Gateway Configuration with Custom Fields
Advanced configuration of the Keeper gateway with Keeper Vault custom fields
These configuration capabilities are functional but currently experimental, and we invite users to explore and use them. We are evaluating their functionality and performance, with the intention of considering them for official integration into the product in the future.
Advanced Gateway Configuration with Custom Fields on PAM Resource Record Types
When setting up Rotation in your Keeper Vault, you store the credentials of your assets involved in rotation on their corresponding PAM Resource Record Types. On these record types, you are able to create custom fields.
The additional gateway configurations will be defined with these custom fields on the PAM Record Types. The Keeper Gateway will then adjust its behavior based on the defined configurations.
The following table lists all the possible configurations with custom fields. Each entry gives the custom field name, its type and its default value, followed by a description.

Shell (Type: Text, Default: None)
Allows you to specify a custom shell path that the Gateway will use when executing rotation and post-rotation scripts. This gives you control over the environment in which these scripts run.
Example Value: C:\MY\SHELL

NOOP (Type: Text, Default: False)
Allows you to control whether the Gateway performs the primary rotation operation or proceeds directly to execution of the post-rotation script. If set to True, the Gateway skips the rotation process and proceeds directly to executing the post-rotation script(s).
Example Value: True

Kerberos (Type: Text, Default: False)
Specifically designed for WinRM connections using Kerberos authentication. By default, the Gateway automatically decides whether to use Kerberos based on certain rules, and if these conditions are met, the Gateway will attempt to use Kerberos for WinRM. However, if you encounter issues with this automatic detection, setting this field to True overrides the default behavior and forces the Gateway to use Kerberos for WinRM.
Example Value: True

Private Key Type (Type: Text, Default: ssh-rsa; Gateway Version 1.3.4+)
This custom field pertains to the type or algorithm of the private key stored in a record. When adding a private key to a record, users do not need to take any additional action regarding its type or algorithm: during rotation the Gateway automatically recognizes and uses the same algorithm as the existing private key, and if that algorithm is ECDSA, the key size is preserved as well.
Available options if you need to override the key type:
ssh-rsa (Note: 4096 bits)
ssh-dss (Note: 1024 bits, obsolete)
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ssh-ed25519

Private Key Rotate (Type: Text, Default: True; Gateway Version 1.3.4+)
TRUE - (Default) If the custom field doesn't exist, the private key is rotated if one exists.
FALSE - The private key is not rotated, even if one exists. Pick this if you wish to retain the private key in the record without any rotation.

Note:
Custom field values are not case-sensitive.
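The following is an added example, not Keeper's own code, that models how the Private Key Type and Private Key Rotate custom fields steer a rotation: the field names, defaults and option list come from the page, while the planning function, the case-insensitive lookup and the sample inputs are assumptions made for illustration.

```python
# Added example (not Keeper's code): model the Private Key Type / Private Key
# Rotate decision described above, with case-insensitive field names and values.

# Key types the page lists, with the key sizes it gives; ECDSA curve sizes and
# the fixed 256-bit size of ed25519 are standard values added for illustration.
ALLOWED_KEY_TYPES = {
    "ssh-rsa": 4096,
    "ssh-dss": 1024,
    "ecdsa-sha2-nistp256": 256,
    "ecdsa-sha2-nistp384": 384,
    "ecdsa-sha2-nistp521": 521,
    "ssh-ed25519": 256,
}


def get_field(custom_fields, name, default):
    """Look up a custom field by name, ignoring case and surrounding whitespace."""
    for key, value in custom_fields.items():
        if key.strip().lower() == name.lower():
            return value.strip()
    return default


def as_bool(value):
    """Parse True/TRUE/true or False/FALSE/false; anything else is an error."""
    text = str(value).strip().lower()
    if text in ("true", "false"):
        return text == "true"
    raise ValueError(f"expected True or False, got {value!r}")


def plan_private_key_rotation(custom_fields, existing_key_type):
    """Return (rotate, key_type, bits) for one record.

    existing_key_type is the algorithm of the key already on the record (None
    if there is none), e.g. the first token of an OpenSSH public key line.
    """
    rotate = as_bool(get_field(custom_fields, "Private Key Rotate", "True"))
    if not rotate or existing_key_type is None:
        return (False, existing_key_type, None)   # nothing to rotate
    override = get_field(custom_fields, "Private Key Type", None)
    if override is not None:
        key_type = override.lower()
        if key_type not in ALLOWED_KEY_TYPES:
            raise ValueError(f"unsupported Private Key Type {override!r}")
    else:
        key_type = existing_key_type   # default: keep the existing algorithm
    return (True, key_type, ALLOWED_KEY_TYPES.get(key_type))
```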
Advanced Gateway Configuration with Custom Fields on PAM Configuration
When setting up Rotation in your Keeper Vault, you store essential information of your target infrastructure, settings and associated Keeper Gateway on the PAM Configuration. On the PAM Configuration, you are able to create custom fields.
The additional gateway configurations will be defined with these custom fields on the PAM Configuration. The Keeper Gateway will then adjust its behavior based on the defined configurations.
The following table lists all the possible configurations with custom fields. Each entry gives the custom field name, its type and its default value, followed by a description.

Azure Authority FQDN (Type: Text, Default: Azure SDK Default)
Overrides the Azure Active Directory authority endpoint used for authentication. If not specified, the default authority configured in the Azure SDK is used (e.g., login.microsoftonline.com). This field is only applicable to PAM configurations targeting Azure environments, including Azure Government.
Example: login.microsoftonline.us

Azure Graph Endpoint (Type: Text, Default: Azure SDK Default)
Overrides the Microsoft Graph API base URL used by Azure integrations. If not specified, the default Graph endpoint configured in the Azure SDK is used (e.g., https://graph.microsoft.com/v1.0). This field is only applicable to PAM configurations targeting Azure environments, including Azure Government.
Example: graph.microsoft.us/v1.0

userMatch (Type: Text)
Match on OU to filter found users during Discovery.
Example: OU=Users,DC=company,DC=com
Adding Custom Fields on PAM Configuration
Custom Fields can only be added on the PAM Configuration with Keeper Commander. To add custom fields:
1. Log on to Keeper Commander.
2. List all your PAM Configurations and get the UID of the PAM Configuration you want to change.
3. Add the custom field to the PAM Configuration. The following example will add the custom field "Azure Authority FQDN" with value "login.microsoftonline.us" to the PAM Configuration:
For more information on adding custom fields with the record-update command, visit this page.
4. The following command will allow you to view the custom field you set in step 3:
Note:
Custom fields on PAM Configurations can only be modified and viewed with Keeper Commander.
Rotation Rollback Fields
PAM records (pamUser, pamMachine, pamDirectory, pamDatabase and pamConfiguration) support fields for enabling / disabling rotation rollback. These fields are documented in more detail here.
Each entry gives the custom field name, its type and its default value, followed by the question the field answers.

Rollback On Private Key Fail (Type: Text, Default: TRUE)
If the private key rotation fails, should everything be rolled back?

Rollback On Password Fail (Type: Text, Default: TRUE)
If the password rotation fails, should everything be rolled back?

Rollback On Post Rotation Fail (Type: Text, Default: FALSE)
If the post-rotation script fails, should everything be rolled back?

Rollback On SaaS Fail (Type: Text, Default: TRUE)
If the SaaS rotation fails, should everything be rolled back?

Re-run On Post Rotation Fail (Type: Text, Default: FALSE)
If the post-rotation script fails, should the rollback re-run the post-rotation script?

Reverse Params On Re-run (Type: Text, Default: TRUE)
If re-running the post-rotation script, should the new and old passwords be switched?

Rollback On Service Fail (Type: Text, Default: TRUE)
If the service password rotation fails, should everything be rolled back?

Rollback On Service Restart Fail (Type: Text, Default: TRUE)
If the service cannot be stopped or started, should everything be rolled back?

Rollback On Service Machine Down (Type: Text, Default: FALSE)
If the machine running the service is down, should everything be rolled back? This covers the machine being down, the Gateway being unable to reach it, and the username or password being invalid.

Rollback On Task Fail (Type: Text, Default: TRUE)
If the task password rotation fails, should everything be rolled back?

Rollback On Task Machine Down (Type: Text, Default: FALSE)
If the machine running the task is down, should everything be rolled back? This covers the machine being down, the Gateway being unable to reach it, and the username or password being invalid.

Rollback On IIS Pool Fail (Type: Text, Default: TRUE)
If the IIS pool password rotation fails, should everything be rolled back?

Rollback On IIS Pool Machine Down (Type: Text, Default: FALSE)
If the machine running the IIS pool is down, should everything be rolled back? This covers the machine being down, the Gateway being unable to reach it, and the username or password being invalid.
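The following is an added example, not Keeper's own code, that models how the rollback fields above combine when a rotation stage fails, including the re-run and reverse-params chain for post-rotation failures. The field names and defaults come from the page; the stage keys, the decide_on_failure function and the sample field sets are assumptions made for illustration.

```python
# Added example (not Keeper's code): model the rollback decision for a failed
# rotation stage from the custom fields above. Values are case-insensitive.

# Page defaults, keyed by a constructed stage name for the failure each governs.
ROLLBACK_DEFAULTS = {
    "private_key": ("Rollback On Private Key Fail", True),
    "password": ("Rollback On Password Fail", True),
    "post_rotation": ("Rollback On Post Rotation Fail", False),
    "saas": ("Rollback On SaaS Fail", True),
    "service": ("Rollback On Service Fail", True),
    "service_restart": ("Rollback On Service Restart Fail", True),
    "service_machine_down": ("Rollback On Service Machine Down", False),
    "task": ("Rollback On Task Fail", True),
    "task_machine_down": ("Rollback On Task Machine Down", False),
    "iis_pool": ("Rollback On IIS Pool Fail", True),
    "iis_pool_machine_down": ("Rollback On IIS Pool Machine Down", False),
}


def field_bool(fields, name, default):
    """Case-insensitive lookup of a TRUE/FALSE custom field; absent -> default."""
    for key, value in fields.items():
        if key.strip().lower() == name.lower():
            return value.strip().lower() == "true"
    return default


def decide_on_failure(stage, fields):
    """Return what happens when `stage` fails: whether everything is rolled
    back, whether the post-rotation script is re-run as part of the rollback,
    and whether the old/new password parameters are swapped for that re-run."""
    field_name, default = ROLLBACK_DEFAULTS[stage]
    rollback = field_bool(fields, field_name, default)
    rerun = swap = False
    # Re-run and parameter reversal only apply to a post-rotation failure that
    # is being rolled back; the re-run must be enabled for the swap to matter.
    if stage == "post_rotation" and rollback:
        rerun = field_bool(fields, "Re-run On Post Rotation Fail", False)
        swap = rerun and field_bool(fields, "Reverse Params On Re-run", True)
    return {"rollback": rollback, "rerun_post_rotation": rerun, "swap_passwords": swap}
```

With no fields set, a failed post-rotation script leaves the new password in place (default FALSE), while a failed password rotation is rolled back.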