Installation
How to set up integration between Vault and Connection Manager

Installation Steps

Below are the steps to establish the integration between Keeper Connection Manager and Keeper Secrets Manager.
(1) Set up your Keeper Vault
In your Keeper Vault, create a Shared Folder that is populated with credentials that will be used for making connections. In the example below you can see a shared folder called "Connection Manager Secrets" that includes a Windows 2022 Server password, SSH Key, MySQL Database, etc...
Shared Folder in the Keeper Vault
(2) Install Keeper Commander CLI
Our CLI tool will allow you to quickly set up the configuration.
There are a few ways to install Commander. We provide binary installers, pip3 packages or Python source code. The top level installation page is here:
(3) Log in to Commander
After installing Commander, log in to the CLI:
$ keeper shell
...
...

Not Logged In> login [email protected]
...
...

My Vault>
In the example screenshot below, I'm logging in with a Keeper admin account using a FIDO2 key and Master Password. Depending on your security settings, you may have to pass device verification, MFA and password entry.
Login to Keeper Commander
(3) Get the Shared Folder UID
The command lsf will list the Shared Folders and display the UID.
List Shared Folders
In this example, the Shared Folder UID we're using is zyMiCn8596yvMln4YwdEdA.
(4) Create an Application
A Secrets Manager application is created in the vault, which is assigned to the Shared Folder. An application is made up of one or more devices. Here we will create a Secrets Manager application and then retrieve the Application UID.
secrets-manager app create "Connection Manager Example"

secrets-manager app get "Connection Manager Example"

Secrets Manager Application
App Name: Connection Manager Example
App UID: YGHY7nWrvkzEzF0I2AuFfg
The resulting Secrets Manager App UID in this example is YGHY7nWrvkzEzF0I2AuFfg.
(5) Assign the Shared Folder to the Application
In this step, we will assign our Shared Folder to the application.
secrets-manager share add --app "Connection Manager Example" --secret zyMiCn8596yvMln4YwdEdA
If successful, you will get the response "Successfully added secrets to app".
(6) Generate a Client Configuration
In this step, we will create a client device configuration. This client device configuration will be directly provided to the Connection Manager.
secrets-manager client add --app "Connection Manager Example" --config-init b64 --name "KCM Device" --unlock-ip
Generate Initialized Configuration
The "Initialized Config" section in green must now be added to the Keeper Connection Manager configuration file. The location of the configuration file depends on the installation method, as described in the next section.
Copy the token for the next section where it will be initialized

Simple Docker Install Method

If you installed Keeper Connection Manager using the Simple Docker Install method, you will need to modify the auto-generated Docker Compose file to include the integration token.
(1) On the local instance, it is a good idea to stop the containers. You can do this using kcm-setup or using docker-compose directly.
sudo ./kcm-setup.run stop
or...
sudo su
cd /etc/kcm-setup/
docker-compose -p kcm stop
Using the simple docker method creates a docker-compose.yml file that is preconfigured for you. One change to this file will be needed to add KSM support.
(2) As root, edit the /etc/kcm-setup/docker-compose.yml file. You can use your favorite editor on the Linux system, such as nano or vim.
Look for the "guacamole" docker image and the "environment" section, which defines environment variables. A sample file is listed below. Paste the token from step 6 above.
guacamole:
    image: keeper/guacamole:2
    restart: unless-stopped
    volumes:
        - common-storage:/var/lib/guacamole
    environment:
        ACCEPT_EULA: "Y"
        GUACD_HOSTNAME: "guacd"
        MYSQL_HOSTNAME: "db"
        MYSQL_DATABASE: "guacamole_db"
        MYSQL_USERNAME: "guacamole_user"
        MYSQL_PASSWORD: "xxxxxxx"
        KSM_CONFIG: "paste token here"
With our example, a resulting file will look something like this:
(3) Save the File and Update Containers
Once the file changes have been saved, simply update the containers:
$ sudo ./kcm-setup.run upgrade
Test Login and Initialize Token
Now that the KSM integration is completed, please ensure that you're able to log in normally to Keeper Connection Manager and open connections. If errors occur, please check the log files.
If you are unable to log in or launch connections, see the troubleshooting section to learn how to check the log files.

Custom Docker Install Method

If you installed Keeper Connection Manager using the Custom Docker Install method, you will need to modify your Docker Compose file to include the integration token. The instructions for activating the integration are below:
(1) On the local instance, stop the containers.
cd /path/to/    # the directory that contains your docker-compose.yml
docker-compose stop
(2) Edit your docker-compose.yml file. Look for the "guacamole" docker image and the "environment" section, which defines environment variables. A sample file is listed below. Paste the token from step 6 above.
guacamole:
    image: keeper/guacamole:2
    restart: unless-stopped
    volumes:
        - common-storage:/var/lib/guacamole
    environment:
        ACCEPT_EULA: "Y"
        GUACD_HOSTNAME: "guacd"
        MYSQL_HOSTNAME: "db"
        MYSQL_DATABASE: "guacamole_db"
        MYSQL_USERNAME: "guacamole_user"
        MYSQL_PASSWORD: "xxxxxxx"
        KSM_CONFIG: "paste token here"
With our example, a resulting file will look something like this:
(3) Save the File and Update Containers
Once the file changes have been saved, simply update the containers:
sudo su
docker-compose up -d
Test Login and Initialize Token
Now that the KSM integration is completed, please ensure that you're able to log in normally to Keeper Connection Manager and open connections. If errors occur, please check the log files.
If you are unable to log in or launch connections, see the troubleshooting section to learn how to check the log files.

Advanced Linux Install Method

If you installed Keeper Connection Manager using the Advanced Linux Install method, you can install the Keeper Secrets Manager package as you would other Keeper Connection Manager plugins. The vault integration package is named "kcm-guacamole-vault-ksm".
$ sudo yum install kcm-guacamole-vault-ksm
To ensure that the Linux machine is capable of generating enough entropy for random number generation, we recommend installing the haveged package.
These packages can be installed using the commands below:
sudo yum install epel-release
sudo yum install haveged
sudo systemctl start haveged
sudo systemctl enable haveged
To complete setup, simply add the base64 format configuration (from Step 6 above) to your /etc/guacamole/guacamole.properties file with the ksm-config value.
guacamole.properties
ksm-config: eyJob3N0bm[...]1IzRTN2UVNTNkhsb0NZQW9nUmlPVlY5cjhvUT0ifQ==
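Before restarting, the pasted value can be checked without printing it. The script below is an added example, not part of Keeper's documentation or tooling; it assumes only that the value is base64-encoded JSON with a "hostname" key (consistent with the eyJob3N0bm prefix in the sample above), and its function names and sample inputs are constructed. The same check applies to the KSM_CONFIG line in docker-compose.yml.

```python
import base64, json, os, re, stat, tempfile

# Matches `ksm-config: <token>` (guacamole.properties) and
# `KSM_CONFIG: "<token>"` (docker-compose.yml), the two forms on this page.
TOKEN_LINE = re.compile(
    r'^[ \t]*(?:ksm-config|KSM_CONFIG)[ \t]*[:=][ \t]*"?([^"\n]*?)"?[ \t]*$', re.M)

def check_token(token):
    """Return problems found in one config value; the value itself is never echoed."""
    if not token:
        return ["config value is empty"]
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["value is not valid base64 (placeholder left in, or paste truncated?)"]
    try:
        doc = json.loads(raw)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return ["value is base64 but does not decode to JSON"]
    # Assumption: "hostname" is the key visible in this page's sample prefix.
    if not isinstance(doc, dict) or not doc.get("hostname"):
        return ["decoded config is not a JSON object with a hostname"]
    return []

def audit_config_file(path):
    """Check permissions and token shape of a properties or compose file."""
    findings = []
    if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IRWXO:
        findings.append("file is accessible to 'other' users")
    with open(path, encoding="utf-8") as fh:
        tokens = TOKEN_LINE.findall(fh.read())
    if not tokens:
        findings.append("no ksm-config / KSM_CONFIG entry found")
    for token in tokens:
        findings += check_token(token)
    return findings

def make_sample(text, mode):
    fd, path = tempfile.mkstemp()  # constructed sample file for the demo
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    # Constructed inputs: this token is NOT a real Keeper configuration.
    good = base64.b64encode(b'{"hostname": "ksm.example.invalid"}').decode()
    print(audit_config_file(make_sample(f"ksm-config: {good}\n", 0o600)))
    print(audit_config_file(make_sample('  KSM_CONFIG: "paste token here"\n', 0o644)))
```

On a real host, call audit_config_file on /etc/guacamole/guacamole.properties or on your docker-compose.yml; an empty list means no findings.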
Then, restart the guacamole process as you typically would.
$ sudo systemctl restart guacamole
Test Login and Initialize Token
Now that the KSM integration is completed, please ensure that you're able to log in normally to Keeper Connection Manager and open connections. If errors occur, please check the log files.
If you are unable to log in or launch connections, see the troubleshooting section to learn how to check the log files.