# Advanced
## Config Parameter Protection
The Keeper Vault can be utilized to protect and store configuration secrets that would normally be hard-coded into the `guacamole.properties` or Docker Compose file.
### **Auto Docker Install Method**
If you installed Keeper Connection Manager using the Auto Docker Install method, configuration secrets are protected in the auto-generated Docker Compose file.
As root, edit the `/etc/kcm-setup/docker-compose.yml` file.
For each configuration secret that you want to protect, you can replace the entry with a direct lookup in the Keeper vault. A good example of this is replacing the hard-coded MySQL database password with a vault record.
**BEFORE:**
```
MYSQL_HOSTNAME: "db"
MYSQL_DATABASE: "guacamole_db"
MYSQL_USERNAME: "guacamole_user"
MYSQL_PASSWORD: "your_mysql_database_password"
```
**AFTER:**
```
MYSQL_HOSTNAME: "db"
MYSQL_DATABASE: "guacamole_db"
MYSQL_USERNAME: "guacamole_user"
MYSQL_PASSWORD_KSM_SECRET: keeper://2ZlOFQAYi4DubJWBtSbRxw/field/password
```
The token syntax is using [Keeper Notation](/keeperpam/secrets-manager/about/keeper-notation.md). The name of the parameter must follow the format of `*_KSM_SECRET`. In this example, the MySQL database password is pulled directly from a Keeper record in the Shared Folder.
The value of each `*_KSM_SECRET` variable should be the Keeper notation of the secret that should be used to pull the necessary configuration value. For example, if `SOME_VARIABLE_KSM_SECRET` were set to valid Keeper notation, then the value of the Guacamole property normally associated with `SOME_VARIABLE` will be pulled from that secret in KSM.
Once the file changes have been saved, update the containers:
```
$ sudo ./kcm-setup.run upgrade
```
### **Docker Compose Install Method**
Edit your `docker-compose.yml` file.
For each configuration secret that you want to protect, you can replace the entry with a direct lookup in the Keeper vault. A good example of this is replacing the hard-coded MySQL database password with a vault record:
```
MYSQL_HOSTNAME: "db"
MYSQL_DATABASE: "guacamole_db"
MYSQL_USERNAME: "guacamole_user"
MYSQL_PASSWORD_KSM_SECRET: keeper://2ZlOFQAYi4DubJWBtSbRxw/field/password
```
The token syntax is using [Keeper Notation](/keeperpam/secrets-manager/about/keeper-notation.md). In this example, the MySQL database password is pulled directly from a Keeper record in the Shared Folder as seen below:
The value of each `*_KSM_SECRET` variable should be the Keeper notation of the secret that should be used to pull the necessary configuration value. For example, if `SOME_VARIABLE_KSM_SECRET` were set to valid Keeper notation, then the value of the Guacamole property normally associated with `SOME_VARIABLE` will be pulled from that secret in KSM.
Once the file changes have been saved, update the containers:
```
sudo su
docker-compose up -d
```
### Other configuration options
In docker installations, the parameter `ADDITIONAL_GUACAMOLE_PROPERTIES_KSM` can be used to move parameters from the guacamole.properties file into guacamole.properties.ksm.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.keeper.io/keeper-connection-manager/vault-integration/advanced.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
