# Gateway on Linux Native

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FLrkXCEAnkZ5mHSvXvqLE%2FLinux%20Install.jpg?alt=media&#x26;token=132b3ef1-e943-461b-8c25-753ccce83a38" alt=""><figcaption></figcaption></figure>

## Overview

This document contains information on how to install, configure, and update your Keeper Gateway on Linux with native packages.

## Prerequisites

* Prior to proceeding with this document, make sure you [created a Gateway device](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways/one-time-access-token).
* For full capabilities, use Rocky Linux 9, RHEL 9 or Alma Linux 9.
* If you cannot use one of these Linux flavors, please install using the [Docker method](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways/gateway-with-docker)

## Installation

#### **Install Command**

Executing the following command will install the Keeper Gateway, and run it as a service:

{% code overflow="wrap" %}

```bash
curl -fsSL https://keepersecurity.com/pam/install | \
  sudo bash -s -- --token XXXXXX
```

{% endcode %}

* Replace XXXXX with the One-Time Access Token provided from creating the Keeper Gateway
* The initial install file is retrieved from keepersecurity.com. After installation, the Gateway’s steady-state outbound connections can be restricted to the regional endpoints as [documented](#network-requirements).

#### **Installation Location**

The gateway will be installed in the following location:

```
/usr/local/bin/keeper-gateway
```

An alias `gateway` is also created in the same directory

```
gateway -> /usr/local/bin/keeper-gateway
```

## Gateway Service Management

For managing the Keeper Gateway as a service, the following are created during the Gateway installation:

* A `keeper-gateway` folder
* A `keeper-gw` user

**keeper-gateway folder**

The `keeper-gateway` folder contains the gateway configuration file and is created in the following location:

```
/etc/keeper-gateway
```

**keeper-gw user**

During the gateway installation, a new user, `keeper-gw`, is created and added to the sudoers list in `/etc/sudoers.d/.`

The `keeper-gw` user is the owner of the keeper-gateway folder and runs the gateway service. This is required when performing rotations on the gateway service and performing post-execution scripts.

### Managing the Gateway Service

The following commands can be executed to start, restart, or stop the Keeper Gateway as a service:

```sh
sudo systemctl start keeper-gateway
sudo systemctl restart keeper-gateway
sudo systemctl stop keeper-gateway
```

## **Keeper Gateway Configuration File**

The Keeper Gateway configuration file contains a set of tokens that includes encryption keys, client identifiers, and tenant server information used to authenticate and decrypt data from the Keeper Secrets Manager APIs. This configuration file is created from the One-Time Access Token generated when you [created the Gateway](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways/one-time-access-token).

If the Keeper Gateway is installed and running as a service, the gateway configuration file is stored in the following location:

```
/etc/keeper-gateway/gateway-config.json
```

If the Keeper Gateway is installed locally and not running as a service, the gateway configuration file is stored in the following location:

```
<User>/.keeper/gateway-config.json
```

## **Keeper Gateway Log files**

Logs that contain helpful debugging information are automatically created and stored on the local machine.

If the Gateway is running as a service, the log files are stored in the following location:

```
/var/log/keeper-gateway/
```

If the Gateway is not running as a service, the log files are stored in the following location:

```
<User>/.keeper/logs/
```

### **Verbose Logging**

To add verbose debug logging, modify this file:

```
/etc/systemd/system/keeper-gateway.service
```

and add the `-d` flag to the "gateway start" command, e.g:

{% code overflow="wrap" %}

```
ExecStart=/bin/bash -c "/usr/local/bin/gateway start --service -d --config-file /etc/keeper-gateway/gateway-config.json"
```

{% endcode %}

Apply changes to the service:

```sh
sudo systemctl daemon-reload
sudo systemctl restart keeper-gateway
```

**Tailing the Logs**

```
sudo journalctl -u keeper-gateway.service -f
```

## **Updating**

Executing the following command will update the Keeper Gateway to the latest version:

```sh
curl -fsSL https://keepersecurity.com/pam/install | sudo bash -s --
```

## **Auto Update**

Configure your Keeper Gateway installation to automatically check for updates, ensuring it stays up-to-date with the latest version.

* [Activate the Auto Updater](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways/auto-updater)

## **Uninstalling**

Executing the following command will uninstall the Keeper Gateway:

```sh
curl -fsSL https://keepersecurity.com/pam/uninstall | sudo bash -s --
```

### **Health Checks**

To monitor the Gateway service, you can configure health checks that expose its operational status. These checks are useful for Docker orchestration, load balancing, and automated monitoring. See the [Health Check section](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways/health-checks) for full setup details and examples.

### Network Requirements

The Keeper Gateway establishes outbound-only connections and does not require any inbound firewall rules. The following **outbound** connections must be allowed:

<table><thead><tr><th width="310.1015625">Destination Endpoint</th><th>Ports Needed</th><th>More Info</th></tr></thead><tbody><tr><td><p><strong>Keeper Cloud</strong><br><code>keepersecurity.[x]</code></p><p>Endpoints:</p><p>US: <code>.com</code></p><p>EU: <code>.eu</code></p><p>AU: <code>.com.au</code></p><p>JP: <code>.jp</code></p><p>CA: <code>.ca</code></p><p>US_GOV: <code>.us</code></p></td><td>TLS Port 443</td><td>Communicates with Keeper Cloud to access target infrastructure via native protocols (e.g., SSH, RDP)</td></tr><tr><td><p><strong>Keeper Router</strong><br><code>connect.keepersecurity.[x]</code></p><p>Endpoints:</p><p>US: <code>.com</code></p><p>EU: <code>.eu</code></p><p>AU: <code>.com.au</code></p><p>JP: <code>.jp</code></p><p>CA: <code>.ca</code></p><p>US_GOV: <code>.us</code></p></td><td>TLS Port 443</td><td>Communicates with Keeper Router to establish secure, real-time WebSocket connections</td></tr><tr><td><p><strong>Keeper Stun/Turn Service</strong></p><p><code>krelay.keepersecurity.[x]</code></p><p>Endpoints:</p><p>US: <code>.com</code></p><p>EU: <code>.eu</code></p><p>AU: <code>.com.au</code></p><p>JP: <code>.jp</code></p><p>CA: <code>.ca</code></p><p>US_GOV: <code>.us</code></p></td><td>TCP and UDP opened on Port 3478<br><br>Outbound access to TCP and UDP ports 49152 through 65535<br></td><td>Facilitates secure and encrypted WebRTC connections between end-user's vault and target systems via the Gateway</td></tr></tbody></table>

The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. Keeper Secrets Manager APIs are used to communicate with the Keeper cloud.

### Checksum Verification

Keeper Gateway SHA256 hashes for the latest version are published at the below location:

<https://keepersecurity.com/pam/latest.txt>

Calculating and verifying the checksum:

#### Linux

```
sha256sum keeper-gateway_linux_x86_64
cat keeper-gateway_X.X.X_SHA256SUMS | grep keeper-gateway_linux_x86_64
```

#### PowerShell

{% code overflow="wrap" %}

```
Get-FileHash -Algorithm SHA256 keeper-gateway_windows_x86_64.exe | Format-List
Get-Content keeper-gateway_X.X.X_SHA256SUMS | Select-String keeper-gateway_windows_x86_64.exe
```

{% endcode %}