Linux RPM Installation

RPM installation of the Keeper Connection Manager components in Linux environments.

The Advanced Linux Install method requires knowledge of Linux environments and experience with the yum package manager.

Overview

This method of installation requires one of the following operating systems:

  • Linux CentOS 7 or 8

  • RHEL 7 or 8

The Keeper Connection Manager packages have dependencies on various Apache Tomcat and Apache Guacamole packages. Once Guacamole and Tomcat have been set up, a production deployment will also require:

If you do not already have a database server and reverse proxy ready, and are not experienced with setting up those services, instructions are also provided for installing a local instance of MariaDB, installing a local instance of PostgreSQL, and for installing Nginx to provide SSL termination.

Keeper Connection Manager is made up of multiple packaged components. The packages provide binary versions of the Apache Guacamole stack that can be updated automatically. The other components will come from your OS repository (CentOS / RHEL), from other services deployed on your network, or from third-party service providers, depending on your preferences.

A typical and minimal production deployment of Keeper Connection Manager will involve the following:

  • The Guacamole Web Application, served by Apache Tomcat.

  • SSL termination that sits in front of Apache Tomcat.

  • The "guacd" service, used internally by the Guacamole web application.

  • A database, used by the Guacamole web application for authentication and storage.

Advanced capabilities of the platform can be installed as packages, providing features such as:

  • SAML 2.0 / SSO Authentication

  • AD/LDAP Authentication

  • Keeper Secrets Manager integration

  • TOTP for Two-Factor Authentication

System Diagram

Installation of Keeper Connection Manager requires the following steps:

  1. Installing the Guacamole web application and its backend service, "guacd".

  2. Installing a database like MariaDB or PostgreSQL, if no such database is already deployed.

  3. Configuring Guacamole to use your database.

  4. Installing and configuring a reverse proxy to provide SSL termination, if no such proxy is already deployed.

This guide will walk through the installation of the core components of Keeper Connection Manager: the components necessary to see the web application in a browser and test some remote desktop connections.

Once the basic Keeper Connection Manager setup has been installed, you will still need to configure a database and deploy SSL termination before moving to production.

Additional guides are available which cover configuring Keeper Connection Manager to use your database of choice and configuring your reverse proxy to provide SSL termination. If you do not yet have a database or do not yet have a reverse proxy, additional guides covering installation of those required services are available.

Configure the Linux Machine

Before getting started, make sure that your Linux environment is fully up-to-date.

sudo yum update

To ensure that the Linux machine is capable of generating enough entropy for random number generation, we recommend installing the haveged package.

These packages can be installed using the commands below:

sudo yum install epel-release
sudo yum install haveged
sudo systemctl start haveged
sudo systemctl enable haveged

Set up the YUM repository

So that YUM can find the various RPM packages which make up Keeper Connection Manager, a repository file needs to be created.

To use the 'yum' utility to automatically create this .repo file, use the following command:

sudo yum install "https://keepersecurity.com/kcm/2/`rpm -E%{suffix:%dist}`/kcm-release.rpm"

Install and deploy Apache Guacamole

Keeper Connection Manager provides a "@kcm" package group for convenience which installs all of the packages typically required for an Apache Guacamole deployment, and includes support for VNC, RDP, SSH, Telnet, MySQL and Kubernetes. This package group automatically deploys Apache Guacamole beneath a version of Apache Tomcat bundled and packaged by Keeper Connection Manager.

Install the @kcm package group

Installing "@kcm" will install the core packages required for Apache Guacamole and a bundled version of Apache Tomcat. The Guacamole web application will be automatically deployed beneath the bundled version of Tomcat:

$ sudo yum install @kcm

Start Guacamole and guacd

The full Apache Guacamole stack is made up of two services: the Guacamole web application (served by Tomcat) and its remote desktop proxy service, "guacd". Thus, both the "guacamole" and "guacd" services must be started for Guacamole to function, and should be configured to start automatically on boot:

$ sudo systemctl start guacd guacamole
$ sudo systemctl enable guacd guacamole

Congratulations! At this point, Keeper Connection Manager should be working, and a login screen should be visible if you visit http://HOSTNAME:8080/ with a web browser, where “HOSTNAME” is the hostname or IP address of your server.

Note that this environment will be missing all of the connection management screens. These features will become activated as soon as you configure a database in the next step.

Quick Connection Test

With the bare-bones deployment running, you can move forward with testing your deployment using /etc/guacamole/user-mapping.xml (the built-in authentication method intended for testing). This allows you to manually test a remote connection and set up a sandbox user account.
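A minimal file for this quick test can be written with a small shell function (an added example, not taken from the Keeper documentation). The element layout follows Apache Guacamole's user-mapping.xml format; the function name, the "ssh-test" connection name and the sample user and host are assumptions for illustration.

```shell
# Added example (not from the KCM documentation): write a throwaway
# user-mapping.xml containing one SSH connection for the quick test.
# Assumptions: function name, connection name "ssh-test" and port 22.

write_test_user_mapping() {   # $1 = output file, $2 = login name, $3 = SSH host
    out=$1 user=$2 host=$3
    # Accept only characters that cannot break out of an XML attribute or element.
    for v in "$user" "$host"; do
        case "$v" in
            ''|*[!A-Za-z0-9._-]*) echo "rejected value: $v" >&2; return 1 ;;
        esac
    done
    # 16 random bytes as hex: a one-off password instead of a guessable literal.
    pass=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    (
        umask 027   # a newly created file gets mode 0640, never world-readable
        cat > "$out" <<EOF
<user-mapping>
    <authorize username="$user" password="$pass">
        <connection name="ssh-test">
            <protocol>ssh</protocol>
            <param name="hostname">$host</param>
            <param name="port">22</param>
        </connection>
    </authorize>
</user-mapping>
EOF
    ) || return 1
    chmod 640 "$out"        # also tightens a file that already existed
    printf '%s\n' "$pass"   # shown once so the tester can log in
}
```

Run as root, `write_test_user_mapping /etc/guacamole/user-mapping.xml demo 192.0.2.10` prints the generated password; the account the guacamole service runs as must be able to read the file.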

Database Setup

To activate the full functionality of the platform, a database must be configured.

MySQL / MariaDB, PostgreSQL, and SQL Server are supported. If you do not already have a database deployed, or are unfamiliar with deploying databases, instructions are provided for installing a local instance of MariaDB and for installing a local instance of PostgreSQL.

SSL Termination

In a production environment, proper SSL termination is required. Apache HTTPD and Nginx are supported for this purpose. If you do not already have a reverse proxy in place, or are unfamiliar with installing and configuring a reverse proxy, instructions are provided for installing Nginx to provide SSL termination.

Protecting your Keeper Connection Manager Instance

During the initial testing and deployment phase, we recommend locking down access to the Keeper Connection Manager service with firewall rules. Port 80 or 443 should be opened only to specific users.
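One way to express that restriction on CentOS / RHEL, as an added example that is not part of the Keeper documentation: the functions below print the firewalld commands that drop the blanket openings and admit only named IPv4 source networks on one port. It assumes firewalld is the active firewall and that the "public" zone is in use; the function names are hypothetical and IPv6 sources are not handled.

```shell
# Added example (not from the KCM documentation): build a firewalld plan that
# admits only listed source networks on the chosen TCP port.
# Assumptions: firewalld, zone "public", IPv4 sources only.

kcm_rich_rule() {   # $1 = source CIDR, $2 = TCP port
    # Character whitelist only: keeps shell metacharacters out of the plan.
    # firewalld itself still rejects a malformed address or port.
    case "$1" in
        ''|*[!0-9./]*) echo "invalid IPv4 CIDR: $1" >&2; return 1 ;;
    esac
    case "$2" in
        ''|*[!0-9]*) echo "invalid port: $2" >&2; return 1 ;;
    esac
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

kcm_firewall_plan() {   # $1 = TCP port, remaining args = allowed source CIDRs
    port=$1; shift
    [ "$#" -gt 0 ] || { echo "no source networks given" >&2; return 1; }
    adds=
    for cidr in "$@"; do
        rule=$(kcm_rich_rule "$cidr" "$port") || return 1
        adds="${adds}firewall-cmd --permanent --zone=public --add-rich-rule='$rule'
"
    done
    # Nothing is printed until every argument has validated, so a bad value
    # can never leave a half-applied plan behind.
    for open in --remove-service=http --remove-service=https --remove-port=8080/tcp; do
        echo "firewall-cmd --permanent --zone=public $open"
    done
    printf '%s' "$adds"
    echo "firewall-cmd --reload"
}
```

Review the output of `kcm_firewall_plan 443 198.51.100.0/24` (a constructed documentation range) before piping it to `sudo sh`; during the pre-proxy test phase the same call with port 8080 limits the plain-HTTP Tomcat listener to the same networks.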

When activating the Let's Encrypt SSL certificates, you may need to open up the gateway for the generation and verification of the domain.

In a production environment, we recommend using SAML/SSO authentication with your preferred identity provider. Step by step guides are provided in this documentation.
