Advanced
Advanced features of the Keeper Vault integration

Config Parameter Protection

The Keeper Vault can be utilized to protect and store configuration secrets that would normally be hard-coded into the guacamole.properties or Docker Compose file.

Simple Docker Install Method

If you installed Keeper Connection Manager using the Simple Docker Install method, configuration secrets are protected in the auto-generated Docker Compose file.
As root, edit the /etc/kcm-setup/docker-compose.yml file.
For each configuration secret that you want to protect, you can replace the entry with a direct lookup in the Keeper vault. A good example of this is replacing the hard-coded MySQL database password with a vault record.
BEFORE:
MYSQL_HOSTNAME: "db"
MYSQL_DATABASE: "guacamole_db"
MYSQL_USERNAME: "guacamole_user"
MYSQL_PASSWORD: "your_mysql_database_password"
AFTER:
MYSQL_HOSTNAME: "db"
MYSQL_DATABASE: "guacamole_db"
MYSQL_USERNAME: "guacamole_user"
MYSQL_PASSWORD_KSM_SECRET: keeper://2ZlOFQAYi4DubJWBtSbRxw/field/password
The token syntax uses Keeper Notation. The name of the parameter must follow the format *_KSM_SECRET. In this example, the MySQL database password is pulled directly from a Keeper record in the Shared Folder.
[Image: Configuration Storage in the Keeper Vault]
The value of each *_KSM_SECRET variable should be the Keeper notation of the secret that should be used to pull the necessary configuration value. For example, if SOME_VARIABLE_KSM_SECRET were set to valid Keeper notation, then the value of the Guacamole property normally associated with SOME_VARIABLE will be pulled from that secret in KSM.
Once the file changes have been saved, update the containers:
$ sudo ./kcm-setup.run upgrade

Custom Docker Install Method

Edit your docker-compose.yml file.
For each configuration secret that you want to protect, you can replace the entry with a direct lookup in the Keeper vault. A good example of this is replacing the hard-coded MySQL database password with a vault record:
MYSQL_HOSTNAME: "db"
MYSQL_DATABASE: "guacamole_db"
MYSQL_USERNAME: "guacamole_user"
MYSQL_PASSWORD_KSM_SECRET: keeper://2ZlOFQAYi4DubJWBtSbRxw/field/password
The token syntax uses Keeper Notation. In this example, the MySQL database password is pulled directly from a Keeper record in the Shared Folder as seen below:
[Image: Configuration Storage in the Keeper Vault]
The value of each *_KSM_SECRET variable should be the Keeper notation of the secret that should be used to pull the necessary configuration value. For example, if SOME_VARIABLE_KSM_SECRET were set to valid Keeper notation, then the value of the Guacamole property normally associated with SOME_VARIABLE will be pulled from that secret in KSM.
Once the file changes have been saved, update the containers:
sudo su
docker-compose up -d

Advanced Linux Install Method

To utilize Keeper Vault storage of Guacamole properties, create a file guacamole.properties.ksm in the same location as your guacamole.properties file (/etc/guacamole/ by default).
In the new file, add any properties that you would like to store in the Keeper vault, and set the value to a Keeper Notation query of the record field to use for that property. Note that the guacamole.properties file must still contain the ksm-config property to identify the Keeper Secrets Manager configuration.
Example Setup
guacamole.properties:
ksm-config: eyJob3N0bm[...]1IzRTN2UVNTNkhsb0NZQW9nUmlPVlY5cjhvUT0ifQ==
guacamole.properties.ksm:
mysql-hostname: keeper://tqd1F9zHRKokN44Xso8PkQ/field/host[hostname]
mysql-port: keeper://tqd1F9zHRKokN44Xso8PkQ/field/host[port]
mysql-password: keeper://tqd1F9zHRKokN44Xso8PkQ/field/password
The token syntax uses Keeper Notation. In this example, the MySQL database password is pulled directly from a Keeper record with the specified UID tqd1F9zHRKokN44Xso8PkQ.
Then, restart the guacamole process as you typically would.
$ sudo systemctl restart guacamole
The records referenced by token replacement must be in a shared folder that your Secrets Manager Application has access to.
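A pre-deployment check for the three procedures above, added here as an example and not part of Keeper's documentation or tooling: it reports settings that still hold a hard-coded secret, and *_KSM_SECRET or guacamole.properties.ksm values that do not have the notation shape shown on this page. The function name audit, the list of sensitive name fragments, and the strict 22-character UID pattern (inferred from the page's two example records) are assumptions.

```python
import re

# Assumption: the accepted shape is inferred from this page's examples only:
# keeper://<22-character record UID>/field/<name>, optionally followed by [key].
NOTATION = re.compile(
    r"^keeper://[A-Za-z0-9_-]{22}/field/[A-Za-z0-9_]+(\[[A-Za-z0-9_]+\])?$")
# Assumption: name fragments that usually mark a secret-bearing setting.
SENSITIVE = re.compile(r"PASSWORD|SECRET|TOKEN|PRIVATE[-_]KEY", re.I)
ENTRY = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*:\s*(.*?)\s*$")


def audit(text, ksm_file=False):
    """Return (line_number, name, problem) tuples for one config file.

    ksm_file=False: docker-compose.yml or guacamole.properties content.
    ksm_file=True:  guacamole.properties.ksm, where every value is a lookup.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        match = ENTRY.match(line)
        if not match:
            continue  # comments, list items and blank lines
        name, value = match.group(1), match.group(2).strip("\"'")
        if ksm_file or name.upper().endswith("_KSM_SECRET"):
            if not NOTATION.match(value):
                findings.append((number, name, "not Keeper notation"))
        elif value.startswith("keeper://"):
            findings.append(
                (number, name, "keeper:// value in a non-lookup setting"))
        elif SENSITIVE.search(name) and value:
            findings.append((number, name, "hard-coded secret"))
    return findings


# Constructed sample; the record UID is the one used in the page's example.
SAMPLE_COMPOSE = """\
    environment:
      MYSQL_HOSTNAME: "db"
      MYSQL_PASSWORD: "your_mysql_database_password"
      MYSQL_USERNAME_KSM_SECRET: keeper://2ZlOFQAYi4DubJWBtSbRxw/login
      MYSQL_DATABASE: keeper://2ZlOFQAYi4DubJWBtSbRxw/field/database
"""

if __name__ == "__main__":
    for number, name, problem in audit(SAMPLE_COMPOSE):
        print(f"line {number}: {name}: {problem}")
```

Pass ksm_file=True when checking guacamole.properties.ksm, where a plain value such as a port number is reported because every entry in that file is expected to be a lookup.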

Other configuration options

In Docker installations, the parameter ADDITIONAL_GUACAMOLE_PROPERTIES_KSM can be used to move parameters from the guacamole.properties file into guacamole.properties.ksm.