference port 3307.
Multiple port mappings are comma-separated in the PAM Configuration.
Steps to create a Keeper Secrets Manager application for rotation of passwords
Prior to working with Rotation, you need to create a KSM application. For more information on KSM, visit:
1. Navigate to the "Secret Managers" tab on the left and click on "Create Application" to create a KSM application.
2. In the prompted window:
   - Enter the name of your KSM application
   - Choose the shared folder you have created in Step 1
   - Set the Record Permissions for Application to "Can Edit"
   - Click on "Generate Access Token" and then click on "OK"
You can safely ignore the first One-Time Access Token generated for the newly created KSM application. When creating a Keeper Gateway device, a different One-Time Access Token will be created.
Details regarding the PAM Configuration record
When creating a PAM Configuration record, you have the option of choosing one of the following environments:
Local Network
AWS
Azure
The following table provides more details on each configurable field in the PAM Configuration record, regardless of the environment you choose:
The following tables provide more details on each configurable field in the PAM Network Configuration record, based on the environment you chose:
Record Type Details for PAM Machine, Database, and Directory
When Keeper Rotation is activated on a Keeper account, Rotation record types are added to the account. Records created using these types facilitate record rotation.
The following are the supported configurations for the record type associated with each Device or Account type:
The following tables provide more details on each configurable field in PAM Machine, PAM Database, and PAM Directory records:
Standard ports:
| Resource Type | Connection Type | Standard Port |
|---|---|---|
| PAM Machine | SSH | ssh=22 |
| PAM Machine | WinRM | winrm=5986 |
| PAM Directory | Active Directory | ldaps=636 |
| PAM Directory | OpenLDAP | ldaps=636 |
| PAM Database | PostgreSQL | postgresql=5432 |
| PAM Database | MySQL | mysql=3306 |
| PAM Database | MariaDB | mariadb=3306 |
| PAM Database | Microsoft SQL | mssql=1433 |
| PAM Database | Oracle | oracle=1521 |
| PAM Database | MongoDB | mongodb=27017 |
In the Keeper Web Vault or Desktop App user interface, create a shared folder. This shared folder will contain the PAM records you will create as you are working through the guides.
PAM User record fields:
| Field | Description | Notes |
|---|---|---|
| Login | Username; exact context depends on the associated resource | Required |
| Password | Password of the user | Can be rotated |
| Private PEM Key | PEM key associated with the user | Can be rotated |
| Distinguished Name | Distinguished name; used if associated with a directory | Required when the user is managed by a directory |
| Managed User | Flag for accounts that are managed by the AWS or Azure IAM systems | If this is checked, Keeper will skip rotation for this user. This is a planned feature to support account discovery and will not be automatically populated by Keeper at this time. |
AWS environment fields (PAM Network Configuration):
| Field | Description | Notes |
|---|---|---|
| AWS ID | A unique ID for the instance of AWS | Required; this is for the user's reference |
| Access Key ID | From an IAM user account, the Access Key ID of the desired access key | Optional |
| Secret Access Key | The secret key for the access key | Optional, masked |
| Region Names | AWS region names | |
Azure environment fields (PAM Network Configuration):
| Field | Description | Notes |
|---|---|---|
| Azure ID | A unique ID for your instance of Azure | Required; this is for the user's reference |
| Client ID | The application/client ID (UUID) of the Azure application | Required |
| Client Secret | The client credentials secret for the Azure application | Required |
| Subscription ID | The UUID of the subscription (e.g. Pay-As-You-Go) | Required |
| Tenant ID | The UUID of the Azure Active Directory | Required |
| Resource Groups | A list of resource groups to be checked. If left blank, all resource groups will be checked | |
Supported resource types and their record types:
| Resource Type | Sub-type | Record Type |
|---|---|---|
| Database | MySQL, MySQL Flexible | PAM Database |
| Database | PostgreSQL, PostgreSQL Flexible | PAM Database |
| Database | SQL Server | PAM Database |
| Database | Mongo | PAM Database |
| Database | MariaDB | PAM Database |
| Machine | Windows, macOS, Linux | PAM Machine |
| Machine | EC2 Instance | PAM Database |
| Machine | Azure VM | PAM Database |
| Directory | Active Directory | PAM Directory |
| Directory | OpenLDAP | PAM Directory |
PAM Machine record fields:
| Field | Description | Notes |
|---|---|---|
| Hostname or IP Address | Address of the machine resource | Required |
| Port | Port to connect on. The Gateway uses this to determine the connection method. | Must be a port for SSH or WinRM. Keeper expects 22, 5985, 5986, or an alternative SSH or WinRM port specified in the PAM Configuration port mapping |
| Login | Admin account username | |
| Password | Password for the admin account | If Port is 22, or an alternative port mapped to ssh, a Private PEM key can be used instead |
| Private PEM Key | PEM key for the SSH connection (optional) | The key takes precedence if both a key and a password are provided |
| OS | Operating system | For human reference only. The operating system is detected during rotation |
| SSL Verification | Verify the certificate of the host when connecting with SSH | |
| Instance Name | Azure or AWS instance name | Not used for rotation |
| Instance Id | Azure or AWS instance ID | Not used for rotation |
| Provider Group | Provider Group for directories hosted in Azure | Not used for rotation |
| Provider Region | AWS region of the hosted directory | Not used for rotation |
PAM Database record fields:
| Field | Description | Notes |
|---|---|---|
| Hostname or IP Address | Address of the database resource | Required |
| Port | Port to connect on. The Gateway uses this to determine the connection method. | A port must be provided. Standard ports are: PostgreSQL 5432, MySQL 3306, MariaDB 3306, Microsoft SQL 1433, Oracle 1521, MongoDB 27017 |
