MongoDB

Overview

In this guide, you'll learn how to rotate Local MongoDB User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.

Prerequisites

This guide assumes the following tasks have already taken place:

• Keeper Secrets Manager is enabled for your enterprise and your role.

• Keeper Rotation is enabled for your role.

• A Keeper Secrets Manager application has been created.

• A Keeper Rotation gateway is already installed, running, and is able to communicate to your MongoDB Database

1. Set up a PAM Database Record

Keeper Rotation will use an admin credential to rotate credentials of other accounts in your local environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of other accounts.

In this guide, we will store the admin credentials in a PAM Database Record.

The following table lists all the required fields that needs to be filled on the PAM Database Record with your information:

2. Set up a PAM Configuration

If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.

If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:

3. Set up one or more PAM user records

Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

The following table lists all the required fields on the PAM User record:

4. Configure Rotation on the Record - MongoDB User

Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

• Select the desired schedule and password complexity.

• The "Rotation Settings" should use the PAM Configuration setup previously.

• The "Resource Credential" field should select the PAM Database credential setup from Step 1.

• Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with edit rights to a PAM User record has the ability to setup rotation for that record.

If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.

5. Configure Rotation on the Record - MongoDB Admin

Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".

• Select the desired schedule and password complexity.

• The "Rotation Settings" should use the PAM Configuration setup previously.

• The "Resource Credential" field should select the PAM Database credential setup from Step 1.

• Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.