# Setup Steps

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FTrW1sx4hPCCYoyJysDQD%2FKeeperPAM%20Preview.jpg?alt=media&#x26;token=06c8f11d-bac6-45c8-9c87-bef333095a7e" alt=""><figcaption></figcaption></figure>

## Setup Steps

Follow the below steps to start using KeeperPAM.

{% stepper %}
{% step %}
**Keeper Enterprise license**

If you are not a Keeper customer or do not have the required license, you can [start a free trial](https://www.keepersecurity.com/password-manager-free-trial-sign-up.html) from our website. The free trial includes KeeperPAM full capabilities.
{% endstep %}

{% step %}
**Activate Privileged Access Manager**

From the Keeper Admin Console, ensure that your Privileged Access Manager subscription is active. Go to the **Admin Console** > **Subscriptions** and activate the trial or contact your Keeper customer success manager.
{% endstep %}

{% step %}
**Enable PAM Policies**

From the Admin Console, enable the corresponding PAM Enforcement Policies.

* Login to the Admin Console for your region.
* Under **Admin** > **Roles**, create a new role for PAM or modify an existing role
* Go to **Enforcement Policies** and open the "**Privileged Access Manager**" section.
* Enable all the [PAM enforcement policies](/keeperpam/privileged-access-manager/getting-started/enforcement-policies.md) to use the new features.
* Assign yourself or your test user account to this role.
  {% endstep %}

{% step %}
**Existing Customers: Updating your Gateway**

This assumes you are an existing customer with Keeper Secrets Manager and you have a Gateway already deployed. Using the latest Keeper Gateway is required to support the new features. Depending on the operating system, features available will differ.

**Docker**

Use the basic `docker-compose.yml` file as shown below:

```
services:
      keeper-gateway:
        platform: linux/amd64
        image: keeper/gateway:latest
        shm_size: 2g
        restart: unless-stopped
        security_opt:
          - seccomp:docker-seccomp.json
          - apparmor:gateway-apparmor-profile
        environment:
          ACCEPT_EULA: Y
          GATEWAY_CONFIG: XXXXXXXXXXXX
```

Download the files called `docker-seccomp.json` and `gateway-apparmor-profile` and place them in the same folder as your Docker Compose file.

[Download Seccomp File](https://raw.githubusercontent.com/Keeper-Security/KeeperPAM/refs/heads/main/gateway/docker-seccomp.json) and [Apparmor File](https://raw.githubusercontent.com/Keeper-Security/KeeperPAM/refs/heads/main/gateway/gateway-apparmor-profile) or use `curl`:

{% code overflow="wrap" %}

```
curl -O https://raw.githubusercontent.com/Keeper-Security/KeeperPAM/refs/heads/main/gateway/docker-seccomp.json

curl -O https://raw.githubusercontent.com/Keeper-Security/KeeperPAM/refs/heads/main/gateway/gateway-apparmor-profile
```

{% endcode %}

**Windows**

* Download the latest installer: [**64-bit Installer**](https://keepersecurity.com/pam/gateway/keeper-gateway_windows_x86_64.exe)
* You'll be asked to confirm uninstalling the previous Gateway, this is OK
* Ensure the "Enter one-time access token" selection is **NOT selected**

**Linux**

To update an existing Gateway on Linux:

{% code overflow="wrap" %}

```sh
curl -fsSL https://keepersecurity.com/pam/install | sudo bash -s --
```

{% endcode %}

**Retrieving the Configuration**

If you are replacing an existing Gateway, get the old base64 configuration string from:\
`/etc/keeper-gateway/gateway-config.json` on Linux or `C:\ProgramData\KeeperGateway\config\gateway-config.json` on Windows.
{% endstep %}

{% step %}
**New Customers: Create a new Gateway and Sandbox**

Follow the step by step guide in the [Getting Started](/keeperpam/privileged-access-manager/getting-started.md) section of this documentation. A new [Quick Start Wizard](/keeperpam/privileged-access-manager/quick-start-sandbox.md) is available to instantly create a sandbox for exploring some of the connection types.
{% endstep %}

{% step %}
**Explore new features**

* [Quick Start Sandbox](/keeperpam/privileged-access-manager/quick-start-sandbox.md)
* [Connections](/keeperpam/privileged-access-manager/connections.md)
* [Tunnels](/keeperpam/privileged-access-manager/tunnels.md)
* [Remote Browser Isolation](/keeperpam/privileged-access-manager/remote-browser-isolation.md)
* [Session Recording & Playback](/keeperpam/privileged-access-manager/session-recording-and-playback.md)
* [SSH Agent](/keeperpam/privileged-access-manager/ssh-agent.md)
* [Discovery](/keeperpam/privileged-access-manager/discovery.md)
  {% endstep %}
  {% endstepper %}

### Notes

* PAM Features differ between Linux, Docker and Windows versions of the Keeper Gateway.
* For a full range of features, use the Docker installation method, or Linux installation method on Rocky Linux or RHEL.
* We recommend setting up a Keeper Gateway using the [Quick Start Sandbox](/keeperpam/secrets-manager/quick-start-guide.md). This provides a customized Docker Compose file that provides an instant sandbox for testing.

### Feedback

If you have any questions, please [open a support ticket](https://keepersecurity.servicenowservices.com/csm?id=csm_index) or email <business.support@keepersecurity.com>.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/keeperpam/privileged-access-manager/setup-steps.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.