Linux RPM Installation

RPM installation of the Keeper Connection Manager components in Linux environments.

The Advanced Linux Install method requires knowledge of Linux environments and experience with the yum package manager.

Overview

This method of installation requires one of the following operating systems:

  • Linux CentOS 7 or 8

  • RHEL 7 or 8

The Keeper Connection Manager packages have dependencies on various Apache Tomcat and Apache Guacamole packages. Once Guacamole and Tomcat have been set up, a production deployment will also require:

  • An instance of a supported database (MySQL / MariaDB, PostgreSQL, or SQL Server).

  • SSL termination using a reverse proxy (Apache HTTPD or Nginx).

If you do not already have a database server and reverse proxy ready, and are not experienced with setting up those services, instructions are also provided for installing a local instance of MariaDB, installing a local instance of PostgreSQL, and for installing Nginx to provide SSL termination.

Keeper Connection Manager is made up of multiple packaged components. The packages provide binary versions of the Apache Guacamole stack that can be updated automatically. The other components will come from your OS repository (CentOS / RHEL), from other services deployed on your network, or from third-party service providers, depending on your preferences.

A typical and minimal production deployment of Keeper Connection Manager will involve the following:

  • The Guacamole Web Application, served by Apache Tomcat.

  • SSL termination that sits in front of Apache Tomcat.

  • The "guacd" service, used internally by the Guacamole web application.

  • A database, used by the Guacamole web application for authentication and storage.

Advanced capabilities of the platform can be installed as packages, providing features such as:

  • SAML 2.0 / SSO Authentication

  • AD/LDAP Authentication

  • Keeper Secrets Manager integration

  • TOTP for Two-Factor Authentication

System Diagram

Installation of Keeper Connection Manager requires the following steps:

  1. Installing the Guacamole web application and its backend service, "guacd".

  2. Installing a database like MariaDB or PostgreSQL, if no such database is already deployed.

  3. Configuring Guacamole to use your database.

  4. Installing and configuring a reverse proxy to provide SSL termination, if no such proxy is already deployed.

This guide will walk through the installation of the core components of Keeper Connection Manager: the components necessary to see the web application in a browser and test some remote desktop connections.

Once the basic Keeper Connection Manager setup has been installed, you will still need to configure a database and deploy SSL termination before moving to production.

Additional guides are available which cover configuring Keeper Connection Manager to use your database of choice and configuring your reverse proxy to provide SSL termination. If you do not yet have a database or do not yet have a reverse proxy, additional guides covering installation of those required services are available.

Configure the Linux Machine

Before getting started, make sure that your Linux environment is fully up-to-date.

sudo yum update

To ensure that the Linux machine is capable of generating enough entropy for random number generation, we recommend installing the haveged package.

These packages can be installed using the commands below:

sudo yum install epel-release
sudo yum install haveged
sudo systemctl start haveged
sudo systemctl enable haveged

Set up the YUM repository

So that YUM can find the various RPM packages which make up Keeper Connection Manager, a repository file needs to be created.

To use the 'yum' utility to automatically create this .repo file, use the following command:

sudo yum install "https://keepersecurity.com/kcm/2/`rpm -E%{suffix:%dist}`/kcm-release.rpm"

Install and deploy Apache Guacamole

Keeper Connection Manager provides a "@kcm" package group for convenience which installs all of the packages typically required for an Apache Guacamole deployment, and includes support for VNC, RDP, SSH, Telnet, MySQL and Kubernetes. This package group automatically deploys Apache Guacamole beneath a version of Apache Tomcat bundled and packaged by Keeper Connection Manager.

Install the @kcm package group

Installing "@kcm" will install the core packages required for Apache Guacamole and a bundled version of Apache Tomcat. The Guacamole web application will be automatically deployed beneath the bundled version of Tomcat:

$ sudo yum install @kcm

Start Guacamole and guacd

The full Apache Guacamole stack is made up of two services: the Guacamole web application (served by Tomcat) and its remote desktop proxy service, "guacd". Thus, both the "guacamole" and "guacd" services must be started for Guacamole to function, and should be configured to start automatically on boot:

$ sudo systemctl start guacd guacamole
$ sudo systemctl enable guacd guacamole

Congratulations! At this point, Keeper Connection Manager should be working, and a login screen should be visible if you visit http://HOSTNAME:8080/ with a web browser, where “HOSTNAME” is the hostname or IP address of your server.

Note that this environment will be missing all of the connection management screens. These features will become activated as soon as you configure a database in the next step.

Quick Connection Test

With the bare bones deployment running, you can move forward with testing your deployment using /etc/guacamole/user-mapping.xml (the built-in authentication method intended for testing). This allows you to manually test a remote connection and set up a sandbox user account.

Database Setup

To activate the full functionality of the platform, a database must be configured.

MySQL / MariaDB, PostgreSQL, and SQL Server are supported. If you do not already have a database deployed, or are unfamiliar with deploying databases, instructions are provided for installing a local instance of MariaDB and for installing a local instance of PostgreSQL.

SSL Termination

In a production environment, proper SSL termination is required. Apache HTTPD and Nginx are supported for this purpose. If you do not already have a reverse proxy in place, or are unfamiliar with installing and configuring a reverse proxy, instructions are provided for installing Nginx to provide SSL termination.

Protecting your Keeper Connection Manager Instance

During the initial testing and deployment phase, we recommend locking down access to the Keeper Connection Manager service with firewall rules. Port 80 or 443 should be opened only with access restricted to specific users.
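One way to apply that lock-down with firewalld on CentOS / RHEL, as an added example that is not part of the original Keeper documentation. The source networks are constructed placeholders from the documentation address ranges, port 8080 is the Tomcat port from the test URL above, and the helper names (valid_cidr, rich_rule, run, kcm_lockdown) are hypothetical.

```shell
#!/bin/sh
# Added example: admit only named source networks to the KCM web ports.
# Constructed placeholder values; replace with your administrators' networks.
ALLOWED_SOURCES="203.0.113.0/24 198.51.100.17/32"
# 8080 is Tomcat before SSL termination is in place; use 80/443 behind the proxy.
KCM_PORTS="443 8080"

# Succeed only for a well-formed IPv4 address with a prefix length (a.b.c.d/n).
valid_cidr() (
    case $1 in */*) ;; *) exit 1 ;; esac
    ip=${1%/*}; prefix=${1##*/}
    case $prefix in ''|*[!0-9]*) exit 1 ;; esac
    [ "$prefix" -le 32 ] || exit 1
    case $ip in *[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.; set -- $ip
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do [ "$octet" -le 255 ] || exit 1; done
)

# Build the firewalld rich rule accepting one source network on one TCP port.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

# Dry run by default: list each command. Set APPLY=1 to execute it with sudo.
run() {
    if [ "${APPLY:-0}" = 1 ]; then sudo "$@"; else printf '%s\n' "$*"; fi
}

kcm_lockdown() {
    # Refuse to touch the firewall if any source entry is malformed.
    for src in $ALLOWED_SOURCES; do
        valid_cidr "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    for port in $KCM_PORTS; do
        # Drop any blanket opening so only the rich rules admit traffic.
        run firewall-cmd --permanent --remove-port="${port}/tcp"
        for src in $ALLOWED_SOURCES; do
            run firewall-cmd --permanent --add-rich-rule="$(rich_rule "$src" "$port")"
        done
    done
    run firewall-cmd --reload
}

kcm_lockdown
```

Review the dry-run listing first, then rerun with APPLY=1; `sudo firewall-cmd --list-all` shows the resulting rules in the default zone.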

When activating the Let's Encrypt SSL certificates, you may need to open up the gateway so that the domain can be verified and the certificate generated.

In a production environment, we recommend using SAML/SSO authentication with your preferred identity provider. Step by step guides are provided in this documentation.


Last updated 7 months ago
