# Gateway Configuration with Custom Fields

{% hint style="info" %}
These configuration capabilities are functional and currently in an experimental phase, and we invite users to actively explore and utilize them. We are actively evaluating their functionality and performance, with the intention of considering them for official integration into our product in the future.
{% endhint %}

## Advanced Gateway Configuration with Custom Fields on PAM Resource Record Types

When setting up Rotation in your Keeper Vault, you store the credentials of your assets involved in rotation on their corresponding [PAM Resource Record Types](/keeperpam/privileged-access-manager/getting-started/pam-resources.md). On these record types, you are able to [create custom fields](/enterprise-guide/record-types.md#custom-fields).

The additional gateway configurations will be defined with these custom fields on the PAM Record Types. The Keeper Gateway will then adjust its behavior based on the defined configurations.

The following table lists all the configurations that can be set with custom fields:

<table data-full-width="false"><thead><tr><th width="198">Custom Field Name</th><th width="97.51953125">Type</th><th width="137">Default Value</th><th>Description</th></tr></thead><tbody><tr><td><code>Shell</code></td><td>Text</td><td><code>None</code></td><td>Allows you to specify a custom shell path that the Gateway will use when executing rotation and post-rotation scripts. This gives you control over the environment in which these scripts run.<br><br>Example Value: <code>C:\MY\SHELL</code></td></tr><tr><td><code>NOOP</code></td><td>Text</td><td><code>False</code></td><td><p>Allows you to control whether the Gateway performs the primary rotation operation or proceeds directly to execution of the post-rotation script.</p><p>If set to <code>True</code>, the Gateway will skip the rotation process and proceed directly to executing the post-rotation script(s).<br><br>Example Value: <code>True</code></p></td></tr><tr><td><code>Kerberos</code></td><td>Text</td><td><code>False</code></td><td>Specifically designed for WinRM connections using Kerberos authentication.<br><br>By default, the Gateway automatically decides whether to use Kerberos based on certain rules, and if these conditions are met, the Gateway will attempt to use Kerberos for WinRM. However, if you encounter issues with this automatic detection, setting this field to <code>True</code> will override the default behavior and force the Gateway to use Kerberos for WinRM.<br><br>Example Value: <code>True</code></td></tr><tr><td><code>Private Key Type</code></td><td>Text</td><td><code>ssh-rsa</code></td><td><p>Gateway Version 1.3.4+<br><br>This custom field pertains to the type or algorithm of the private key stored in a record.<br><br>When adding a private key to a record, users do not need to take any additional action regarding its type or algorithm. The system is designed to automatically recognize and use the same algorithm as the existing private key during the rotation process. If the algorithm in use is ECDSA, the key size will also be preserved during the rotation.<br><br>Available options if you need to override the key type:<br><br><code>ssh-rsa</code> (Note: 4096 bits)</p><p><code>ssh-dss</code> (Note: 1024 bit, obsolete)</p><p><code>ecdsa-sha2-nistp256</code></p><p><code>ecdsa-sha2-nistp384</code></p><p><code>ecdsa-sha2-nistp521</code></p><p><code>ssh-ed25519</code></p></td></tr><tr><td><code>Private Key Rotate</code></td><td>Text</td><td><code>True</code></td><td><p>Gateway Version 1.3.4+<br></p><p><code>TRUE</code> - (Default) If the custom field doesn't exist, the private key will be rotated if it exists.</p><p><code>FALSE</code> - The private key won't be rotated, even if it exists. Users should pick this if they wish to retain the private key in the record without any rotations.</p></td></tr></tbody></table>

**Note:**

* The custom fields values are not case-sensitive.

## Advanced Gateway Configuration with Custom Fields on PAM Configuration

When setting up Rotation in your Keeper Vault, you store essential information of your target infrastructure, settings and associated Keeper Gateway on the [PAM Configuration](/keeperpam/privileged-access-manager/getting-started/pam-configuration.md). On the PAM Configuration, [you are able to create custom fields.](#adding-custom-fields-on-pam-configuration)

The additional gateway configurations will be defined with these custom fields on the PAM Configuration. The Keeper Gateway will then adjust its behavior based on the defined configurations.

The following table lists all the configurations that can be set with custom fields:

<table data-full-width="false"><thead><tr><th width="198">Custom Field Name</th><th width="72.0078125">Type</th><th width="174.76171875">Default Value</th><th>Description</th></tr></thead><tbody><tr><td><code>Azure Authority FQDN</code></td><td>Text</td><td><code>Azure SDK Default</code></td><td>Overrides the Azure Active Directory authority endpoint used for authentication.<br><br>If not specified, the default authority configured in the Azure SDK is used (e.g., login.microsoftonline.com).<br><br>This field is only applicable to PAM configurations targeting Azure environments, including Azure Government.<br><br><strong>Example</strong>: login.microsoftonline.us</td></tr><tr><td><code>Azure Graph Endpoint</code></td><td>Text</td><td><code>Azure SDK Default</code></td><td>Overrides the Microsoft Graph API base URL used by Azure integrations.<br><br>If not specified, the default Graph endpoint configured in the Azure SDK is used (e.g., <code>https://graph.microsoft.com/v1.0</code>).<br><br>This field is only applicable to PAM configurations targeting Azure environments, including Azure Government.<br><br><strong>Example</strong>: graph.microsoft.us/v1.0</td></tr><tr><td><code>userMatch</code></td><td>Text</td><td></td><td>Match on OU to filter the users found during Discovery.<br><br><strong>Example:</strong> <code>OU=Users,DC=company,DC=com</code></td></tr></tbody></table>

### Adding Custom Fields on PAM Configuration

{% hint style="info" %}
Custom Fields can only be added on the PAM Configuration with Keeper Commander
{% endhint %}

Custom Fields can be added on PAM Configuration with Keeper Commander. To add custom fields:

1. Log on to Keeper Commander
2. List all your PAM Configurations and note the UID of the one you want to modify

```bash
pam config list
```

3. Add the custom field to the PAM Configuration. The following example will add the custom field "Azure Authority FQDN" with value "login.microsoftonline.us" to the PAM Configuration:

```bash
record-update -r "YOUR_PAM_CONFIG_UID" c.text."Azure Authority FQDN"="login.microsoftonline.us"
```

For more information on adding custom fields with the record-update command, visit this [page](/keeperpam/commander-cli/command-reference/record-commands/creating-and-updating-records.md#custom-fields).

4. The following command lets you view the custom field you set in step 3:

```bash
get "YOUR_PAM_CONFIG_UID"
```

**Note:**

* Custom fields on PAM Configurations can only be modified and viewed with Keeper Commander
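The two tables above describe how the Gateway derives its behaviour from custom fields: values are case-insensitive, a missing field falls back to the documented default, and `Private Key Type` only accepts the listed algorithms. The following is an added example written for this page, not Keeper Gateway or Commander code, that models that resolution so a record can be checked before a rotation is attempted. The record layout (a dict with a `custom` list of `label`/`value` entries), the function names, and the sample records are assumptions made for the example; the labels, defaults and allowed values are those of the tables.

```python
"""Resolve Gateway behaviour from custom fields on a PAM record (added example).

Not Keeper's code. Field labels, defaults and allowed values follow the two
tables on this page. The record layout is an assumption: a dict whose "custom"
list holds {"label": ..., "value": ...} entries.
"""
from dataclasses import dataclass, field
from typing import Optional

# Private key algorithms listed on the page; ssh-dss is marked obsolete there.
ALLOWED_KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-ed25519",
}
OBSOLETE_KEY_TYPES = {"ssh-dss"}


def custom_field(record: dict, label: str) -> Optional[str]:
    """Return the trimmed value of the custom field with this label, or None.

    The page states that field *values* are case-insensitive; it says nothing
    about labels, so labels are matched exactly (whitespace trimmed).
    """
    for entry in record.get("custom", []):
        if str(entry.get("label", "")).strip() == label:
            value = entry.get("value")
            if value is None:
                return None
            value = str(value).strip()
            return value or None
    return None


def as_bool(value: Optional[str], default: bool) -> bool:
    """Parse a True/False value case-insensitively, using default when absent."""
    if value is None:
        return default
    normalised = value.strip().lower()
    if normalised == "true":
        return True
    if normalised == "false":
        return False
    raise ValueError(f"expected True or False, got {value!r}")


@dataclass
class RecordSettings:
    """Gateway behaviour derived from a PAM Resource record."""
    shell: Optional[str]          # custom shell path; None = Gateway default
    noop: bool                    # skip rotation, run only the post-rotation script
    force_kerberos: bool          # force Kerberos for WinRM
    private_key_type: str         # key type override (page default: ssh-rsa)
    rotate_private_key: bool      # False keeps the stored private key untouched
    warnings: list = field(default_factory=list)


def resolve_record_settings(record: dict) -> RecordSettings:
    """Apply the table's defaults and validate the Private Key Type value."""
    warnings: list = []
    key_type = (custom_field(record, "Private Key Type") or "ssh-rsa").lower()
    if key_type not in ALLOWED_KEY_TYPES:
        raise ValueError(f"unsupported Private Key Type: {key_type}")
    if key_type in OBSOLETE_KEY_TYPES:
        warnings.append(f"Private Key Type {key_type} is obsolete (1024-bit)")
    return RecordSettings(
        shell=custom_field(record, "Shell"),
        noop=as_bool(custom_field(record, "NOOP"), default=False),
        force_kerberos=as_bool(custom_field(record, "Kerberos"), default=False),
        private_key_type=key_type,
        rotate_private_key=as_bool(custom_field(record, "Private Key Rotate"), default=True),
        warnings=warnings,
    )


def resolve_pam_config_settings(config: dict) -> dict:
    """Read the PAM Configuration fields; None means 'use the Azure SDK default'."""
    authority = custom_field(config, "Azure Authority FQDN")
    if authority is not None and ("://" in authority or "/" in authority):
        # The field is a host name (e.g. login.microsoftonline.us), not a URL.
        raise ValueError(f"Azure Authority FQDN must be a bare host name, got {authority!r}")
    user_match = custom_field(config, "userMatch")
    if user_match is not None:
        # Expect an LDAP DN such as OU=Users,DC=company,DC=com: each part is attr=value.
        parts = [p.strip() for p in user_match.split(",")]
        if not all("=" in p and p.split("=", 1)[0] for p in parts):
            raise ValueError(f"userMatch is not a distinguished name: {user_match!r}")
    return {
        "azure_authority_fqdn": authority,
        "azure_graph_endpoint": custom_field(config, "Azure Graph Endpoint"),
        "user_match": user_match,
    }


# Constructed sample records (not real vault data) exercising the fields above.
SAMPLE_RECORD = {
    "type": "pamMachine",
    "custom": [
        {"label": "Shell", "value": r"C:\MY\SHELL"},
        {"label": "NOOP", "value": "true"},                  # lower-case is accepted
        {"label": "Private Key Type", "value": "SSH-ED25519"},
        # "Kerberos" and "Private Key Rotate" are absent: the defaults apply
    ],
}
SAMPLE_PAM_CONFIG = {
    "type": "pamConfiguration",
    "custom": [
        {"label": "Azure Authority FQDN", "value": "login.microsoftonline.us"},
        {"label": "Azure Graph Endpoint", "value": "graph.microsoft.us/v1.0"},
        {"label": "userMatch", "value": "OU=Users,DC=company,DC=com"},
    ],
}

if __name__ == "__main__":
    print(resolve_record_settings(SAMPLE_RECORD))
    print(resolve_pam_config_settings(SAMPLE_PAM_CONFIG))
```

Running the script with the constructed samples shows `NOOP` resolving to `True` from a lower-case value, the absent `Kerberos` and `Private Key Rotate` fields taking their defaults, and a `Private Key Type` of `ssh-dss` producing a warning rather than being silently accepted. A value such as `https://login.microsoftonline.us` in `Azure Authority FQDN` is rejected, since the field expects a host name.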

## Rotation Rollback Fields

PAM records (pamUser, pamMachine, pamDirectory, pamDatabase and pamConfiguration) support fields for enabling / disabling rotation rollback. These fields are documented in more detail [here](/keeperpam/privileged-access-manager/password-rotation/post-rotation-scripts/rotation-rollback.md).

<table data-full-width="true"><thead><tr><th width="304">Label</th><th width="83">Type</th><th width="101">Default</th><th>Description</th></tr></thead><tbody><tr><td><code>Rollback On Private Key Fail</code></td><td>Text</td><td><code>TRUE</code></td><td>If the private key rotation fails, should everything be rolled back?</td></tr><tr><td><code>Rollback On Password Fail</code></td><td>Text</td><td><code>TRUE</code></td><td>If the password rotation fails, should everything be rolled back?</td></tr><tr><td><code>Rollback On Post Rotation Fail</code></td><td>Text</td><td><code>FALSE</code></td><td>If the post-rotation script fails, should everything be rolled back?</td></tr><tr><td><code>Rollback On SaaS Fail</code></td><td>Text</td><td><code>TRUE</code></td><td>If the SaaS rotation fails, should everything be rolled back?</td></tr><tr><td><code>Re-run On Post Rotation Fail</code></td><td>Text</td><td><code>FALSE</code></td><td>If the post-rotation script fails, should the rollback re-run the post-rotation script?</td></tr><tr><td><code>Reverse Params On Re-run</code></td><td>Text</td><td><code>TRUE</code></td><td>If re-running the post-rotation script, should the new and old passwords be switched?</td></tr><tr><td><code>Rollback On Service Fail</code></td><td>Text</td><td><code>TRUE</code></td><td>If the service password rotation fails, should everything be rolled back?</td></tr><tr><td><code>Rollback On Service Restart Fail</code></td><td>Text</td><td><code>TRUE</code></td><td>If the service cannot be stopped or started, should everything be rolled back?</td></tr><tr><td><code>Rollback On Service Machine Down</code></td><td>Text</td><td><code>FALSE</code></td><td>If the machine running the service is down, should everything be rolled back? This includes cases where the machine is down, the Gateway cannot reach it, or the username or password is invalid.</td></tr><tr><td><code>Rollback On Task Fail</code></td><td>Text</td><td><code>TRUE</code></td><td>If the task password rotation fails, should everything be rolled back?</td></tr><tr><td><code>Rollback On Task Machine Down</code></td><td>Text</td><td><code>FALSE</code></td><td>If the machine running the task is down, should everything be rolled back? This includes cases where the machine is down, the Gateway cannot reach it, or the username or password is invalid.</td></tr><tr><td><code>Rollback On IIS Pool Fail</code></td><td>Text</td><td><code>TRUE</code></td><td>If the IIS pool password rotation fails, should everything be rolled back?</td></tr><tr><td><code>Rollback On IIS Pool Machine Down</code></td><td>Text</td><td><code>FALSE</code></td><td>If the machine running the IIS pool is down, should everything be rolled back? This includes cases where the machine is down, the Gateway cannot reach it, or the username or password is invalid.</td></tr></tbody></table>
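The rollback table is effectively a decision table: which field governs a given failure, what its default is when the field is absent, and which kinds of failure the "machine down" fields cover. The following is an added example written for this page, not Keeper Gateway code, that encodes that table so the outcome of a failure can be predicted for a given record. The record layout (`custom` list of `label`/`value` entries), the failure-kind names, and the sample record are assumptions made for the example; the labels and defaults are those of the table. Whether the re-run only happens as part of a rollback is not stated explicitly on the page; the example follows the table's wording ("should the rollback re-run ...") and flags that as an assumption.

```python
"""Model the rollback decision table for a failed rotation step (added example).

Not Keeper Gateway code. Labels and defaults are those of the table above; the
record layout ({"custom": [{"label": ..., "value": ...}]}) and the failure-kind
names are assumptions made for this example.
"""
from dataclasses import dataclass

# Default for every rollback field when it is absent from the record (from the table).
ROLLBACK_DEFAULTS = {
    "Rollback On Private Key Fail": True,
    "Rollback On Password Fail": True,
    "Rollback On Post Rotation Fail": False,
    "Rollback On SaaS Fail": True,
    "Re-run On Post Rotation Fail": False,
    "Reverse Params On Re-run": True,
    "Rollback On Service Fail": True,
    "Rollback On Service Restart Fail": True,
    "Rollback On Service Machine Down": False,
    "Rollback On Task Fail": True,
    "Rollback On Task Machine Down": False,
    "Rollback On IIS Pool Fail": True,
    "Rollback On IIS Pool Machine Down": False,
}

# Failure kinds (names chosen for this example) -> the field that governs them.
FAILURE_FIELD = {
    "private_key": "Rollback On Private Key Fail",
    "password": "Rollback On Password Fail",
    "post_rotation": "Rollback On Post Rotation Fail",
    "saas": "Rollback On SaaS Fail",
    "service": "Rollback On Service Fail",
    "service_restart": "Rollback On Service Restart Fail",
    "service_machine_down": "Rollback On Service Machine Down",
    "task": "Rollback On Task Fail",
    "task_machine_down": "Rollback On Task Machine Down",
    "iis_pool": "Rollback On IIS Pool Fail",
    "iis_pool_machine_down": "Rollback On IIS Pool Machine Down",
}

# Per the table, "machine down" covers an unreachable host, a Gateway that cannot
# connect, and an invalid username/password; anything else is a plain rotation failure.
MACHINE_DOWN_REASONS = {"host_down", "gateway_cannot_reach", "invalid_credentials"}


def failure_kind(target: str, reason: str) -> str:
    """Map a dependency target (service, task, iis_pool) and a reason to a failure kind."""
    if target not in ("service", "task", "iis_pool"):
        raise ValueError(f"unknown target: {target}")
    if reason in MACHINE_DOWN_REASONS:
        return f"{target}_machine_down"
    if target == "service" and reason == "restart_failed":
        return "service_restart"
    return target


def rollback_flag(record: dict, label: str) -> bool:
    """Read a TRUE/FALSE rollback field case-insensitively; use the table default if absent."""
    for entry in record.get("custom", []):
        if str(entry.get("label", "")).strip() == label:
            value = str(entry.get("value", "")).strip().lower()
            if value == "true":
                return True
            if value == "false":
                return False
            if value:
                raise ValueError(f"{label}: expected TRUE or FALSE, got {entry.get('value')!r}")
    return ROLLBACK_DEFAULTS[label]


@dataclass
class RollbackPlan:
    rollback: bool               # roll everything back?
    rerun_post_rotation: bool    # re-run the post-rotation script during rollback?
    reverse_params: bool         # swap new/old passwords for that re-run?


def plan_for_failure(record: dict, kind: str) -> RollbackPlan:
    """Decide what the Gateway should do after a failure of the given kind."""
    rollback = rollback_flag(record, FAILURE_FIELD[kind])   # KeyError for an unknown kind
    # Assumption: the re-run only happens as part of a rollback, as the table's
    # wording ("should the rollback re-run the post rotation script?") suggests.
    rerun = kind == "post_rotation" and rollback and rollback_flag(record, "Re-run On Post Rotation Fail")
    reverse = rerun and rollback_flag(record, "Reverse Params On Re-run")
    return RollbackPlan(rollback=rollback, rerun_post_rotation=rerun, reverse_params=reverse)


# Constructed sample: rollback and re-run enabled for post-rotation failures only.
SAMPLE_RECORD = {
    "type": "pamUser",
    "custom": [
        {"label": "Rollback On Post Rotation Fail", "value": "true"},
        {"label": "Re-run On Post Rotation Fail", "value": "TRUE"},
    ],
}

if __name__ == "__main__":
    for kind in ("password", "post_rotation", "service_machine_down"):
        print(kind, plan_for_failure(SAMPLE_RECORD, kind))
```

With the constructed record, a password failure rolls back (table default `TRUE`), a post-rotation failure rolls back and re-runs the script with reversed parameters (the two fields set on the record plus the `Reverse Params On Re-run` default), and a service machine-down condition, including invalid credentials on the service host, does not roll back (default `FALSE`).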