| Use SSL | Use SSL when connecting | |
| Login | Admin account username | |
| Password | Admin account password | |
| Connect Database | Database to connect to (Postgres only) | Required for connecting to Postgres, MongoDB, and MS SQL Server |
| Database Id | Azure or AWS resource ID | Required for AWS and Azure rotations |
| Database Type | Appropriate database type from the supported databases | If a non-standard port is provided, the Database Type will be used to determine the connection method |
| Provider Group | Azure or AWS Provider Group | Required for Azure rotations |
| Provider Region | Azure or AWS Provider Region | Required for AWS rotations |
PAM Directory record fields:
| Field | Description | Notes |
|---|---|---|
| Hostname or IP Address | Address of the directory resource | Required |
| Port | Port to connect on | Typically 389 or 636 (LDAP/LDAPS) |
| Use SSL | Use SSL when connecting | |
| Login | Username of the domain account with rotation privilege | Example: "administrator" |
| Password | Domain account password | Password is masked |
| Distinguished Name | Distinguished name of the domain login provided above | Example: CN=Jeff Smith,OU=Sales,DC=demo,DC=COM. If left blank, defaults are attempted depending on the provider type |
| Directory ID | Instance ID for the AD resource in Azure and AWS hosted environments | Required for Azure Active Directory and AWS Directory Service. AWS example: "d-9a423d0d3b" |
| Directory Type | Directory type, used for formatting of messaging | Must be Active Directory or OpenLDAP |
| Domain Name | Domain managed by the directory | Example: some.company.com |
| Provider Group | Provider Group for directories hosted in Azure | Required for directories hosted in Azure |
| Provider Region | AWS region of the hosted directory | Required for directories hosted in AWS. Example: us-east-2 |
Managing rotation with the Commander CLI / SDK interface
Keeper Commander commands have been created to automate and manage the Keeper PAM capabilities including:
Managing Gateways
Managing PAM Configurations
Managing Password Rotation and Discovery
Managing jobs
For more information see the KeeperPAM "pam" command documentation.
PAM Configuration record fields (all environments):
| Field | Description | Notes |
|---|---|---|
| Title | Name of the PAM configuration record | |
| Gateway | The configured gateway | |
| Application Folder | The shared folder that contains the PAM records | |
| Administrative Credential Record | The administrative credential record with sufficient permissions to rotate credentials | This is your PAM Machine, PAM Database or PAM Directory record |
| Default Rotation Schedule | Specify the frequency of Rotation | |
| Port Mapping | Type of connection method | Ex: 3307=mysql |
Local Network environment fields (PAM Network Configuration):
| Field | Description | Notes |
|---|---|---|
| Network ID | Unique ID for the network | This is for the user's reference |
| Network CIDR | Subnet of the IP address | Ex: 192.168.0.15/24 |
Granting a service account the minimum permissions to rotate
When creating a PAM Directory Resource, it is recommended that you use a service account with the least required privileges to perform rotation.
The following steps show you how to enable a service account to rotate credentials using Active Directory's Delegation of Control feature.
Before starting, create a service account for password rotation whose credentials you will store in the Keeper resource record.
1. Launch Active Directory Users and Computers.
2. In the directory tree, select a node for which password rotation should be allowed.
3. Right-click on the node, then click Delegate Control.
4. In the Delegation of Control Wizard, click 'Add'.
5. Locate your chosen service account, then click 'OK'.
6. Click 'Next' to advance to permission selection.
7. In 'Delegate the following common tasks', check the option for 'Reset user passwords and force password change at next logon', then click 'Next'.
8. Add the service account's login and password to the Resource Record for the AD instance.
Keeper rotation event reporting in the Advanced Reporting & Alerts module
A new set of Keeper Rotation events are included in the Advanced Reporting & Alerts module within the Keeper Admin Console.
In addition, Rotation leverages existing Keeper Secrets Manager event types. For example, when a Gateway is registered, the app_client_added event is generated.
For the following events, two status codes are included in the status message: one for Rotation, and one for Post-Rotation (if applicable).
If no post-rotation script is present, the event status reflects rotation only.
If multiple post-rotation scripts are present, a success event is generated only if all scripts complete execution without errors.
To receive immediate feedback on any rotation-related events, Keeper's "Alerts" capability can push these events to email, SMS, webhooks, Slack, Teams, etc.
To learn more, see the documentation for the Keeper Advanced Reporting & Alerts module.
Rotation execution events:
| Event | Description |
|---|---|
| event_record_rotation_scheduled_ok | A scheduled rotation has completed successfully |
| event_record_rotation_scheduled_fail | A scheduled rotation has encountered an error in either rotation or post-rotation |
| event_record_rotation_on_demand_ok | An on-demand rotation has completed successfully |
| event_record_rotation_on_demand_fail | An on-demand rotation has encountered an error in either rotation or post-rotation |
Configuration and rotation settings events:
| Event | Description |
|---|---|
| event_pam_configuration_created | PAM Configuration has been created |
| event_pam_configuration_updated | PAM Configuration has been modified |
| event_pam_configuration_deleted | PAM Configuration has been deleted |
| event_record_rotation_created | Rotation settings have been added to a record |
| event_record_rotation_updated | Rotation settings have been modified on a record |
| event_record_rotation_disabled | Rotation settings have been removed from a record |